Thursday, 3 September 2015

PayPal Phishing using Obfuscated HTML Attachments

A PayPal phishing campaign that uses obfuscated HTML attachments has been active for the past few months.

In most cases, the HTML attachments sent to phish credentials are not obfuscated. This makes static analysis easy, and security products detect them reliably. Obfuscated HTML pages, on the other hand, hide the form and its destination from signature-based scanning and are much harder to detect.

In this article we will look at the obfuscated HTML attachments used in PayPal phishing campaigns and how they can be analyzed effectively.

The obfuscated HTML attachment looks as shown in Figure 1.

Figure 1: Obfuscated HTML Page

When opened in a browser, the PayPal phishing page looks as shown in Figure 2. We can see that it requests personal information from the user.

Figure 2: PayPal Phishing Page

Now let us look at how the HTML page can be deobfuscated. Figure 3 shows that the script decodes the page content at runtime and then hands the result to document.write(), which is what renders it in the browser.

Figure 3: document.write() in the obfuscated HTML page.

To see the deobfuscated code instead of rendering it, we display the decoded value inside a textarea. This is done by modifying the document.write() statement in the original obfuscated HTML page, as shown in Figure 4, so that the decoded string is written as text rather than interpreted as markup. Two practical notes: do this on a copy of the attachment opened from disk on an isolated analysis machine, since the decoded page may still reference remote resources; and if the decoded markup itself contains a closing textarea tag, the browser will end the textarea at that point, so check that the output is complete.

Figure 4: Modified document.write() in the obfuscated HTML page

When we open the modified HTML page in a browser, the complete deobfuscated code is shown in the textarea, as in Figure 5.

Figure 5: Deobfuscated HTML Page

If we look at the HTML form in the deobfuscated page, we can see that the form's action attribute points to as shown in Figure 6. In most phishing HTML pages the form's action field points directly to an attacker-controlled web server. That is not the case here, and it is what makes this instance of PayPal phishing interesting.

Figure 6: HTML form's action field in the deobfuscated HTML page.

So how is the form's action field modified at runtime? It is done by the JavaScript function initsub(). In Figure 7 we can see that initsub() is called when the HTML form is submitted, so the real destination is only written into the form at the moment the victim clicks submit.

Figure 7: JavaScript function called when HTML form is submitted.

The JavaScript function initsub() is shown in Figure 8.

Figure 8: JavaScript function, initsub()

We can see an obfuscated array in the above JavaScript, named _0xf7b4. It holds the strings the function needs, including the piece that becomes part of the form's action URL, each written as escape sequences carrying the ASCII value of every character rather than as readable text. To display the actual strings we can paste the array declaration into Mozilla Firefox's Web Console, as shown in Figure 9; the JavaScript engine decodes the escapes when it evaluates the literal. Paste only the array literal, not the surrounding script, so that nothing beyond the string decoding executes.

Figure 9: Decode the Array using Firefox's Web Console

Once the array declaration has been evaluated, entering the array name in the Web Console prints all of its strings in decoded form.

We can identify the HTML form's action URL as shown below:

var _0x13632f = "fb60d411a5c5b72b2e7d3527cfc84fd0.php";
var _0x1a7d65 = _0xf7b4[2];

The complete URL is:

WHOIS lookup information for the domain shows that it was registered on 17 August 2015, just over two weeks before this post.

Most of the domains used in this PayPal phishing campaign were registered recently by the attackers, so domain age is a useful signal when triaging the action URLs recovered from these attachments.

I will soon post a list of different domains and the complete URLs used for phishing.