Sunday, 1 October 2017

PayPal Phishing - Homographic Email Body

There's an ongoing PayPal phishing campaign in the wild which sends HTML attachments that spoof PayPal forms and ask users for sensitive information. This campaign is particularly interesting because the email body was encoded with Unicode characters which look similar to the corresponding ASCII characters.

Homographic attacks are usually performed to craft URLs which look like legitimate URLs by substituting some of the ASCII characters with their look-alike Unicode characters.

However, in this particular campaign, the entire email body has been crafted using this technique.

Why apply Homographic Technique to Email Body?

Several security analysts as well as security vendors write static signatures which are crafted to detect patterns in the email body. The homographic technique allows these static signatures to be easily bypassed, because the attackers can mix ASCII as well as Unicode characters to generate different byte patterns for the same visible text.

As an example, in the email shown in Figure 1 we can see that the email body looks like it's written in English. But if you pay close attention, you will observe that some of the English letters have been substituted with look-alike Cyrillic characters.

Figure 1
To get a better understanding of this, let's look at the email body with Unicode characters displayed with their equivalent encoding as shown in Figure 2.

Figure 2

The actual Unicode Encoded text is:

%D0%85%D0%B5ptember 29th 2017


It %D0%B0%D1%80pea%D0%B3%D1%95 t%D2%BBat some of y%D0%BEu%D0%B3 %D0%B3ec%D0%BE%D0%B3d%D1%95 %D2%BBav%D0%B5 g%D0%BEne miss%D1%96ng %D0%BEr be%D1%81%D0%B0me out%D4%81at%D0%B5d.

Now, if we look up the above Unicode encodings, we can understand how the attacker has mixed ASCII with Unicode characters.

As an example, let's decode the string: "%D0%85%D0%B5ptember 29th 2017"

The Cyrillic characters used here are each encoded using 2 bytes in UTF-8, which is why every substituted letter shows up as a pair of percent-encoded bytes such as %D0%85.


You can look up the Unicode Values here:

In this way, we can see how the attacker has encoded the string "September" by mixing Unicode characters with ASCII ones.
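The decoding walked through above can be automated for triage. The following Python script is an added example (not code from the original post): it percent-decodes the body quoted earlier as UTF-8, lists every non-ASCII character with its code point and name, flags words that mix Latin and Cyrillic letters, and maps the Cyrillic look-alikes back to ASCII so a static signature can match the intended text. The confusables table is a hand-built subset covering only the characters in this sample, not the full Unicode confusables list.

```python
"""Decode a percent-encoded phishing body and flag Latin/Cyrillic homographs."""
from urllib.parse import unquote
import unicodedata

# Constructed sample: the percent-encoded email body quoted in the post,
# joined into one string (line 1 is the date, line 2 the lure sentence).
ENCODED_BODY = (
    "%D0%85%D0%B5ptember 29th 2017\n"
    "It %D0%B0%D1%80pea%D0%B3%D1%95 t%D2%BBat some of y%D0%BEu%D0%B3 "
    "%D0%B3ec%D0%BE%D0%B3d%D1%95 %D2%BBav%D0%B5 g%D0%BEne miss%D1%96ng "
    "%D0%BEr be%D1%81%D0%B0me out%D4%81at%D0%B5d."
)

# Hand-built subset of look-alike mappings (Cyrillic -> ASCII). The real
# Unicode confusables table is far larger; this covers only this sample.
CONFUSABLES = {
    "\u0405": "S",  # CYRILLIC CAPITAL LETTER DZE
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0433": "r",  # CYRILLIC SMALL LETTER GHE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
}


def decode_body(encoded: str) -> str:
    """Percent-decode the body; unquote() interprets the bytes as UTF-8."""
    return unquote(encoded)


def non_ascii_report(text: str) -> list[tuple[str, str, str]]:
    """(char, 'U+XXXX', Unicode name) for every non-ASCII character in text."""
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
        for ch in text
        if ord(ch) > 0x7F
    ]


def script_of(ch: str) -> str:
    """Coarse script classification based on the Unicode character name."""
    name = unicodedata.name(ch, "")
    if name.startswith("CYRILLIC"):
        return "Cyrillic"
    if name.startswith("LATIN"):
        return "Latin"
    return "Other"


def mixed_script_words(text: str) -> list[str]:
    """Words containing both Latin and Cyrillic letters: the homograph tell."""
    flagged = []
    for word in text.split():
        scripts = {script_of(c) for c in word if c.isalpha()}
        if {"Latin", "Cyrillic"} <= scripts:
            flagged.append(word)
    return flagged


def normalize_confusables(text: str) -> str:
    """Map known look-alikes back to ASCII so signatures match the intended text."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


if __name__ == "__main__":
    body = decode_body(ENCODED_BODY)
    for ch, cp, name in non_ascii_report(body):
        print(f"{ch}  {cp}  {name}")
    print("mixed-script words:", mixed_script_words(body))
    print("normalized:", normalize_confusables(body))
```

Running the script on the sample yields eleven mixed-script words and the normalized text "September 29th 2017 / It appears that some of your records have gone missing or became outdated." Matching signatures against the normalized form, or simply alerting on any word that mixes scripts, defeats the byte-level variation the attackers rely on.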

HTML Attachment Analysis

MD5 hash: bfe06c7da972a82477016193e5b3c3ac

The HTML attachment contains obfuscated JavaScript, as shown in Figure 3. It uses the HTML DOM to dynamically construct the PayPal HTML form.

Figure 3

This is done by creating an HTML script tag dynamically with the src attribute set to the value shown in Figure 4.

Figure 4

After deobfuscating the above JavaScript, we can see the PayPal HTML form.

Another interesting technique is the dynamic replacement of the action attribute of the HTML form on submission.

The HTML Form looks as shown below:

<form name="ytrKbjzK" onsubmit="">
<input type=button class=submitBtn onClick=uF8Nu() value="Submit Form">
</form>

So, when the Submit button is pressed, the function uF8Nu() is invoked.

This function dynamically replaces the HTML form's POST action attribute with the URL hxxp:// when the form is submitted, as shown in Figure 5.

Figure 5

The actual HTML form looks as shown in Figure 6.


Below are some more HTML files from the wild which were sent in the same campaign and the corresponding email bodies were encoded using the technique described above.

