Recently, one of my email addresses has become the target of many phishing campaigns pretending to be from PayPal:
The email states that your account has been limited and asks you to download the attached HTML file and sign in to your account in order to restore activity to it. The sender address is 'service@paypal.co.il', and a quick look at the email source reveals it was sent through an SMTP server whose IP address is located in Israel (the From address itself is trivially forged; the Received headers are what give the real origin away). This IP is still responding as of today.
Upon downloading and inspecting the HTML file, we see that it contains one very long percent-encoded string, which is run through the JavaScript unescape() function when the page loads; the output is then written into the current document, dynamically building the web page. Interestingly, there is a comment stating 'HTML Encryption provided by al-a7mari.blogspot.com', which turns out to be a blog written in Arabic.
After unescaping that long string, we get some obfuscated functions and strings that write more data dynamically to the page. This seems to be the main one (I renamed some of the variables to be more readable):
The function 'ahex()' is used multiple times in the code, each time deobfuscating some hard-coded strings into the HTML and JS code that is then written to the page.
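As an added example (not code from the original post, and not the phishing kit's own code), here is a small Node.js script that peels off the two layers described above statically, without executing any of the page's JavaScript: it replaces unescape("...") calls with their decoded text, unwraps document.write("...") so the written markup becomes part of the source, and does the same for ahex("..."), assuming (the post does not show its body) that ahex() decodes pairs of hex digits. The sample page, the example.invalid URL and the field names are constructed for the example; the indicator extraction at the end pulls out the form action, input names and hostnames an analyst would want from the decoded result.

```javascript
// Added example: static deobfuscation of an unescape()/document.write phishing page.
// Nothing from the page is executed; layers are peeled with regex + decoding only.
// ASSUMPTION (not shown in the post): the kit's ahex() decodes pairs of hex digits.

// Equivalent of the legacy JS unescape(): decodes %XX and %uXXXX sequences.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Decode a string of hex-digit pairs, e.g. "3c68746d6c3e" -> "<html>".
function hexDecode(hex) {
  let out = '';
  for (let i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// One round of peeling: (1) turn unescape("...") / ahex("...") calls into plain JS
// string literals, (2) unwrap document.write("...") so the written markup becomes
// part of the source itself. Repeat until the text stops changing, so nested
// layers (unescape outside, ahex inside) come off one after the other.
function staticDeobfuscate(src, maxRounds = 10) {
  const decoderCall = /(unescape|ahex)\(\s*(["'])([^"']*)\2\s*\)/g;
  const docWrite = /document\.write\(\s*("(?:[^"\\]|\\.)*")\s*\)\s*;?/g;
  let cur = src;
  for (let round = 0; round < maxRounds; round++) {
    const next = cur
      .replace(decoderCall, (_, fn, q, body) =>
        JSON.stringify(fn === 'unescape' ? legacyUnescape(body) : hexDecode(body)))
      .replace(docWrite, (_, literal) => JSON.parse(literal));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Pull the indicators an analyst wants from the decoded markup: where the form
// posts to, which fields are harvested, and every hostname referenced.
function extractIndicators(html) {
  const grab = (re) => [...html.matchAll(re)].map((m) => m[1]);
  return {
    actions: grab(/<form\b[^>]*\baction=["']([^"']+)["']/gi),
    fields: grab(/<input\b[^>]*\bname=["']([^"']+)["']/gi),
    hosts: [...new Set(grab(/https?:\/\/([a-z0-9.-]+)/gi))],
  };
}

// --- CONSTRUCTED sample, not the real kit: a hex-encoded form inside an ahex()
// layer, wrapped in the percent-encoded unescape() layer the post describes. ---
const toHex = (s) =>
  [...s].map((c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const percentEncode = (s) =>
  [...s].map((c) => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');

const HARVEST_FORM =
  '<form action="https://example.invalid/zoom.php" method="POST">' +
  '<input name="login_email"><input name="login_password"></form>';
const INNER_LAYER = '<script>document.write(ahex("' + toHex(HARVEST_FORM) + '"));</script>';
const SAMPLE_PAGE =
  '<!-- HTML Encryption provided by (constructed sample) -->\n' +
  '<script>document.write(unescape("' + percentEncode(INNER_LAYER) + '"));</script>';

const decoded = staticDeobfuscate(SAMPLE_PAGE);
console.log(decoded);
console.log(extractIndicators(decoded));
```

Run it with `node deobfuscate.js`. The emptied `<script>` wrappers are left in place on purpose, so you can see where each layer used to be; decoding instead of executing matters because these kits also register handlers that fire on load (the "This page is protected" alert is one), which a static pass never triggers.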
This is how the page looks when loaded in the browser:
[Screenshot caption: Yeah right]
The page even uses assets and CSS files loaded from a real PayPal domain, "paypalobjects.com". Hotlinking the real CDN makes the page look pixel-perfect, but it also means the CDN operator's referrer logs can reveal where the kit is hosted. This, for example, is the company logo used in the phishing page:
When trying to view the source or inspect the page from the browser, we get an alert saying "This page is protected". LOL 😂 Handlers like this only intercept the right-click menu and keyboard shortcuts; opening the saved file in a text editor, or DevTools from the browser menu, works as usual.
If you leave some fields on the login page empty, you get an alert:
[Screenshot caption: Always check your spelling when phishing]
When you enter credentials, a new DIV is made visible (its display is changed to 'block' programmatically), showing the same page again but with an error stating that the password you entered is incorrect. Obviously, no matter what you enter, you get this error page. Both username/password pairs you entered, on the first and on the second page, are later sent to the server; this is probably used to check that you entered the same credentials twice.
The next two DIVs shown are a page asking for some general info (name, address, phone number, etc.) and a page asking for your credit card details. The code runs a few checks to make sure the fields were filled in "correctly": the email must match a regex, the password must be longer than 8 characters, the credit card number must be at least 15 characters and the CVV at least 3 characters.
Upon submitting the form, a POST request is sent to https://xteronger.tk/zoom.php. This server appears to be hosted at DigitalOcean based on its IP address (68.183.124.17), and it is still alive as of today.
Some of the fields sent to the server are: both PayPal username/password pairs you entered (as mentioned earlier), your credit card number including CVV and expiry date, your address, your user agent and more.
The POST request looks like this:
And if you want to fight back :P, here are the parameters sent to the server:
Here's a screenshot of another HTML file received from the same email address, which submits to the same domain, https://xteronger.tk. This one is pretending to be a different PayPal page:
Alert your friends and family: this campaign seems to be persistent and sends multiple emails every so often. Stay safe :)