Recently,
one of my email addresses has become a victim to many email phishing campaigns, pretending to be from PayPal:
The
email states that your account has been limited and asks you to download the
attached HTML file and sign in to your account in order to restore activity to
your account. The sender email address is 'service@paypal.co.il' and a quick
look on the email source reveals it's from a SNMP server which IP is found out
to be originated in Israel. This IP is still responding as of today.
Upon
downloading the HTML file and inspecting it, we see it has a really long string
which is ran by JavaScript unescape() function when loaded to the browser, then the
output is written to the current page, thus dynamically building the web page. Interesting
thing found here, is that there's a comment stating 'HTML Encryption provided
by al-a7mari.blogspot.com' – which is found out to be a blog written in Arabic.
After
unescaping that long string, we receive some obfuscated functions and strings that write
more data dynamically to the page. This seems to be the main one (I changed
some of the variables names to be more readable):
The
function 'ahex()’ is used multiple times in the code, each time deobfuscating
some hard-coded strings, which translate them to HTML and JS code, that are being
written to the page.
This
is how the page looks like when loaded from the browser:
 |
| Yeah right |
The
page is even using some assets and css files received from a real PayPal domain -
"paypalobjects.com". This, for example, is the company logo used in the phishing page:
When
trying to see the source file or inspect the page from the browser, we receive
an alert saying "This page is protected". LOL 😂
If
you don't enter some fields on the login page, you receive an alert:
 |
| Always check your spelling when phishing |
When
entering the credentials, a new DIV is visible by being changed to 'block' programmatically,
showing the same page again but with an error stating the password you entered is
incorrect (obviously no matter what you'll enter you get this error page. Both username and password pairs you entered in the first and second page are
later being sent to the server. This is probably used to check you entered the
same credentials twice).
The
next 2 DIVs that are being shown, are: a page that asks you to enter some
general info (name, address, phone number etc) and a page asking you to
enter your credit card info. Some of the tests the code does is to ensure you
entered the fields correctly - checks email regex, password length above 8, credit
card length to be 15 chars or more and CVV 3 chars or more.
Upon
sending the form, the POST request is sent to https://xteronger.tk/zoom.php .
This server seems to be located at
DigitalOcean cloud service based on its IP (68.183.124.17), and it's still
alive as of today.
Some of the fields being sent to the server are: both of the PayPal usernames and passwords you entered (as mentioned earlier), your credit card number including CVV and exp. date, your address, your user-agent and more.
Some of the fields being sent to the server are: both of the PayPal usernames and passwords you entered (as mentioned earlier), your credit card number including CVV and exp. date, your address, your user-agent and more.
The
POST request looks like this:
And
if you want to fight back :P, here are the parameters being sent to the server:
Here's a screenshot from another HTML received from the same email address and being sent to the same domain name https://xteronger.tk
This one is pretending to be a different PayPal page:
This one is pretending to be a different PayPal page:
Alert your friends and family, this campaign seems to be
persistent and sends multiple emails each period of time. Stay safe :)
