Back at it with another phishing breakdown

Notice: I am not a Javascript/jQuery expert, so there may be errors in how I describe things. If you have a correction, please let me know and I’ll update the article.

The other day I got a notice from Microsoft 365 stating that I had a phishing email that was stopped and needed to be reviewed since it was in quarantine. Pulled up the email and it was a pretty simple ploy: alert your password is going to expire and click this link to keep it the same. The email was sent to an email address that got released thanks to a data breach from a “Commission-free stock trading & investing app”

The headers of the email show that the email most likely came from a compromised Exchange mail server ilmyyowk[.]talemarketing[.]com (92[.]52[.]217[.]6) and was sent directly to Microsoft 365. The domain had a proper SPF record and a successful DKIM check which is what lead me to believe that it was a compromised mail server

spf=pass  (sender IP is 92.52.217.6) smtp.mailfrom=talemarketing.com; dkim=pass  (signature was verified) header.d=talemarketing.com;dmarc=pass  action=none header.from=talemarketing.com;compauth=pass reason=1004Received-SPF

I was able to then get the link from the picture/button in the email to see what the payload that it was trying to load (luckily I downloaded the source code, as this site and domain was already taken down). The payload was just a basic web mail look-alike login page

The kicker with this to make it look more real, in the link that was clicked on there was my email tacked onto the end of the link

hxxps[://]ipfs[.]fleek[.]co/ipfs/bafybeibl3wh6gv3ubrffw46pky7dq6mdicslb45eodhugwgcx7wpcudhl4#<my email address>

When looking at the source code of the page, saw that there was a massive chunk of URL escape text that had a JavaScript snippet telling it to unescape and write it to the DOM (Document Object Model, the layout of the actual webpage). This turned out to be the HTML code for the webpage itself after it was decoded

Unescaped

Escaped

Below the unescaped text was all the JavaScript code that got executed when the page loaded, so let’s start going thru that section by section.

This code chunk essentially does it disables being able to copy or paste, refresh the page, or be able to undo as it hijacks/listens to the keys pressed and disables any of the key combinations needed to do the above. It also disables the right-click menu so you aren’t able to do that either.

At this point we are starting to get into some of the more tricky parts of the code as this next section is partially responsible for why it can look so convincing. For this example we are going to use the email address test[@]microsoft[.]com just to show the process that it goes thru. When you first clicked on the link, the email address that I received the inital email at was at the end of the link after a # symbol (this is important). Let’s load the webpage with a similar link that was originally provided

Example Microsoft email address

Notice how the email at the top is the same as in the email field of the login portion, and its using Microsoft’s logo? If we were to change it to another company’s email address (such as Google), it will load said company’s logo based on the email address

Example Google email address

This nifty trick is done by utilizing and abusing ClearBit’s free public Logo API, where you can search any company’s domain and it’ll attempt to return that company’s logo just by parsing out the email address and pulling the domain name to use to look it up (see code chunk below)

First, it creates a new email variable, then parses the URL and saves the contents after the # symbol to that variable (in this case, its the emil address test@microsoft.com). If there is no email address present, it doesn’t do anything. If there is an email address present, it goes thru and does the following:
1. Sets the value of the #email field of the webpage to the value of the variable (this is the id of the email address field in the login section).
2. It takes the value of the email variable and tests it against the regex string, which (poorly) verifies that the email address is a properly formatted email address.
— If the email address is not properly formatted, it will show an error message stating that the account doesn’t exist and to try another account.

Improper formatted email address error messgae

The next portion is how it gets the company logo. It takes the value of the email variable and it creates an index of the length (starting at zero) and measures where in the index is the @ symbol, thus essentially splitting the email address username from the email domain, and saves that to a new variable. It then creates a new variable, my_slice , which saves the email domain and then writes a new varaible for the supposed website (ex. if your email was test[@]microsoft.com, it would set the value of my_slice to microsoft.com ). Using this, it when queries ClearBit’s Logo API using that domain and sets the logo image to the company image that it loads. It also attempts to set the login page’s background to the domain’s main page (ex. it’ll attempt to set the background of the login page to the same as hxxps[://]microsoft[.]com). Finally, it sets the value of the email portion of the form to the email address that it’s using.

At this point, someone has probably already entered their email and password and clicked the Sign In button. When this happens it runs the next major chunk of JavaScript code.

At the beginning of the script it created a variable count and set it to 0 for this upcoming use. When you enter your email and password, then click Sign In, it increments that counter by 1. It then performs an jQuery AJAX POST call, which is an asynchronous REST POST call, just like if you were to use curl to do curl -X POST . It sets the data format to JSON, saves the email and address to the data payload then sends the POST request to the address hxxps[://]colegiomayorzurbaran[.]es/wp-includes/cino[.]php. At this point the hacker has your login information and your account is essentially compromised. When doing this I tried to see if I could figure out what was going on on the other end but that page and the domain were already taken down. This was most likely a compromised web server that had a vulnerable WordPress plugin so the attacker took control of that server to host their malicious application (its very common to determine if a website is running on WordPress when in the url it contains wp-includes . If you look at the browser’s network traffic logs, you can see the POST request with all the headers and your cleartext credentials.

From the phisher’s side of things, to make it more likely to successfully get the credentials, when you click Sign In it changes the text in the button to say “Verifying…” and then shows an error message stating “Invalid Password.! Please Enter your correct Password” (this should be a slight hint that its not real, as I highly doubt that any webmail login page would have a punctuation error like using both a period and exclamation point). The user at this point would think that they fat fingered it and then enter their information again and click Sign In.

The three functions (success, error, and complete) are functions that run in response to the jQuery AJAX.

When successful:
1. It’ll show that error box stating that its an Invalid password, prompting the user to enter their information again, and outputs the response to the DevTool’s Console.
2. It blanks out the password field.
3. This is where that count variable comes into play. It checks to see if the value is greater than or equal to 2 (it would be if you were to enter your credentials and clicked Sign In twice), then if true it replaces the webpage with another custom webpage that just shows that “you’ve successfully kept your password the same”. The webpage url is hxxps[://]storageapi[.]fleek[.]co/65fece54-b379–4088-a228–4613dcc6de87-bucket/complete[.]html#<email address>.

The funny part about this is that the person that wrote this phishing attack was lazy and it loads the page whether it was successful or not (if there was an error in the POST request, it still loads the same page).

On this page, even though that it looks pretty simple and harmless, there is still some weird stuff going on. Examining the source code of this page, it disables the use of the following key combos with CTRL: i (shows page info), 9 (on the numpad), j (starts a search using your browser’s default search engine), * (on the numpad), u (brings up the URL bar), and f6 (skips to web contents of the page). After waiting for a couple seconds, it will then redirect you to the default webpage of your domain (ex. hxxps[://]microsoft[.]com) so that it looks like everything was actually successful.

Conclusion: This was a really fun project to attempt to reverse engineer as I know a very little bit of JavaScript (tried to learn it at one point but was unsuccessful and ended up giving up). Doing this I was able to learn a bit more on how JavaScript and jQuery works and moving forward I believe that I’ll be able to read the source code of malicious payloads like this easier. Who knows, maybe this will re-ignite my desire to actually sit down and learn JavaScript.

IOCs:

URL - https://ipfs.fleek.co/ipfs/bafybeibl3wh6gv3ubrffw46pky7dq6mdicslb45eodhugwgcx7wpcudhl4
Mail server - ilmyyowk.talemarketing.com
Domain - talemarketing.com
IP (Sender mail server) - 92.52.217.6
URL - https://logo.clearbit.com
Domain - colegiomayorzurbaran.es
Webpage - https://storageapi.fleek.co/65fece54-b379-4088-a228-4613dcc6de87-bucket/complete.html