Apple Phishing email leads to a fake Apple login page


Today, I'm looking at a phishing email sent to my Hotmail account. At first glance, it looks pretty standard; set to "High Importance" and littered with exclamation points to create a sense of urgency, the Apple logo and a real Apple support link at the bottom for legitimacy, and an IP address to create a sense of technicality. However, there are a few giveaways:

  • Misspellings and bad grammar throughout
  • Apple link and boilerplate text at the bottom are for Apple Australia, which is the wrong country for the intended target
  • IP address belongs to Comcast, which is not the ISP of the intended target
  • Generic greeting (Dear Apple User!) rather than a personalized greeting
  • The iPhone image is loaded from an external source that a legitimate Apple email would not be using (Wikimedia) and has Indonesian (i.e. Malay) alt text (alt="Hasil gambar untuk iphone 6" src="hxxps://upload.wikimedia.org/wikipedia/commons/thumb/0/01/IPhone6_silver_frontface.png/150px-IPhone6_silver_frontface.png")
  • The “Login” link uses Twitter’s URL shortener (hxxps://t.co/eaUfPohNET?ID=5FHF3DYZBZNM5AXR2Y76K9VCODQZI401TGWEBPL3F8JUSH) and pops out to a new window

    One interesting addition is the use of an image embedded in the email to convince the user that it’s safe; “this message is from a trusted sender”. In Outlook.com, notification messages are shown with a particular format, and the image mimics that format. However, the legitimate notifications from Outlook (message was moved to the Spam folder, and message was sent with high importance) are loaded as HTML elements, created through the use of div tags and class attributes. For example:
    <div class="_rp_l2 ms-font-s _rp_n2" role="note" aria-live="polite" aria-relevant="all"><div class="_db_F customScrollBar scrollContainer"> <div><div><div class="_db_w ms-bg-color-neutralLight"> <div><div class="_db_g ms-bgc-nt"></div></div> <div class="_db_v"> <div class="_db_r ms-font-color-neutralSecondaryAlt ms-font-weight-regular"> <div class="InfobarImmediateTextContainer _db_s"> <span autoid="_db_4" class="_db_q" style="display: none;"></span> <span autoid="_db_5" class="_db_q">This message was sent with high importance.</span> </div> </div> </div> </div></div></div> </div></div>
    The fake trusted sender notification is just an embedded image:

    There wasn’t anything interesting in the metadata. You can tell the difference between the real and fake notifications by trying to move them; the real notifications don’t respond to mouse input, but the fake notification can be selected and moved because it’s just an image.
    Enough about the email, let’s find out what it does. The Twitter shortened link expands to hxxps://appleid.apple-account-0945.com/_
    Surprise, it’s not Apple. This domain was registered 2 days ago to someone in Australia:
    Updated Date: 2018-05-07T23:54:36Z
    Creation Date: 2018-05-07T23:54:36Z

    Registrant Name: Local Government Network Australia New Zealand
    Registrant Organization: Local Government Network Australia New Zealand
    Registrant Street: 50 Alicia Street
    Registrant City: Athol Park
    Registrant State/Province: NSW
    Registrant Postal Code: 4164
    Registrant Country: AU
    Registrant Phone: +61.0451286800
    Registrant Phone Ext:
    Registrant Fax:
    Registrant Fax Ext:
    Registrant Email: soisoiteme@gmail.com

    I especially like the name, “Local Government Network” as if that’s enough to convince anyone it’s legitimate. Following the link takes you to a passable fake Apple login page:

    All the links on this page redirect back to the page itself. The page loads some Javascript that does input checking for credit card and social security numbers, along with date of birth. Parts of some of the scripts on the page, such as variable names, are in Malay and Javanese (kerualan, udud), further indicating the origin of this campaign. So it looks like a standard credential harvesting site, possibly an account takeover site where once you give them your login credentials they lock your Apple account and demand payment to turn it back over. One other interesting thing is that it appears the bulk of the site is created with AES encrypted and base64 encoded Javascript, possibly to avoid detection by an IDS. However, the decryption key is contained in the script itself, which makes analysis possible:
    <script> var gentot = ('0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz'); var udud = 'FwPgjcsZ81rmKT8GppZ1FXZH6FcacjBVwAXgPunF4eWASHE6w+ ...snip... U4yMiecTb7L67G3+dEfgKs35qATV+'; var keluaran = Aes.Ctr.decrypt(udud, gentot, 256); document.write(keluaran)
    </script>

    Comments

    Post a Comment

    Popular posts from this blog

    Javascript-based cryptocurrency mining script injection

    Image
    While looking closer at the Showtime embedded cryptocurrency miner mini-scandal, I wondered how many other pages had Coinhive embedded. After a quick Google search, I found several sites that seemed to have the crytocurrency mining code embedded, apparently without the page owners' knowledge, based on the content of the page. The code was embedded within an invisible iframe (a red flag) and the intermediate site that redirected to Coinhive has a history of malware activity. Interestingly, the frame was not always present, forcing a visit to Google's cache: Presumably compromised site: Injected frame: recaptcha-in.pw source code, in its entirety: We see the call to the Coinhive javascript file (coinhive.min.js). A quick search for the script shows expected results for cryptocurrency mining sites, but also a selection of possibly compromised sites: enrollsa.com/locations eduedgepro.com newmarketcomputerservices.com/slide-page/company/ sugar-packed.com arifpu
    Read more

    Domain siblings and contents of the second javascript file

    Image
    In my previous post, we saw that someone is apparently injecting Monero-harvesting code into what appear to be compromised websites. One method was to inject an invisible frame with a page that contained a script calling https://coin-hive.com/lib/coinhive.min.js, which is the Coinhive javascript Monero miner. Another method, present on the same page (presumably in case the browser used didn't support frames) was to directly call a javascript file from a different site. The contents of this javascript file is an array of numbers, followed by a loop. This code extracts ASCII codes from the string of numbers, revealing obfuscated HTML. The result calls the same Coinhive miner, but also another script that appears to create a bunch of ads. I'll run that on a victim machine and post the output later. In the meantime, both methods used the same Coinhive script with the same unique site ID. This ID is to identify what account gets credited with the site owner's share of
    Read more