neonprimetime security , just trying to help: Apple Phish

Thursday, February 16, 2017

Apple Phish

@illegalFawn posted some phishing sites.

One of them was hxxp://login-memberupdated[.]info/appleid.apple.com

If you view source, there's not much there because they're trying to obfuscate and avoid detection by various security tools.

On the top it's interesting, looks like the phish likely involves collecting the user's credit cards.

On the bottom you see some ugly encrypted variables and then a call to Aes.Ctr.decrypt to decrypt it. To determine what this is, you can save the assets/js/enc.js file, append to the bottom of it the 3 variables (hea2p, hea2t, and output) and put html and script tags around, then load save as a .html file, so you've created a safe benign html file that creates some variables but doesn't actually execute or write anything to the page.

Then load that html file locally in your browser. Notice the page will load as a blank white page, but that's ok. Then hit f12, go into developer tools, go to the console, type 'output' to display the contents of the output variable.

Now if you're familiar with HTML you can quickly see it's the apple phish page that we saw in our first screenshot. You'll see an iframe used for loading the signin page content.

If you were to login to that page you would find the username, password fields, login button, and php page that the login is posted to. That is going to be the page harvesting the credentials.

If you were to enter your credentials, the phish tells you your account is locked and you must unlock it.

Now we get sent to a verify page ( Verify.php ) which wants us to enter in all kinds of personal info.

Including as we already assumed from above based on the javascript credit card filtering, it asks for your credit card number.

If you enter all your personal info if will say account verified (and in this case apparently a php error) ... then redirect you back to the real appleid login page.