MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.


Dissection of a fraudulent package. Wachovia phishing attack

In one of our most recent posts have published a series of links to phishing pages against various entities. Today we will analyze one of them, an attack aimed at Wachovia bank customers.

To this end, we got the full kit and have begun to analyze the files contained in it. Basically there are a few files PHP, HTML, various images and three style sheets.

If we look at one of the php files: BiMaR.php, we see the following:

So far so normal, typical data collection forms shown and sending a couple of email addresses.

But if we look in detail, we see that line 4 is somewhat peculiar. The variable $messege is misspelled and is not used in the rest of the script, instead using the variable $message. Moreover, its value is a base64 encoded string. If the decode get this:

$send = "";

A couple of e-mail ... weird.

We analyze one of the files: details.php, and we are having another striking piece of code:

If you decode the string we get two email addresses:,

Under this scenario, our first thought is that perhaps we are witnessing a backdoor, through which the creator of phishing data pack to steal their customers. To make matters worse, in that parts of the code file is somewhat strange: the first isn't very well formed and the second with the eval function is very suspect.

To go deeper into the analysis, we proceed to install the package into a web server and surf the fraudulent site, filling in the fields to see the behavior of the pack.

Once we reached the last step, and confirm the data, the page makes the expected private information sent via SMTP, with one exception: the destination addresses aren't any that we located in php files.

Quickly do a search of the addresses in the entire directory, including the images, but with negative results. Obviously, from somewhere have to leave all these directions, but ... where?

Listing directory that houses the images and style sheets can be seen that the size of one of the CSS file is much larger than others, so I edit. Everything seems normal until after the middle of a block file are unreadable, even appearing as Chinese characters, which obviously has all the hallmarks of being the cause of unexpected behavior.

We finished rolls up and review the PHP files to track and finally get results. The file AuthService.php has several functions that are somewhat cryptic calling each other forming a chain.

So we put a couple of "echos" in strategic places and presto!, Our friend appears before our eyes:

A code similar to the file BiMaR.php but with 6 different email addresses, which is where you actually send the stolen information.
We thus face a diversion of the phishers, which conjurers who put us in the eyes what they want to believe, while the actual operation beyond superficial looks.

An important fact which emerges from the analysis against the server is that within the same pages are also posing as the other two banks, Lloyds TSB:

And Bank of America, both with the same defense mechanism in the CSS.

As we see, the mechanisms used for phishing attacks also perfected every day, not just around their attack strategies, but also on their defense mechanisms, which in this case, running a diversion interesting.

Related information
Phishing database I
Phishing Kit In-the-Wild for cloning website, version 2
Phishing Kit In-the-Wild for cloning website
Phishing y "cuentos" en navidad
Phishing para American Express y consejos

Ernesto Martin
Crimeware Researcher in Malware Intelligence

0 comentarios:

Post a Comment