
Static Phishing Kit Pretends to be Dynamic 

Mar 11, 2009 09:23 AM

In my previous post, I discussed the different methods used by fraudsters to store and deliver stolen data from phished users. Even though drop-boxes are the most popular, we still notice several kits using old-style delivery methods. As an example, we detected a phishing kit employing a vulnerable “Form to Email” program to deliver the collected credentials to the fraudsters’ drop-box. As already discussed, the big advantage of this technique is that the server hosting the phishing website does not need to be capable of running dynamic content, so static HTML-only pages can be used.

However, the amount of information that can be retrieved from users these days is larger than in the past; a username and password alone are no longer enough, since other pieces of data are often required to accomplish the fraud (for example, the user’s disposal password or a credit card number). Because of the amount of data that needs to be collected, and the need to mimic the steps of the legitimate site, the attackers have to introduce some form of dynamic behavior so that input data can flow from one page to the next before finally being submitted to the “Form to Email” script.

In a recently identified attack, we noticed a smart JavaScript trick used to work around this issue. The username and password are requested on the first page and then sent to the second page via the HTTP GET method. The second page retrieves this data with a JavaScript function, which writes it into hidden input fields. The page then asks for the disposal password before submitting all of the collected data to the “Form to Email” script.

The figure below shows the call to a JavaScript function called getValue(), responsible for retrieving, from the URL, the arguments passed by the previous page:

[Figure: the call to the JavaScript function getValue(), which retrieves from the URL the arguments passed by the previous page]
This is done by parsing the URL and looking for the value of the parameter whose name is provided as an argument. The task is accomplished using the piece of code below:

[Figure: the getValue() function parsing the URL for the value of the requested parameter]
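The parsing described above, written out as an added example that is not the kit’s own code: a getValue()-style query-string parser, followed by a defender-side check that scans constructed access-log lines for GET requests carrying credential-like parameter names, since data passed via GET ends up in URLs, referrers and server logs. The parameter-name list and the sample log lines are assumptions.

```javascript
// Added example, not the kit's code: a getValue()-style query-string parser and a
// defender-side log check, because data passed via GET ends up in URLs and access logs.
// Decode one percent-encoded component; keep the raw text if the encoding is malformed.
const decode = (s) => { try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { return s; } };

// Parse the query string of a URL into an object of decoded name -> value pairs.
function parseQuery(url) {
  const params = {};
  const q = url.indexOf("?");
  if (q === -1) return params;
  const query = url.slice(q + 1).split("#")[0];   // drop any fragment
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    params[decode(name)] = decode(value);
  }
  return params;
}

// getValue(): the lookup the post describes, returning null for an absent parameter.
function getValue(url, name) {
  const params = parseQuery(url);
  return Object.prototype.hasOwnProperty.call(params, name) ? params[name] : null;
}

// Parameter names that suggest credentials travelling in a query string
// (this list is an assumption; tune it for the site being monitored).
const CREDENTIAL_PARAMS = ["user", "username", "login", "pass", "password", "pwd", "pin", "otp"];

// Scan web-server access-log lines for GET requests whose query string carries such names.
function findCredentialLeaks(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"GET (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    const leaked = Object.keys(parseQuery(m[1]))
      .filter((k) => CREDENTIAL_PARAMS.includes(k.toLowerCase()));
    if (leaked.length) hits.push({ path: m[1].split("?")[0], params: leaked });
  }
  return hits;
}

// Constructed sample lines in Apache combined-log format (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [11/Mar/2009:09:23:00 +0000] "GET /step2.html?user=alice&pass=s3cret HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.6 - - [11/Mar/2009:09:24:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];
```

Running findCredentialLeaks(SAMPLE_LOG) flags only the first line, reporting /step2.html with the parameters user and pass.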
The first time we looked at it, the code surprised us: while the phishing kit was quite sophisticated (the surrounding HTML was obfuscated using various techniques), the script carried an unusual number of comments explaining exactly what it was doing, line by line.

After some further research, it turned out that this piece of JavaScript has been borrowed from a public forum; the fraudster simply copied and pasted it into this kit. So, I’m wondering—do fraudsters apply the software engineering principles of code reuse like other programmers?
