Under the hood of a common phishing scam

Posted by Vernon Joyce
March 16, 2017

“Kindly find attached PO for goods ordered this week, please send invoice so that we can do payment today. Our company details and VAT is on the invoice. Kindly confirm order and send invoice.”

At a glance, this mail seems pretty legit. If you are expecting a shipment or delivery you might even be inclined to click the attachment. Luckily most of us know how dangerous the Internet is and we know to mark the email as a scam (thanks Google for giving us this option). I recently received one such email and realised it was a scam as it was from a company that I was not expecting any deliveries from. The attachment was an HTML file which immediately raised a red flag.

But what if you don’t know any better? This article is not about spotting phishing; it’s about the technicalities of how phishing scams work. If you would like to learn about avoiding phishing scams, follow this link for some tips.

Phishing scams get more sophisticated by the day and as a result it is important to understand how these scammers operate. If you know what to look for you will be able to keep your information safe, even if your password is password123 or your cat’s name.

1. The spoofed email

Most phishing scams start off with a spoofed email. Spoofing an email means telling a mail server to send a message whose From: header names someone else. Nothing in SMTP (the protocol used to send emails) ties that header to whoever is really sending, and any language that can talk to an SMTP server can set it, including PHP, ASP, .NET and many more. If we look at PHP for example, we can construct a script to send an email easily by using the mail() function as follows:

mail("emailto@email.com", "Subject for your email", "Your email message", "Your email headers");

As you can see, the mail() function takes four arguments: the address the email is sent to, the subject line, the message and the email’s headers. The headers are what we are interested in, as this is where the spoofing happens. You can define which email address the email appears to come from simply by constructing a custom From: header. An example of this could be:

$headers = 'From: a-trusted-companys-email@email.com' . "\r\n" .
    'Reply-To: a-trusted-companys-email@email.com' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

In the above example we are simply telling the mail server to send our message as if it came from a-trusted-companys-email@email.com. You can also set a display name, in which case the sender shows up in a mail program like this: A Trusted Company <a-trusted-companys-email@email.com>. Nothing in the script has to prove it is entitled to use that address. To the average person this looks like an official email and they might just open the attachment or link.

Most mail providers, Gmail included, have very sophisticated spam filters which score a message on many criteria, for example whether the message is authenticated by the domain it claims to come from (SPF, DKIM and DMARC checks on who actually sent and signed it). Many people also report spam emails and as a result Google’s spam filter learns what to look out for. In my case, it came from the company’s official email address and because I have received emails from them before, Google did not mark it as spam.

A way scammers can get around spam filters is by misspelling the email address instead of forging the real one. The filter then has nothing to compare against: the address belongs to no known sender, the message is consistent with itself, and since no one has reported the address as spam yet, it might not get flagged. This is a false negative (spam that gets through), not a false positive. It could be something simple, like orders@delivery.com being spelt as orders@deliverys.com. It is very easy to miss this, especially if you don’t know any better.
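To see how a receiving filter tells these two cases apart, here is an added example in Python (not code from the original post). It parses three constructed messages: one whose From: line was forged with a custom header, the way the PHP snippet above does it; one sent from a look-alike domain; and one from the genuine sender. The forged message fails because the envelope sender the receiving server records in Return-Path, and the absence of any DKIM signature, do not match the From: domain (the check DMARC calls alignment, done here in its strict, exact-domain form). The look-alike message passes those checks, because everything in it agrees with itself, and is only caught by comparing the From: domain against senders you actually know. The allow-list, the sample messages, the domain names and the signature values are all assumptions constructed for this example, and the DKIM signature is not verified cryptographically (that needs the signer’s DNS record); only its d= tag is read.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list of domains this mailbox actually expects mail from (assumption).
KNOWN_SENDERS = {"delivery.com", "bank.example"}

# Constructed sample 1: From: forged with a custom header, as the PHP snippet does.
# The receiving server records the real envelope sender in Return-Path, and no
# DKIM signature for delivery.com exists because delivery.com never sent it.
SPOOFED = """\
Return-Path: <www-data@vps.attacker.example>
From: A Trusted Company <orders@delivery.com>
Reply-To: orders@delivery.com
To: victim@example.org
Subject: PO for goods ordered this week
X-Mailer: PHP/5.6.30

Kindly find attached PO.
"""

# Constructed sample 2: a look-alike domain, so envelope, header and DKIM all agree.
# The bh= and b= values are placeholders, not a real signature.
LOOKALIKE = """\
Return-Path: <bounce@deliverys.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=deliverys.com; s=mail; h=from:to:subject; bh=cHVibGljLWRlbW8=; b=c2lnbmF0dXJlLWRlbW8=
From: orders@deliverys.com
To: victim@example.org
Subject: PO for goods ordered this week

Kindly find attached PO.
"""

# Constructed sample 3: the genuine sender, for comparison.
GENUINE = """\
Return-Path: <bounce@delivery.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delivery.com; s=mail; h=from:to:subject; bh=cHVibGljLWRlbW8=; b=c2lnbmF0dXJlLWRlbW8=
From: Delivery Orders <orders@delivery.com>
To: victim@example.org
Subject: Your order

Thanks for your order.
"""


def _domain(header_value):
    """Domain part of the address in a From:/Return-Path: header, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _dkim_domain(signature):
    """The d= tag of a DKIM-Signature header (the signing domain), or '' if absent."""
    for tag in signature.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip().lower()
    return ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter-off look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw_message):
    """Return (code, detail) findings for a raw message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From", ""))
    envelope_dom = _domain(msg.get("Return-Path", ""))
    dkim_dom = _dkim_domain(msg.get("DKIM-Signature", ""))
    findings = []
    # Strict alignment: the envelope sender and the signer must be the From: domain.
    if envelope_dom and envelope_dom != from_dom:
        findings.append(("ENVELOPE_MISMATCH", f"Return-Path is {envelope_dom}, From: claims {from_dom}"))
    if not dkim_dom:
        findings.append(("NO_DKIM", "message carries no DKIM signature"))
    elif dkim_dom != from_dom:
        findings.append(("DKIM_MISALIGNED", f"signed by {dkim_dom}, From: claims {from_dom}"))
    if msg.get("X-Mailer", "").startswith("PHP/"):
        findings.append(("PHP_MAILER", "sent with PHP mail(); worth a second look from a company"))
    # Look-alike check: an unknown domain within two edits of one we trust.
    if from_dom not in KNOWN_SENDERS:
        for known in sorted(KNOWN_SENDERS):
            if 0 < _edit_distance(from_dom, known) <= 2:
                findings.append(("LOOKALIKE", f"{from_dom} is within 2 edits of known sender {known}"))
    return findings


def finding_codes(raw_message):
    """Just the codes, for a quick verdict."""
    return [code for code, _ in assess(raw_message)]


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("look-alike", LOOKALIKE), ("genuine", GENUINE)):
        print(label, assess(sample))
```

The forged message is the easy case, which is why real filters catch most of it: the From: line says one thing and every other trace of how the message travelled says another. The look-alike case produces no contradictions at all, so the only thing left to check it against is your own knowledge of who you deal with, which is what the rest of this section is about.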

Furthermore a scammer could, for example, include an HTML email template in the message body. If you consider the emails you get from your bank: they usually contain their logo, your name, an introduction paragraph and some useful links. It is VERY easy to fake this by building your own HTML email template and inserting a name as a variable. These scammers can get your name and email address in many ways: you might have signed up to a website that sold your data, or you might have filled in your details on a dodgy contact form somewhere. Data is traded all the time; so don’t assume that all websites will keep your data safe.

Custom headers are not malicious in themselves: many developers use them to send emails from a platform or piece of software to a client or user. You might use PHP headers to send an email from noreply@email.com, and many plugins use them to send an email as if it came from you.

Although mail providers now reject or flag a lot of spoofed email through SPF, DKIM and DMARC, it is important to always be alert and check who and where an email comes from, especially if it has an unusual attachment.

2. The attachment and its contents

Scammers send attachments in many forms and sizes: a PDF, a ZIP file, an executable (.exe), a link to an external website or, in this case, an HTML document. Spam filters scan attachment contents for known malicious code, including files inside a ZIP archive, and most providers refuse to deliver executable attachments to your inbox at all.

But sometimes the scammers bury the scam so deeply that Gmail might not pick up on it. In my case, Google might not have thought it strange that I was receiving an HTML file via email – it could have been someone sending me a webpage they saved. In general it is not easy to install software from a website onto a user’s machine, due to things like anti-virus programmes and spam filters. This is why phishing scams have become so popular: they rely on trickery rather than on software exploits, and are often very hard to spot. I knew that the HTML file I received was virus free; so I downloaded the file onto my computer. It is important to note that you should not open such an HTML file in your browser: the file can redirect you to a malicious page the moment it loads, where it could install malware. Open it in a text editor instead.

I opened the file in a text editor to see the actual HTML code. I was presented with an encoded string and one line of JavaScript code:

<script language=javascript>document.write(unescape('%0A%3C%4D%45%54%41%20%48%54%54%50%2D%45%51%55%49%56%3D%52%65%66%72%65%73...'))</script>

Because this is inline JavaScript, document.write runs the moment the HTML page is opened, and whatever it writes becomes part of the page. Its argument is the long string passed through unescape. The legacy JavaScript escape function replaces characters that are not letters, digits or a few punctuation marks with %XX hexadecimal escapes (a space becomes %20, which you may recognise from URLs, and < becomes %3C); unescape reverses this, so the string above decodes back into HTML tags. Encoding the payload this way hides the real tags from anyone, or any filter, that only looks at the file as it is.

I then changed the script to log the result to the console instead of writing it to the document, using the JS console.log() function. It was then safe to run the script, as it would not execute the decoded code in my viewport, but only print it to the console. The result was the following:

<META HTTP-EQUIV=Refresh CONTENT="0; URL='data:text/html;base64,PGh0bWw+PGhlYWQ+PHRpdGxlPlZpZXcgRG9jdW1lbnQgPC90aXRsZT4KPG1ldGEgaHR0cC1lcXVp...">

This is a data URI. A data URI embeds a resource inline, in place of a web address; in this case the resource is an entire HTML document, base64-encoded. The meta refresh tag tells the browser to navigate immediately (after 0 seconds) to that data URI, so the decoded HTML becomes the page the user sees, without any request to a server that a filter could inspect. I then copied the entire base64 string and decoded it using an online tool. The result was some more HTML code:

<html><head><title>Login </title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="robots" content="noindex">
<meta name="googlebot" content="noindex">
<meta name="googlebot-news" content="noindex">
<!--<meta http-equiv="refresh" content="0;url=http://.../_s_s_/login.php"> -->
<meta name="robots" content="noindex">
<meta name="googlebot" content="noindex">
<meta name="googlebot-news" content="noindex">

</head><body style="margin:0px;padding:0px;overflow:hidden">
    <iframe src="data:text/html;charset=utf-8;base64,PG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iMDt1cmw9..." frameborder="0" style="overflow:hidden; overflow-x:hidden; overflow-y:hidden; height:100%; width:100%; position:absolute; top:0px; left:0px; right:0px; bottom:0px"></iframe>


3. The iframe

If you look at the above code snippet, you’ll notice that we were presented with a basic HTML document containing an iframe. The iframe’s source is yet another base64-encoded data URI which, when decoded, contains another meta refresh tag, this one pointing at a PHP script called login.php (the same target that sits commented out in the document’s head). For those not familiar with an iframe: it embeds another document and displays it as if it were part of the page. By default an iframe is a small bordered box that gets scrollbars when its content overflows, but the scammers’ CSS stretches it to cover the whole viewport and hides every scrollbar, so only the intended content shows: the login form. If you were a user who had opened this file, you would end up on a page containing an iframe you can’t see, and inside it the content of login.php. This all happens immediately, so you would not necessarily realise that you were being redirected to a login form. Note also the robots and googlebot noindex tags: the page asks search engines not to index it, so the phishing page does not turn up in search results.
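The decoding that sections 2 and 3 walk through by hand (unescape, meta refresh to a data URI, base64, iframe to a second data URI, base64, meta refresh to the login page) can be done statically, without ever rendering the file. Here is an added example in Python, not code from the original post, that first rebuilds an attachment with the same layering around a hypothetical login URL (http://phish.example/login.php is a placeholder, not the scam’s real host) and then peels the layers off in a loop until it reaches a target that is not a data: URI. The sample attachment, the URL and its HTML are constructed for the example; the percent-encoding escapes every character, as the real attachment did, and commented-out redirects are ignored, as a browser would ignore them.

```python
import base64
import re
from urllib.parse import unquote

# ---- A sample attachment with the same layering as the real one (constructed) ----
LOGIN_URL = "http://phish.example/login.php"  # hypothetical placeholder, not the real host

INNER_HTML = f'<meta http-equiv="refresh" content="0;url={LOGIN_URL}">'
_inner_b64 = base64.b64encode(INNER_HTML.encode()).decode()

MIDDLE_HTML = (
    "<html><head><title>Login </title>"
    '<meta name="robots" content="noindex">'
    # the real page carried its redirect commented out, next to the live iframe
    f'<!--<meta http-equiv="refresh" content="0;url={LOGIN_URL}"> -->'
    '</head><body style="margin:0px;padding:0px;overflow:hidden">'
    f'<iframe src="data:text/html;charset=utf-8;base64,{_inner_b64}" frameborder="0" '
    'style="height:100%; width:100%; position:absolute; top:0px; left:0px"></iframe>'
    "</body></html>"
)
_middle_b64 = base64.b64encode(MIDDLE_HTML.encode()).decode()

OUTER_HTML = "\n<META HTTP-EQUIV=Refresh CONTENT=\"0; URL='data:text/html;base64," + _middle_b64 + "'\">"
# escape() would leave letters and digits alone; the attachment escaped every byte.
_escaped = "".join(f"%{ord(c):02X}" for c in OUTER_HTML)
SAMPLE_ATTACHMENT = f"<script language=javascript>document.write(unescape('{_escaped}'))</script>"

# ---- Static unwrapping ----
_UNESCAPE_RE = re.compile(r"unescape\(\s*'([^']*)'\s*\)", re.I)
_META_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*["\']?([^"\'\s>]+)', re.I)
_IFRAME_RE = re.compile(r'<iframe[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)
_DATA_RE = re.compile(r"^data:([^,]*?)(;base64)?,(.*)$", re.I | re.S)
_COMMENT_RE = re.compile(r"<!--.*?-->", re.S)


def js_unescape(s):
    """Mimic JavaScript's legacy unescape(): %XX and %uXXXX become characters."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_data_uri(uri):
    """Return the document embedded in a data: URI as text."""
    m = _DATA_RE.match(uri)
    if not m:
        raise ValueError("not a data: URI")
    _mime, is_b64, payload = m.groups()
    if is_b64:
        return base64.b64decode(payload).decode("utf-8", "replace")
    return unquote(payload)


def unwrap(html, max_depth=10):
    """Peel document.write(unescape(...)), meta refreshes and iframes off a page.

    Returns (layers, final_url): layers is a list of (mechanism, decoded_html)
    in the order a browser would reach them; final_url is the first target that
    is not a data: URI, or None if the chain ends without an external target.
    """
    layers, current = [], html
    for _ in range(max_depth):
        m = _UNESCAPE_RE.search(current)
        if m:  # what document.write would have inserted into the page
            current = js_unescape(m.group(1))
            layers.append(("unescape", current))
            continue
        live = _COMMENT_RE.sub("", current)  # a commented-out redirect never fires
        for kind, rx in (("meta-refresh", _META_RE), ("iframe", _IFRAME_RE)):
            m = rx.search(live)
            if m:
                break
        else:
            return layers, None
        target = m.group(1)
        if not target.lower().startswith("data:"):
            return layers, target
        current = decode_data_uri(target)
        layers.append((kind, current))
    raise RuntimeError("redirect chain deeper than max_depth")


if __name__ == "__main__":
    found_layers, url = unwrap(SAMPLE_ATTACHMENT)
    for kind, doc in found_layers:
        print(f"{kind:13s} -> {doc[:60]!r}...")
    print("final target:", url)
```

Each layer on its own is innocuous to a scanner that only reads the file: percent-escapes, a meta tag, a base64 string. Following the chain the way the browser would, but without executing anything, is what exposes the login.php target, and the max_depth guard keeps a deliberately self-referential file from spinning forever.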

Because the login file is a PHP script, I am unable to see its contents – but we can assume at this point that it is used to steal our information. PHP runs on the server, so a visitor only ever receives the HTML it outputs, never the script itself. Upon entering the URL of the login.php script (with my anti-virus enabled) I was presented with something that looked very familiar:

Fake Google login page

Because I use Google services often I immediately realised that this is definitely not what Google’s login page looks like. For starters, I don’t think Sundar would be ok with the dropdown not lining up with the input boxes. Using HTML and CSS the scammers were able to (almost) replicate Google’s login form. Anyone who knows basic HTML and CSS can achieve this; and many scammers are able to make an exact replica of a login form. To the untrained eye this looks very close to the real thing, and if you didn’t know any better you would think that you are being asked to sign in so that you can view the attachment from A Trusted Company. 

While inspecting the code I could not see where this form was sending your information to, but I did notice that it was using Spry assets, which are native to Dreamweaver. Also, the CSS was messy and the ultimate giveaway was that this form was sitting within an iframe.

I then entered some random details (explicit@email.com) to test the form. There was no validation: I could enter any text into the email field and it would accept it. Upon clicking “sign in” I got redirected to something that looks like Google’s validation page:

Fake Google verification page

The first giveaway is that this is Google’s old logo. There is no way Google would let this one slip. The second problem is that it is asking you for either a recovery email address or a telephone number. They would most likely use this information to let you know that your uncle has passed and had left you a million dollars. Once you enter some more random details; you get redirected to a website that contains a document called “Introduction to business management”. Perhaps this was a tongue in cheek message from the scammers to tell you that you have been owned; as by now they most likely have your details.

Scams like these often save the captured details to a text file on the server, another thing that is really easy to do with something like PHP. They could even be using mail() to send themselves an email with your information. The scammers will then most likely change your password and lock you out of your account, often within minutes.


To conclude

Ultimately there will always be someone trying to steal your stuff, whether it’s your personal information or your Pokemon Go password. The only defence is to stay vigilant and know what to look for. Knowing how these scams work will help you identify them – but just don’t tell your family or they might send all their emails to you to check.

Posted in Development
