Skip to content

Instantly share code, notes, and snippets.

@Siguza
Created February 15, 2018 15:02
Show Gist options
  • Save Siguza/524aebe964ed999b0ca8970798fdea20 to your computer and use it in GitHub Desktop.
Save Siguza/524aebe964ed999b0ca8970798fdea20 to your computer and use it in GitHub Desktop.

Analysing some PayPal phishing

Not long ago I tweeted about some PayPal phishing mails I got, which appeared to use hacked websites for their cause, and of which all traces were gone 24h after my initial recon.
Well, I got another such mail:

Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from linuxhosting09.rediff.com (host152-150.mxout.rediffmailpro.com [119.252.152.150])
	by mail.siguza.net (Postfix) with ESMTPS id E80064A227F9
	for <[email protected]>; Thu, 15 Feb 2018 14:49:32 +0100 (CET)
Received: by linuxhosting09.rediff.com (Postfix, from userid 10025)
	id 745ABCF6D516; Thu, 15 Feb 2018 18:37:17 +0530 (IST)
To: [email protected]
Subject: Account PayPal Notice of New Updates
X-PHP-Originating-Script: 10025:mailerbox1.php(553) : eval()'d code(2) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code
From: Service <[email protected]>
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <[email protected]>
Date: Thu, 15 Feb 2018 18:37:17 +0530 (IST)

<html><head></head><body><table style="font-family:'Times New Roman';" cellspacing="0" cellpadding="0" width="600" align="center" border="0"><tbody><tr class="header"><td valign="bottom"><span style="font-size:12px;font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;color:rgb(159,159,159);"></span></td>
<td align="right"></td></tr><tr>
  
</svg><tr><td colspan="2">
<h1 style="font-size:24px;font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;font-weight:normal;color: rgb(27, 144, 234);padding-bottom:0px;padding-top:10px;padding-left:0px;padding-right:0px;">Update Required</h1>
<p style="font-size:14px;font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;line-height:21px">Some information on your account appears to be missing or incorrect. Please update your information promptly so that you can continue to enjoy all the benefits of your PayPal 
account. </p>
<h1 style="font-size:14px;font-family:'Arial Black';color:rgb(84,84,84);line-height:21px">
<b><font face="Franklin Gothic Medium"><br></font>
<a style="color:rgb(27,144,234);" href="http://www.hi5concepts.com/images/Sonos/index.php" target="_blank">
<span style="font-size: 10pt"><font face="Franklin Gothic Medium">Log In To Account
</font></span></a></b></h1></td></tr><tr><td colspan="2">
<div><span style="font-size:15px;font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;color:rgb(51,102,204);"></span><br></div>
<p style="font-size: 14px; font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: rgb(84,84,84); line-height: 21px"><br>
<font size="4">Thanks for choosing PayPal,<br style="color:rgb(202,162,0);">PayPal Team</font></td></tr><tr>
		<td height="32" valign="bottom" colspan="2"></td></tr><tr><td colspan="2">
<p style="font-size:12px;font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;padding-bottom:0px;padding-top:10px;padding-left:0px;padding-right:0px">© Copyright [+] 1999-2018 PayPal 
Inc. All rights reserved.</p>
<p style="font-size:12px;font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;padding-left:0px; padding-right:0px; padding-top:10px; padding-bottom:0px">PayPal Email ID PP45412 - D54DF54C7</p></td></tr></tbody></table></body></html>

Ok, so:

  • [email protected] is almost certainly just bullshit and only indicated a spoofed sender rather than a hacked server.
  • linuxhosting09.rediff.com could just be a regular VPS or something, but that eval()'d code(2) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code seems veeery fishy to me.
  • The MX record for jmenviro.com points to mail.rediffmailpro.com, so [email protected] might just take advantage of shared hosting/mail-service-stuff'ing? The MX records for rediff.com doesn't end up at the same IP as mail.rediffmailpro.com as far as I can see, but the two domains are both owned by "Rediff.com India Ltd.", so it's entirely possible they're interlinked somehow.

Now, onto that link in the mail body. There were two different responses I got, seemingly at random:

$ curl -D- 'http://www.hi5concepts.com/images/Sonos/index.php'
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 15 Feb 2018 14:16:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Host-Header: 192fc2e7e50945beb8231a492d6a8024
X-Proxy-Cache: MISS

<meta http-equiv='refresh' content='0;url=http://krokodylujana.pl/libraries/domit/pp'>
$ curl -D- 'http://www.hi5concepts.com/images/Sonos/index.php'
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 15 Feb 2018 14:16:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Host-Header: 192fc2e7e50945beb8231a492d6a8024
X-Proxy-Cache: MISS

<meta http-equiv='refresh' content='0;url=http://krokodylujana.pl/media/system/swf/paypal'>

The domain hi5concepts.com is registered to an "Alex Vellinga" from Portugal, while krokodylujana.pl belongs to a Consulting Service Sp. z o.o. in Warsaw, Poland. Interestingly enough, both websites respond on port 443, but hi5concepts.com presents an expired Let's Encrypt certificate, while krokodylujana.pl presents a self-signed one for localhost and also just shows "Apache is functioning normally" instead of the website that is served over HTTP.
So you've got two unrelated websites with broken security, but one redirects to the other via a PHP script in an images folder? Seems fucking legit.

Moving on, both URLs first return a 301 Moved Permanently and redirect to the same URL, but with a trailing slash. After that, I observed the same behaviour as last time:

Without a User-Agent header, you get a sort of "fake 404":

$ curl -D- 'http://krokodylujana.pl/libraries/domit/pp/'
HTTP/1.1 200 OK
Date: Thu, 15 Feb 2018 14:25:10 GMT
Server: Apache/2
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=r9vocjel6fvagme3cmeqbjvto7; path=/
Vary: Accept-Encoding,User-Agent
Transfer-Encoding: chunked
Content-Type: text/html

404 NOT FOUND
$ curl -D- 'http://krokodylujana.pl/media/system/swf/paypal/'
HTTP/1.1 200 OK
Date: Thu, 15 Feb 2018 14:25:39 GMT
Server: Apache/2
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ur648r2fetlbq7fogr1csskap3; path=/
Vary: Accept-Encoding,User-Agent
Transfer-Encoding: chunked
Content-Type: text/html

404 NOT FOUND

With a User-Agent however, no matter its contents:

$ curl -D- -H 'User-Agent: Spoderman' 'http://krokodylujana.pl/libraries/domit/pp/'
HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Feb 2018 14:28:31 GMT
Server: Apache/2
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=0tnntvh6qeb5ottulnkp8sf2g2; path=/
LOCATION: ./customer_center/customer-IDPP00C252
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html

$ curl -D- -H 'User-Agent: Spoderman' 'http://krokodylujana.pl/media/system/swf/paypal/'
HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Feb 2018 14:29:07 GMT
Server: Apache/2
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=sdmp6bme6c402p70t1s5mvg4q0; path=/
LOCATION: ./customer_center/customer-IDPP00C634
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html

These requests now also seemed to run for a few seconds before returning a result.
Keeping the User-Agent and following the redirects, we are once again redirected to append a slash, and then yet another time to myaccount/signin/ (that part was the same last time):

$ curl -D- -H 'User-Agent: Spoderman' 'http://krokodylujana.pl/libraries/domit/pp/customer_center/customer-IDPP00C252/'
HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Feb 2018 14:31:16 GMT
Server: Apache/2
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=d1j0nb0nca8rpdnb7sfio82a36; path=/
LOCATION: myaccount/signin/?country.x=CH&locale.x=en_CH
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html

Until we finally arrive at:

$ curl -D- -H 'User-Agent: Spoderman' 'http://krokodylujana.pl/libraries/domit/pp/customer_center/customer-IDPP00C252/myaccount/signin/'
HTTP/1.1 200 OK
Date: Thu, 15 Feb 2018 14:31:40 GMT
Server: Apache/2
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=vhmfdrcu6elft0jhc4e2qqcuf7; path=/
Vary: Accept-Encoding,User-Agent
Transfer-Encoding: chunked
Content-Type: text/html

<html id="x_27165674">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta charset="utf-8">
    <title>Log in to your &#x50;&#x61;&#x79;&#x50;&#x61;&#x6C; Account</title>
	<!------------------------------- FILES CSS STYLE --------------------------------->
    <link rel="stylesheet" href="../../lib/css/L-Z118.css">
	<style>
	.xZ98_456ZTa{
        margin: 0 auto;
        width: 460px;
    }
	.xZ98_ZTAAa{
        -webkit-border-radius: 5px;
        -moz-border-radius: 5px;
        -khtml-border-radius: 5px;
        position: relative;
        margin: 130px auto 0;
        padding: 30px 10% 50px;
        -webkit-border-radius: 5px;
        -moz-border-radius: 5px;
        -khtml-border-radius: 5px;
        border-radius: 5px;
    }
	@media all and (max-width:767px) {
    .xZ98_456ZTa{
        margin-top:30px;
        padding-top:0;
        width:100%;
        background-color:#fff
    }
	.xZ98_ZTAAa{
        margin:0 10%;
        padding:0
       }
    }
	</style>
    <link rel="shortcut icon" type="image/x-icon" href="../../lib/img//favicon.ico">
    <meta name="viewport" content="initial-scale=1.0">
</head>
<body id="8881-xX666Xx-11133"><p style="color: white;">.</p>
	<div for="10405-xMARVELxDCxCOMIC18x-11369" id="_x78ZZ3204297" name="Login">
        <div for="11667-XXIXXX78315870118x-12215" id="_x987ZZ-288381" class="_x78ZZ909016 xZ98_456ZTa _x78ZZ4374837">
            <div id="11743-xMARVELxDCxCOMIC18x-12379" class="_x78ZZ4830095 xZ98_ZTAAa _x78ZZ773526">
			<header>
                <div id="9636-xMARVELxDCxCOMIC18x-12368" class="x_29ID-Z723  kl_h4aXX6987PO x_27ID-Z649 "></div>
            </header>
                <section id="x_22ID-Z590 " class="x_31ID-Z602 ">
                    <form for="10268-xMARVELxDCxCOMIC18x-10739" action="" method="post" class="_x987WW-4956979 _x1989MPZ-126497312" id="I30ID2963241" name="login">
                        <div id="x_34ID-Z729 " class="x_32ID-Z690 xv987HUB x_29ID-Z784 ">
                            <div class="x_G00066XD" id="10881-xMARVELxDCxCOMIC18x-11954">
                                <div class="x_G00066XD" style="z-index: 100;">
                                    <div id="9061-xMARVELxDCxCOMIC18x-9946" class="xMARVELxDCxCOMIC118-C4as3 X66LiL44 x_23ID-Z687 ">
                                        <input for="9635-xMARVELxDCxCOMIC18x-8832" class="x_25ID-Z758 x_Z1186XDD7 x_32ID-Z698 " name="login_email" type="email" placeholder="Email" id="02030I756225371" value="">
                                    </div>
                                    <div id="10087-xMARVELxDCxCOMIC18x-12138" class=" x_23ID-Z548 J118GhosTXRider x_26ID-Z667">
                                        <p>Email address is required.</p>
                                    </div>
                                </div>
                                <div id="11140-xMARVELxDCxCOMIC18x-11130" class="x_30ID-Z674  x_G00066XD x_28ID-Z596 ">
                                    <div id="9322-xMARVELxDCxCOMIC18x-11924" class="xMARVELxDCxCOMIC118-C4as3 X66LiL44">
                                        <input for="10611-xMARVELxDCxCOMIC18x-12227" class="x_Z1186XDD7" name="login_password" type="password" placeholder="Password" id="001X3I1339562726">
                                    </div>
                                    <div id="11252-xMARVELxDCxCOMIC18x-8886" class="x_26ID-Z763 J118GhosTXRider x_26ID-Z607 ">
                                        <p id="9262-xMARVELxDCxCOMIC18x-9135">Password is required.</p>
                                    </div>
                                </div>
                            </div>
                            <div id="11673-xMARVELxDCxCOMIC18x-12042" class="9106-xMARVELxDCxCOMIC188x-11338 o_B4Ads-W4OOXDS">
                                <button for="8810-xMARVELxDCxCOMIC18x-9706" class="xXMARVELxXBut00N" type="submit" id="11192-x666G-11938" name="12078-x968AG-9937">Log In</button>
                            </div>
                            <div id="10396-xMARVELxDCxCOMIC18x-10980" class="x_29ID-Z747 ww_LiZ3b44 x_28ID-Z549 "><a href="#" id="9405-xT00x-10351" class="11675-x660x-11811">Having trouble logging in?</a>
                                <div id="10480-xMARVELxDCxCOMIC18x-11460" class="x_32ID-Z638 " id="x_33ID-Z538 ">
                                </div>
                            </div>
                            <a for="10741-xMARVELxDCxCOMIC18x-11235" href="#" class="x_27ID-Z631 xXMARVELxXBut00N Z0-s6X6s-00" id="10182-s6X6s-10445">Sign Up</a></div>
                    </form>
                </section>
                <br>
            </div>
        </div>
        <div id="10565-xMARVELxDCxCOMIC18x-9247" class="x_26ID-Z672 F4_x666x_F4 x_27ID-Z742 ">
            <p id="12228-xMARVELxDCxCOMIC18x-10321" class="x_32ID-Z668 xT02X65G x_29ID-Z783">Checking your info…</p>
        </div>
    </div>
    <footer id="12365-xMARVELxDCxCOMIC18x-11726" class="x_28ID-Z643 DC_XX98700 x_29ID-Z599 xv987HUB x_33ID-Z638 ">
        <ul>
            <li id="10112-xMARVELxDCxCOMIC18x-9227"><a href="#">Privacy</a></li>
            <li id="8956-xMARVELxDCxCOMIC18x-10746"></li>
            <li id="10380-xMARVELxDCxCOMIC18x-8921"><a href="#">&#x50;&#x61;&#x79;&#x50;&#x61;&#x6C;</a></li>
        </ul>
        <br>
        <ul id="9120-xMARVELxDCxCOMIC18x-10276">
            <li id="11181-xMARVELxDCxCOMIC18x-9637"><a href="#" style="color: #9e9e9e;">Copyright © 1999-2018 &#x50;&#x61;&#x79;&#x50;&#x61;&#x6C;&#x2E;&#x20;&#x41;&#x6C;&#x6C;&#x20;&#x72;&#x69;&#x67;&#x68;&#x74;&#x73;&#x20;&#x72;&#x65;&#x73;&#x65;&#x72;&#x76;&#x65;&#x64;&#x2E;</a></li>
        </ul>
    </footer>
<!------------------------------- FILE JAVASCRIPT --------------------------------->
	<script type="text/javascript" src="../../lib/js/jquery.js"></script>
    <script type="text/javascript">
	$(document).ready(function() {
    $("#I30ID2963241").submit(function(a) {
        a.preventDefault();
        var b = 0;
        $("#02030I756225371").val() || ($("#02030I756225371").parent().next(".J118GhosTXRider").addClass("x87Z-Add1NG"), 
        $("#02030I756225371").addClass("x870AA-Ic0n3"), b = 1), $("#001X3I1339562726").val() || ($("#001X3I1339562726").parent().next(".J118GhosTXRider").addClass("x87Z-Add1NG"), 
        $("#001X3I1339562726").addClass("x870AA-Ic0n3"), $(".WA-MOOOOOY").css("z-index: 100;"), 
        b = 1), 1 != b && ($(".F4_x666x_F4").addClass("pX-X987").fadeIn(800), $(".xT02X65G").delay(0).fadeIn(800),
        setTimeout(function() {
            document.getElementById("I30ID2963241").submit();
        }, 1500));
    }), $("#02030I756225371").focus(function(a) {
        $("#02030I756225371").parent().next(".J118GhosTXRider").removeClass("x87Z-Add1NG");
    }), $("#001X3I1339562726").focus(function(a) {
        $("#001X3I1339562726").parent().next(".J118GhosTXRider").removeClass("x87Z-Add1NG");
    });
});
	</script>
<!------------------------------- FILE JAVASCRIPT --------------------------------->
</body>
</html>

Note how the URLs are all relative, and some things are obfuscated, e.g. &#x50;&#x61;&#x79;&#x50;&#x61;&#x6C; is used for PayPal. The site itself is just a fake PayPal login page that guides you to first provide your account details, followed by your credit card ones.

What now?

Multiple replies I got on twitter suggested the NameCheap subdomain vulnerability could be the cause for this. But we're not looking at subdomains here, we're looking at PHP scripts on suspicious paths hidden behind innocent-looking and likely genuine websites. I'm sharing my findings here hoping to find out how the malicious content gets to those websites. Are they all just hacked? MITM'ed? Is there an infrastructure vulnerability?

I've alerted the involved website operators, but if it's anything like last time, it won't be 24h before all traces of the malicious content are gone.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment