Hard on the heels of a surge in PayPal phishing emails meant to steal credentials and install malware on systems, a new phishing scam is in the spawning stages, again using PayPal emails as the lure. An investigation by researchers at Malwarebytes offers a play-by-play view into the machinations of a criminal.
Mails purporting to be from PayPal include a link that takes the user to a fake log-in site, where it asks for an email address, password, date of birth, address and credit card information. In that regard, it’s a fairly standard gambit – but for some reason, the perpetrator had disabled Chrome support for the page.
Intrigued, researchers at the firm decided to check out the source code to identify the origin of the phish, and found that the hacker was using already public code from pastebin.com. They proceeded to monitor and record as the phish was altered over subsequent days, and noted the step-by-step approach the hacker took to transform an existing scam for his own use.
“Something odd happened when I disabled the browser protection to actually view what the site looked like,” explained Jerome Segura, senior security researcher for Malwarebytes, in a blog. “This phishing page would not load if the user was running Google Chrome, instead displaying a generic, ‘Sorry, this website isn’t compatible with Google Chrome.’”
After the researchers tried a multitude of user-agent strings to spoof client requests, only Chrome and Chromebook agents were getting the error message. Even mobile browsers were served the page without a hiccup.
“If this was a traffic distribution system (TDS) leading to an exploit kit, it would make sense to avoid wasting everybody’s time since exploits that run on Chrome are just too rare,” Segura said, continuing his investigation. “But a simple phishing page with a standard HTML form should not be an issue that the backend server can’t handle.”
He added, “Google Chrome does have a good anti-phishing filter but again, the hacker would have known that sooner or later most browsers would be blocking the site too.”
After deciding to check out the page’s source code for clues to the origin of the phish, Segura discovered that the underlying code was public and up for grabs. “I was looking for unique strings that could lead to a hit on a Google search or other security-related database,” he said. “It’s always good to see the server side of things (PHP), because HTML only shows you what is displayed but not necessarily the internals.”
The source code included the Chrome-blocking check, likely a leftover from a different, specific use that the phishing author simply inherited when he grabbed the code off Pastebin. This became clear when, a day after the site was originally spotted, researchers noticed a change in the server’s structure that alerted them to customization in progress.
“All of the sudden, the root of the domain was browsable, probably due to an incorrect configuration in the Apache config files, and shows that the author was actively working on it,” Segura said.
Meanwhile, the phishing page itself was being updated to a newer one.
“It looks like the hacker was simply in the process of building his own phishing site by re-using some source code he had found elsewhere and adapting it along the way,” Segura said. “But the next day, the design once again completely changed. This may be the last version the hacker settles on.”
The final result is much more professional and authentic-looking than the first iteration, and uses a smart two-step process for capturing the information instead of asking for it all at once. Once the user fills in the information, everything is sent to a Gmail address. Then a command logs the victim out of PayPal and attempts to sign them back in.
“For this last part to work, you may need to have entered a valid and existing PayPal email address and password,” Segura said. “The goal is to create a seamless experience for the victim that has just been phished and can’t even tell it.”
As always, users of any online service, especially financial ones, should be very careful whenever they log into a site: use only trusted bookmarked pages, type the address in by hand, or go through secure and trusted apps.