Anatomy of a Phish - NABbing Users One Email at a Time

September 12, 2016
Proofpoint Staff

Phishing attacks have come a long way from the Nigerian 419 scams that introduced many of us to the concept of phishing in the 1990s. While early scams were largely focused on tricking recipients into sending a small fee in advance of a large payment that would never appear, modern phishing attacks more frequently go after login credentials for online banking or services like Dropbox and Google Apps. At the same time, the attacks often use social engineering and sophisticated coding to make them harder to detect and more likely to trick recipients into divulging credentials or other personal information.

Proofpoint researchers recently identified one such attack on customers of the National Australia Bank (NAB). While Proofpoint services were able to detect and block emails in this campaign, to the naked eye, the emails and linked phishing sites were quite difficult to distinguish from legitimate bank communications.

In this case, customers received emails with the subject "Yοur NAB accοunt requires an additiοnal verificatiοn". The content of the email was designed to trick recipients into opening an HTML attachment to verify the login credentials for an account that might be suspended. Figure 1 shows a sample of the emails in this campaign.

fig-1_0.png

Figure 1: Sample phishing email from the recent NAB campaign

Even though text of the message looks legitimate, the letter "o" of the text was substituted with the Greek Unicode letter ο, which also looks like "o" to avoid detection by anti-spam filters. A hexadecimal view of the first sentence in the email shows the substitution:

Yοur NAB accοunt requires an additiοnal verificatiοn.

Additional investigation showed that the email originated from an IP address located in Spain:

fig-2a.png

fig-2b.png

Figure 2: Geo-location of the sending IP address

The HTML attachment is a fake "NAB Defence" message about security measures to fight fraud with an embedded link to "verify" account ownership

fig-3_0.png

Figure 3: Fake "NAB Defence" message in the HTML attachment using stolen NAB branding

Looking at source code of HTML attachment, clicking on the link as instructed should open the actual NAB page at hxxp[:]//ib[.]nab[.]com[.]au/nabib/update[.]jspx as shown in Figure 4.

fig-4.png

Figure 4: Source code of HTML attachment with link to a legitimate NAB page

However, the anchor tag also includes an onclick attribute which calls the OpenNewTab(1) function. This function would normally be located in a JavaScript external document as there is no JavaScript in the HTML file. The only reference to external JavaScript is located in a <head> tag and points to jquery-2.2.3.min.js. This file should load a jQuery hosted library, but is located on a suspicious and likely compromised website (hxxp://umbrellacosmetics[.]ba).

fig-5.png

Figure 5: Reference to external JavaScript in HTML attachment

The source of jquery-2.2.3.min.js contains the OpenNewTab(id) function which calls thedocument.location method with base64 encoded content:

fig-6.png

Figure 6: External JavaScript fragment hosted on a suspicious external website

In general, a legitimate jQuery library with this function would normally be located at following address: http://code.jquery.com/jquery-1.7.2.min[.]js

Decoding the base64 content shown in Figure 6 results in following string (you can read more about obfuscation techniques like this in the paper "Hiding in Plain Sight - Obfuscation Techniques in Phishing Attacks"):

fig-7.png

Figure 7: Decoded base64 string

Therefore, clicking the "Click here" link opens the following fake login page in which the recipient can provide account details:

fig-8.png

Figure 8: Fake NAB login page

At a glance, the address appearing in the address bar looks like a legitimate URL for NAB: "data:text/html;hxxp://ib[.]nab[.]com[.]au/nabib/update[.]jsp;base64,PHNjcmlwdC". However, the base64 encoding in the URL is actually hiding suspicious code.

When we view the source code for fake login page, we can see JavaScript that calls thedocument.write method and unescape function to decode content.

fig-9.png

Figure 9: Source code fragment for the fake login page

Unescaped content will result in HTML with NAB Internet Banking with two <frame> tags that also point to compromised websites hosting phishing forms to collect users data.

fig-10.png

Figure 10: Source code of the resulting HTML showing stolen branding and two frame tags with hosted phishing forms

The phish does not stop with login credentials. Rather, once the user provides a username and password, they will be redirected to an additional fraudulent page to provide additional information:

fig-11.png

Figure 11: Fraudulent account information page using stolen bank branding

Only after the user completes this page and clicks Continue will they be redirected to the legitimate National Australia Bank website. In the meantime, the credentials and account information are passed to cybercriminals.

In the face of this kind of attack, users and businesses can no longer rely only on basic anti-phishing technologies or even user education to combat phishing. These attacks are increasingly sophisticated and difficult to tell apart from legitimate emails and alerts due to both the underlying technologies and careful social engineering. Rather, organizations must deploy dynamic anti-phishing solutions to ensure that attacks never reach users who might inadvertently divulge credentials and banking information for personal and corporate accounts.