by Dor Nabet
We’ve all experienced the typical phishing site where the attacker asks that you enter your credentials while the sketchy Microsoft logo on top of the page makes you feel comfortable doing so. Those phishing sites used to be easy to recognize: the simple behind-the-scenes code would reveal the site’s identity, functions, information delivery methods and where the data was being sent to.
Let’s see how the attacker creates an obfuscated redirection site. Sidenote: this task is typically performed using a phishing kit, but we will be looking at the manual process.
That’s not all, however. The attacker will not just send the site’s URL directly to the victim – they would create another site, either with its own domain or with a compromised one, employing multiple functions and loops (usually implemented using base64) to redirect the victim to the actual phishing site. This creates yet another layer of evasion from the detection tools.
Let’s go over this process step by step.
The phishing source site can be something as simple as one function:
When obfuscated, the code becomes unreadable and hard to understand:
The victim does not receive the phishing site's URL itself but a redirecting one: when clicked, it takes them to the actual phishing site. If you encounter a site with similar characteristics, you would be well advised to close it and report the email sender.
The code from the legitimate Microsoft site is easily readable and well organized; no unusual functions or parameters are found. On an obfuscated site, however, the code is not so easy to interpret. In the example below, note the suspicious var enablebase64 parameter, which we know is part of the obfuscation functions, and the var redirectUrl parameter holding the redirection URL that takes you to the actual phishing site:
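The indicators called out above (a var enablebase64 flag, a var redirectUrl variable, and a base64-wrapped target decoded in the browser) can be checked for mechanically when you inspect a suspicious page's source. The following is an added example written for this article, not code from the post or from any phishing kit: it scans page source for those variable names, finds quoted string literals that look like base64, peels nested base64 layers until a URL appears, and reports what it found. The page source it runs on is a constructed sample built to match the pattern the post describes, and the variable list and scoring rule are assumptions a real checker would extend.

```python
import base64
import re

# Constructed sample of page source showing the indicators described in the
# post (an enablebase64 flag, a redirectUrl variable, and a base64-wrapped
# target decoded client-side). It is not taken from any real site or kit.
SAMPLE_SOURCE = """
<html><body>
<script>
var enablebase64 = true;
var redirectUrl = "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9naW4=";
function go() {
  window.location = enablebase64 ? atob(redirectUrl) : redirectUrl;
}
setTimeout(go, 200);
</script>
</body></html>
"""

# Variable names the post calls out as suspicious. Assumption: a production
# checker would carry a longer list drawn from kits observed in the wild.
SUSPICIOUS_VARS = ("enablebase64", "redirectUrl")

# Quoted string literals long enough to plausibly be base64 payloads.
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
URL_RE = re.compile(r"^https?://\S+$")


def peel_base64(token, max_depth=5):
    """Decode base64 repeatedly (redirectors often nest several layers) until
    the result is a URL, or stop when it is no longer valid base64/UTF-8.
    Returns the recovered URL, or None if no URL emerges."""
    text = token
    for _ in range(max_depth):
        try:
            text = base64.b64decode(text, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        if URL_RE.match(text):
            return text
    return None


def analyze_source(source):
    """Return the redirect-obfuscation indicators found in a page's source."""
    found_vars = [name for name in SUSPICIOUS_VARS
                  if re.search(r"\bvar\s+%s\b" % re.escape(name), source)]
    # atob() is the browser-side base64 decoder the flag usually gates.
    uses_atob = re.search(r"\batob\s*\(", source) is not None
    decoded_urls = []
    for literal in B64_LITERAL_RE.findall(source):
        url = peel_base64(literal)
        if url:
            decoded_urls.append(url)
    # A hidden redirect target combined with the obfuscation variables is the
    # pattern the post describes; treat that combination as the verdict.
    verdict = "obfuscated-redirect" if (found_vars and decoded_urls) else "no-indicators"
    return {
        "suspicious_vars": found_vars,
        "uses_atob": uses_atob,
        "decoded_urls": decoded_urls,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze_source(SAMPLE_SOURCE).items():
        print(f"{key}: {value}")
```

Run it against saved page source (View Source, or a file fetched in an isolated analysis environment) rather than a live browser session; the decoded URL tells you where the redirector would have sent the victim, which is the value to report alongside the sender's address.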
Let’s summarize some basic practices that will help you identify a phishing site, stop a potential phishing attack, and stay safe.
- Stop. Do not open links from any sender. Always check the sender’s address and not just what the email subject and title say.
- Observe. You have checked the sender’s email address and it seems okay. Now ask yourself if you are supposed to be getting emails from that sender.
- Suspect. The sender looks legitimate, but you are not sure if you were supposed to receive anything from him or her. STOP. Don’t click. Take a good look at the URL and the site name. Do they look suspicious to you? Is the site name spelled correctly? Does the URL look real and related to the email sender’s domain?
- Interrogate. Everything looks right, but you are not fully convinced. Check the source code and re-read this blog article to identify the possible suspicious code indicators.
Always keep in mind the golden phishing prevention steps: Stop, Observe, Suspect, and Interrogate. If you’ve taken all four, you should be fine. Read this other blog for more tips and additional detail.