Who would click that
Like most of humanity, I’ve received countless phishing emails over the years. Something like 95% of them can be dismissed immediately: poor spelling, blatantly incorrect email addresses in the headers, shitty markup, suspicious attachments. I got one the other day regarding an ebay account that I don’t have, but it actually looked good enough that in a moment of weakness, I nearly clicked on the link. In my defense, I technically did have an ebay account at some point, but it’s not associated with my current email address. I blame this detail for temporarily throwing me off my guard.
I think this is how it happens for most people. You’re checking your email, listening to a podcast or youtube video at the same time, your attention is only like 20% focused on what you’re doing, your brain misfires and by then it’s too late.
This got me wondering, though: where does this link go? I’ve spent my whole life avoiding these things, so what happens if I go ahead with it? A fake login page for my credentials? Malware? Some kind of XSS attack? The curiosity is killing me, so let’s try it.
Before proceeding though, I feel like I need to emphasize that this is a real malicious site. I’m including the URL (with the parameters obscured to hide my email address) because it seems like the site has already been identified as malicious and is blocked by most browsers. That said, don’t go there.
First off, what’s in the actual markup of the email? Maybe just opening it was the first mistake and I’m already compromised.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<!--[if !mso]>
<!-->
<meta content="IE=edge" http-equiv="X-UA-Compatible">
<!--<![endif]-->
<meta content="width=device-width, initial-scale=1.0" name="viewport">
<!--[if !mso]>
<!-->
<title> Msg2020 - 5147d0ac</title>
</head>
<body style="margin: 0px; padding: 0px; font-family: " Nunito Sans" , sans-serif; -webkit-font-smoothing: antialiased; background-color: rgb(250, 250, 250); text-align: center; cursor: auto; ">
<div style="display:none !important; opacity:0; color:transparent; mso-hide:all; max-height:0px; overflow:hidden; "> </div>
<table align="center" style="border-spacing: 0; border: 0; width: 100%; max-width: 800px; margin: 0 auto; padding-bottom: 50px; padding-top: 30px; background-color: #FFF; border-left: 1px solid #E6E6E6; border-right: 1px solid #E6E6E6; " cellspacing="0" cellpadding="0" width="800">
<tbody>
<tr>
<td align="center" style="padding: 14px 0 5px;"> <a href="http://donnybridgen.ca/wordpress/L13d09gbeebg99dd6/?eby=usa&mur=bWVAbXllbWFpbGFkZHJlc3MuY29tCg==" style="text-decoration: none; font-family:'Nunito Sans',sans-serif; font-weight: bold; font-size: 10px; color: #444; margin:0; ">
View this email in your browser</a> </td>
</tr>
<!-- //LiveIntent Ad -->
<tr>
<td align="center" style="display: inline-block;">
<!-- Article start -->
<table align="center" cellpadding="0" cellspacing="0" style="display: inline-block;">
<tbody>
<tr>
<td align="center" style="display: inline-block;">
<p style="color: #444; font-weight: bold; white-space: nowrap; margin-left: -5px; display: inline-block;"> <span style="font-size: 46.5px; margin-left: -5px; white-space: nowrap; display: inline-block; color:#E5343A;">
e</span> <span style="font-size: 46.5px; margin-left: -5px; white-space: nowrap; display: inline-block; color:#0064D2;">
b</span> <span style="font-size: 46.5px; margin-left: -5px; white-space: nowrap; display: inline-block; color:#F5AF02;">
a</span> <span style="font-size: 46.5px; margin-left: -5px; white-space: nowrap; display: inline-block; color:#86B817;">
y</span> </p>
</td>
</tr>
</tbody>
</table>
<!-- //Article End -->
</td>
</tr>
<!-- Branded Banner End -->
<!-- Prize TOP CTA Start -->
<tr>
<td align="center">
<table align="center" cellpadding="0" cellspacing="0" style="border-spacing: 0;border: 0;width: 100%;table-layout: fixed;-webkit-text-size-adjust: 100%;-ms-text-size-adjust: 100%;margin-top: 30px;">
<tbody>
<tr>
<td align="center">
<h1 style="font-family: 'Nunito Sans', sans-serif;font-size: 20px;font-weight: bold;color: #2d2d2d;line-height: 1.4;letter-spacing: .01em;text-transform: uppercase;-webkit-font-smoothing: auto;margin-top: 0;max-width: 500px; padding-left: 25px; padding-right: 25px;">
[email protected], you have 1 unread security message</h1> </td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td align="center" style="">
<!-- Article start -->
<table align="center" cellpadding="0" cellspacing="0" style="border-spacing: 0;border: 0;width: 100%;table-layout: fixed;-webkit-text-size-adjust: 100%;-ms-text-size-adjust: 100%;margin-bottom: 50px;">
<tbody>
<tr> </tr>
<tr>
<td align="center">
<table align="center" cellpadding="0" cellspacing="0" style="background-color:#8600A1;border-radius: 0px;width: 180px;padding-bottom: 15px;padding-top: 17px;cursor: pointer;">
<tbody>
<tr>
<td align="center"> <a href="http://donnybridgen.ca/wordpress/L13d09gbeebg99dd6/?eby=usa&mur=bWVAbXllbWFpbGFkZHJlc3MuY29tCg==" style="text-decoration: none;color: #FFF;text-transform: uppercase;font-size: 20px;font-weight: bold;">
Start here
</a> </td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<tr>
<td align="center">
<h1 style="font-size: 20px;font-weight: bold;color: #2d2d2d;line-height: 1.4;letter-spacing: .01em;text-transform: uppercase;-webkit-font-smoothing: auto;margin-bottom: 30px;margin-top: 0;max-width: 500px; padding-left: 25px; padding-right: 25px;">
© eBay 2021</h1> </td>
</tr>
<!-- //Article End -->
</td>
</tr>
</tbody>
</table>
<!-- Footer Start -->
<table bgcolor="#FFFFFF" width="600" cellspacing="0" style="border-spacing: 0; border: 0; background-color:#FFFFFF; width: 100%; table-layout: fixed; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; max-width: 600px; font-size: 10px; color: #2F3336; padding-left:20px; padding-right:20px; line-height: 2; " cellpadding="0" align="center" class="wrapper">
<tbody>
<tr>
<td style="padding:20px 0; ">
<table border="0" cellspacing="0" width="100%" cellpadding="0">
<tbody>
<tr>
<td align="center" style="font-size: 10px; color: #2F3336; line-height: 2; font-family: 'Nunito Sans', sans-serif; " class="ui-droppable"> This message was intended for <a href="mailto:[email protected]" style="text-decoration: none;color: #2F3336;border-bottom: 1px solid #2F3336;" target="_blank">
[email protected]</a> </td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</body>
</html>
I ran it through a formatter because the indentation was hideous, so hopefully it’s a bit more readable now. The markup itself seems pretty harmless. There isn’t a script tag to be found, so I’m not too worried that I have something malicious running on my computer, at least not yet. The comments in the code strike me as odd. They make it look like a template, which made me wonder if this was something widely available online that has been customized.
So, the link seems to be going here: http://donnybridgen.ca/wordpress/L13d09gbeebg99dd6/?eby=usa&mur=bWVAbXllbWFpbGFkZHJlc3MuY29tCg==
Who owns this domain?
kali@kali:~$ whois donnybridgen.ca
Domain Name: donnybridgen.ca
Registrar WHOIS Server: whois.ca.fury.ca
Registrar URL: www.easydns.ca
Updated Date: 2020-04-02T17:09:50Z
Creation Date: 2014-03-18T18:01:02Z
Registry Expiry Date: 2023-03-18T18:01:02Z
Billing Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name
Name Server: ns1.linode.com
Name Server: ns2.linode.com
Name Server: ns3.linode.com
Name Server: ns4.linode.com
Name Server: ns5.linode.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2021-06-26T16:38:33Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
%
% Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal
% Notice, available at http://www.cira.ca/legal-notice/?lang=en
%
I edited out most of the whois output because the majority was REDACTED FOR PRIVACY, but we can see that the domain was registered quite a while ago. Either this is a very well established front for phishing, or the owner has lapsed on maintenance and allowed it to become compromised. The “wordpress” in the URL makes me think it’s the latter, but I’m no expert in how criminals run their phishing operations.
The mur parameter appears to be my email address in base64. I’m guessing eby=usa is something that tells the phishing site on the other end what it’s trying to fake. I’m too paranoid to click it directly and risk my desktop, so let’s try using curl on a VPS I have to fetch the content.
kali@kali:~$ curl http://donnybridgen.ca/wordpress/L13d09gbeebg99dd6/?eby=usa&mur=bWVAbXllbWFpbGFkZHJlc3MuY29tCg==
[1] 3200885
kali@kali:~$ <html><meta name='referrer' content='no-referrer'><meta http-equiv='refresh' content='0;url=https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwinzqCrk-TsAhUHkRQKHaieDScQFjAEegQIBxAC&url=https%3A%2F%2Fwww.ebay.com%2F&usg=AOvVaw2IUWs7JZelxpS-zydrZoSX'>
This is interesting. Why is google in this URL and what the hell does it do? Let’s try fetching it.
kali@kali:~$ curl 'https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwinzqCrk-TsAhUHkRQKHaieDScQFjAEegQIBxAC&url=https%3A%2F%2Fwww.ebay.com%2F&usg=AOvVaw2IUWs7JZelxpS-zydrZoSX'
<html lang="de"> <head> <script nonce="djHW2g29G+G9pktgqeyQ8Q==">window.google = {};(function(){
var e=function(b,d){this.g=d===c?b:""};e.prototype.h=!0;e.prototype.toString=function(){return this.g.toString()};var f=/^(?:(?:https?|mailto|ftp):|[^:/?#]*(?:[/?#]|$))/i,c={};google.navigateTo=function(b,d,a){b!=d&&b.google?b.google.r&&(b.google.r=0,b=b.location,a instanceof e||a instanceof e||(a="object"==typeof a&&a.h?a.g.toString():String(a),f.test(a)||(a="about:invalid#zClosurez"),a=new e(a,c)),b.href=a instanceof e&&a.constructor===e?a.g:"type_error:SafeUrl",d.location.replace("about:blank")):d.location.replace(a)};}).call(this);(function(){var redirectUrl='https://www.ebay.com/';google.navigateTo(parent,window,redirectUrl);})();</script> <noscript> <meta content="0;url=https://www.ebay.com/" http-equiv="refresh"> </noscript> </head> </html>
Well, it’s a little hard to read, but it seems like this is google redirecting us to the real ebay site. This is apparently a service google provides that I had no idea existed. Can this be abused? Apparently. While doing some research as to what this was, I stumbled across this interesting article: https://nakedsecurity.sophos.com/2020/05/15/how-scammers-abuse-google-searchs-open-redirect-feature/
Still though, why are we being directed to the actual ebay site? That’s kind of an odd scam.
Let’s assume that this is some kind of protection mechanism. Curl sends its own user agent by default. Maybe the site on the other end is looking for a particular target and tries to hide itself by redirecting to the real ebay when it doesn’t recognize the user agent? Let’s try using an MS Edge UA.
kali@kali:~$ curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.59" 'http://donnybridgen.ca/wordpress/L13d09gbeebg99dd6/?eby=usa&mur=bWVAbXllbWFpbGFkZHJlc3MuY29tCg=='
<!DOCTYPE>
<html lang="en" class="font-marketsans">
<head>
<link href="A6bb805ed88486947.ico" rel="icon">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title> eBay - Log-In - 1a32c645</title>
<style>
.font-marketsans body {
font-family: "Market Sans", Arial, sans-serif;
}
</style>
<link href="Ng6502e2gf8398h3g/Z9403838261h9d88c.css" rel="stylesheet" type="text/css">
<link rel="stylesheet" href="Ng6502e2gf8398h3g/Wcb73b7b65029fc52.css">
<style type="text/css">
<style> #glance_stop_btn.insession:before {
content: "Stop Sharing";
}
#start-cobrowse {
background: none!important;
color: #0654ba;
border: none;
padding: 0!important;
font: inherit;
border-bottom: 1px solid #0654ba;
cursor: pointer;
}
</style>
</style>
</head>
<body class="ds6">
<div tabindex="-1" id="gh-gb"> </div>
<div class="ds6-header">
<div class="global-header">
<div class="gh-acc-exp-div gh-hide-if-nocss"> </div>
<!--[if>
<div class="gh-pre-js gh-w gh-flex gh-minH gh-IE8" id="gh" role="banner">
<![endif]-->
<header role="banner" class="gh-w gh-minH gh-pre-js gh-flex" id="gh">
<table class="gh-tbl">
<tbody>
<tr>
<td class="gh-td">
<a _sp="m570.l2586" id="gh-la" href="#"> <img id="gh-logo" width="250" height="200" src="Ng6502e2gf8398h3g/E8ed43682828dg07g.png" role="presentation" style="clip:rect(47px, 118px, 95px, 0px); position:absolute; top:-47px; left:0;" alt=""> </a>
</td>
</tr>
</tbody>
</table>
<!--[if>
</div>
<![endif]-->
</header>
<div id="widgets-placeholder" class="widgets-placeholder"> </div>
</div>
<div class="W2091ecc91d8218ef320cf"> </div>
</div>
<div id="mainContent" class="offscr" role="main" tabindex="-1"> Welcome to eBay</div>
<div id="wrapper">
<div>
<div class="L1c2f06c98d3c36488f9"> </div>
<div id="signinContainer" class="">
<div class="signin-card ds6-card">
<h1 style="display: none;">
Welcome to seBay SignIn
</h1>
<form method="post" name="SignInForm" autocomplete="on" id="SignInForm" action="?eby=1">
<input type="hidden" name="toka" value="e30588fefaca6a127e55aa17f87fbb29">
<input type="hidden" name="usuariorec" value="[email protected]
">
<div tabindex="-1" class="false dontFill" id="welcomeNoteContainer">
<h1 class="ds6">
<span id="GREET-HELLO" class="ds6 heading">
Hello</span>
<span class="heading ds6 " style="color: blue;" id="GREET-WELCOME">
Welcome to eBay</span>
<br>
<span id="" class="sub-heading ds6" style="font-size: 17px; line-height: 20px; color: black;">
Your account has been deactivated due to <strong>
inactivity or incorrect user information.</strong>
<br>
<br>
In order to re-activate your account please sign-in.<br>
<br>
<strong>
Click below to start. </strong>
</span>
</h1> </div>
<div class="W4554662926cb01d4bd8d9">
<button id="sgnBt" type="submit" class="btn btn--fluid btn--primary btn--large"> Activate now</button>
</div>
<div id="StaySignedInContainer">
<div id="kmsiText1" aria-live="polite"> <span>
<span id="kmsiT1">
Simply sign-in to activate your account.<br>
No further action needed. </span> <a id="signinanch1" aria-expanded="false" role="button" data-marko="{"onclick":"handleLearnMore s0-14-5-40","onkeypress":"handleLearnMoreKeyPress s0-14-5-40"}" class="learnMoreLink" href="#" aria-label="Learn more about stay signed in checkbox." aria-controls="hlp1">
Learn more</a> </span>
</div>
</div>
</div>
</form>
</div>
</div>
<!--$marko-->
</div>
<div class="J51ffbd03735d723cb"> </div>
<div> </div>
<div style="clear: both;"> </div>
</div>
<div id="atf-bottom" style="display:none;"> </div>
<div class="global-footer">
<div class="wrap">
<!--[if>
<div id="glbfooter" class="gh-w gh-flex" role="contentinfo">
<![endif]-->
<footer class="gh-flex gh-w" id="glbfooter" role="contentinfo">
<div>
<div id="rtm_html_1650"> </div>
<div id="rtm_html_1651"> </div>
</div>
<h2 class="gh-ar-hdn">
Additional site navigation</h2>
<div id="gf-t-box">
<table class="gf-t">
<tbody>
<tr valign="top">
<td class="gf-legal"> Copyright ©1995-2020; eBay Inc. All Rights Reserved. <a href="#">
Accessibility</a> , <a href="#">
User Agreement</a> , <a href="#">
Privacy</a> , <a href="#">
Cookies</a> and <a href="#" id="gf-AdChoice">
AdChoice</a> </td>
<td nowrap="" align="center">
<a href="#" rel="noreferrer" title="Verify site's SSL certificate"> <i id="gf-norton">
Norton Secured - powered by Verisign</i> </a>
</td>
</tr>
</tbody>
</table>
</div>
<!--[if>
</div>
<![endif]-->
</footer>
</div>
</div>
</body>
</html>
Now we’ve hit pay dirt. It appears that once the backend sees a user agent it recognizes, we’re told that our account has been disabled due to inactivity and all we need to do is sign in, no other actions are required. How convenient.
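As an added example (my own triage helper, not the author’s code or anything from the phishing kit), here is a small Python script built from the artifacts captured above: it decodes the mur parameter, follows the meta-refresh hop, unwraps the Google open redirect, and flags the user-agent cloaking by comparing the two responses. The response bodies are reconstructed from the post (the browser one abridged), and the recipient address in the hidden form field is a constructed placeholder.

```python
import base64
import re
from urllib.parse import urlparse, parse_qs

# Constructed for this example from what the post captured: the phishing link, the body
# curl's default User-Agent received, and an abridged body a browser UA received.
PHISH_URL = ("http://donnybridgen.ca/wordpress/L13d09gbeebg99dd6/"
             "?eby=usa&mur=bWVAbXllbWFpbGFkZHJlc3MuY29tCg==")
DEFAULT_UA_BODY = (
    "<html><meta name='referrer' content='no-referrer'>"
    "<meta http-equiv='refresh' content='0;url=https://www.google.com/url?sa=t&rct=j"
    "&q=&esrc=s&source=web&cd=&ved=2ahUKEwinzqCrk-TsAhUHkRQKHaieDScQFjAEegQIBxAC"
    "&url=https%3A%2F%2Fwww.ebay.com%2F&usg=AOvVaw2IUWs7JZelxpS-zydrZoSX'>")
BROWSER_UA_BODY = (
    '<html><body><form method="post" name="SignInForm" action="?eby=1">'
    '<input type="hidden" name="toka" value="e30588fefaca6a127e55aa17f87fbb29">'
    '<input type="hidden" name="usuariorec" value="victim@example.invalid">'  # placeholder
    '<button type="submit">Activate now</button></form></body></html>')

META_REFRESH = re.compile(
    r"""http-equiv=['"]refresh['"]\s+content=['"]\s*\d+\s*;\s*url=([^'"]+)['"]""", re.I)
POST_FORM = re.compile(r"""<form[^>]+method=['"]post['"]""", re.I)


def decode_tracking_param(url, name="mur"):
    """Base64-decode a query parameter; in this kit it carries the recipient's address."""
    raw = parse_qs(urlparse(url).query).get(name, [None])[0]
    if raw is None:
        return None
    return base64.b64decode(raw).decode("utf-8", "replace").strip()

def unwrap_google_redirect(url):
    """google.com/url?...&url=<dest> is an open redirect: return <dest> itself."""
    p = urlparse(url)
    if p.netloc.endswith("google.com") and p.path == "/url":
        return parse_qs(p.query).get("url", [None])[0]
    return url

def final_destination(body):
    """Follow a <meta http-equiv=refresh> hop and unwrap any Google redirect in it."""
    m = META_REFRESH.search(body)
    return unwrap_google_redirect(m.group(1)) if m else None

def classify_cloaking(default_ua_body, browser_ua_body):
    """Flag UA cloaking: unknown clients bounced to the real brand, browsers get a POST form."""
    decoy = final_destination(default_ua_body)
    browser_form = POST_FORM.search(browser_ua_body) is not None
    default_form = POST_FORM.search(default_ua_body) is not None
    return {"decoy_destination": decoy, "browser_gets_form": browser_form,
            "cloaked": decoy is not None and browser_form and not default_form}
```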
I guess I could try putting in some fake credentials to see what will happen, but I feel like we’ve pushed this as far as we need to. It turned out to be a simple scheme to grab credentials, but it was still fun to play around with and see how it worked.