Dissecting a Phishing Campaign with a Captcha-based URL

In today’s environment, much of the population are doing their banking or financial transactions online with online banking and wire transfers have become a huge necessity. Recently, we received a phishing email that is targeting PayPal accounts that uses a captcha to avoid detection.

The email header contains an alarming subject and the From: address is a spoofed PayPal-like domain.

The Message-Id is also highly suspicious as it uses web hosting site DreamHost which is not related to PayPal.

The body of the email explains that there is a report of an unauthorized activity linked to the PayPal account that has caused PayPal to limit use of the account.

At the end of the email body, it asks the victim to log-in to their Paypal account with a clickable link that leads to a phishing site hxxps://mbj[.]unimap[.]edu[.]my/wp-includes/css/dist/ppllll/

Upon clicking the link in the email, the browser is redirected to an initial page that uses a captcha before proceeding to the final phishing page.

Looking at the source-code of the phishing captcha page, it was inserted with French folklore ‘Bluebeard’ to make the code longer and not get easily detected.

Moreover, the captcha checking in the phishing page is done in the script ‘signin.js’.

This JavaScript file contains several functions dedicated to captcha checking that includes using predefined math methods for checking the length of the string and character matching of the captcha or even to produce a new captcha.

Finally, there is a malicious ‘xscex.js’ that is responsible for the captcha submission.

The id ‘xyssubmitsecx’ under the button tag will trigger the execution of the ‘xscex.js’ which eventually redirects to the actual PayPal phishing site. The button tag also has a value that contains German words “Ich bin kein Roboter” and when translated in English means “I am not a robot”.

Using the Fiddler tool, we can also see the exact resource URL of the malicious js file.

Once the correct captcha has been entered, it will proceed to the final phishing URL redirection that uses the same domain, yet a different path:

hxxps://mbj[.]unimap[.]edu[.]my/wp-includes/css/dist/ppllll/app/signin

Looking closer at the source-code of the actual “log-in” page of PayPal phishing site, we see it also contains some useless salad words. Interestingly, the code indicates an author named ‘morpheous’. We can also see a hex value at the top or beginning of the source-code of the redirected page.

Upon further analysis, we found another file ‘xappx.css’ that checks for hex value in the content of a file that serves as an indicator if the character input or log-in was a success or failure.

Complete infection chain:

hxxps://mbj[.]unimap[.]edu[.]my/wp-content/ppllll/app/

 ->  https://mbj[.]unimap[.]edu[.]my/wp-content/ppllll/app/index

                ->  https://mbj[.]unimap[.]edu[.]my/wp-content/ppllll/app/captcha

                                -> hxxps://mbj[.]unimap[.]edu[.]my/wp-includes/css/dist/ppllll/app/signin

Upon investigating the domain hxxps://mbj[.]unimap[.]edu[.]my/, we found that it is a compromised blog site. Using a compromised URLs is a common technique in phishing attacks.

At the time of analysis, we saw about a dozen samples of the PayPal phishing email that contains the same email subject “Your PayPal account is temporarily limited” and contains links to the captcha-based phishing pages. A large number of samples were seen in January and another one sample was spotted in February.

To wrap up, this analysis outlines an example of captcha-based phishing. While using captcha in phishing is not new, there has been a recent uptick in its use. The phishers are gravitating towards captchas to avoid automated phishing page discovery tools. While Trustwave MailMarshal defends against this phishing campaign, this type of obfuscation and evasion to prevent detection has a long tradition among cybercriminals. This is why “defense in depth” and layered security controls are essential.

In the end, our last line of defense is often the user behind the keyboard, which is why ongoing Security Awareness training that includes phishing identification is an essential component for any information security program.