I'm always curious about phishing campaigns... This one is about fake Apple emails asking for sensitive information (banking and personal details) in order to "complete their inventory"...
What we have from the initial email:
- It is sent from [email protected]
- The link points to http://www.cossuauto.nl/config.php
Redirection to the phishing website
The website itself (www.cossuauto.nl) seems legitimate and related to cars. The attackers have probably exploited a vulnerability in the site and dropped a config.php file on it that redirects visitors to their phishing website. Fetching the file without a browser shows the redirection is a plain HTML meta refresh, not an HTTP 3xx:
$ nc www.cossuauto.nl 80
GET /config.php HTTP/1.1
Host: www.cossuauto.nl

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: text/html
Server: PCX/No-Cache
Transfer-Encoding: chunked
Date: Wed, 13 Nov 2013 12:29:37 GMT
Age: 0
Connection: keep-alive
X-Cache-Hit: No
X-Cache: 1615577306

007f
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://support.apple.com.fr.retail.ipad.verification2013.personalsetup.dalatgap.com">
0
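To check this kind of redirection without a browser (and without visiting the final site), here is an added Python example that is not part of the original post: it parses the raw HTTP/1.1 response above, decodes the chunked body (the 007f chunk size is exactly the 127 bytes of the META tag) and extracts the meta-refresh target, falling back to a Location header for ordinary 3xx redirects. The response bytes are re-typed from the nc capture above, so treat them as constructed input (CRLF line endings are assumed, nc does not show them). The registrable-domain helper uses a naive last-two-labels rule, which is enough for this hostname but not for country-code second-level domains; real tooling should use the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# The response captured above with nc, re-typed as bytes (constructed input:
# CRLF line endings are an assumption, the terminal capture does not show them).
CAPTURED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Vary: Accept-Encoding\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: PCX/No-Cache\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Date: Wed, 13 Nov 2013 12:29:37 GMT\r\n"
    b"Age: 0\r\n"
    b"Connection: keep-alive\r\n"
    b"X-Cache-Hit: No\r\n"
    b"X-Cache: 1615577306\r\n"
    b"\r\n"
    b"007f\r\n"
    b'<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://support.apple.com.fr.retail.ipad.verification2013.personalsetup.dalatgap.com">\r\n'
    b"0\r\n"
    b"\r\n"
)


def split_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def dechunk(body):
    """Decode a Transfer-Encoding: chunked body: hex size line, data, CRLF, ..., then a 0 chunk."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)  # drop any chunk extension
        pos = eol + 2
        if size == 0:
            break  # last chunk; trailers, if any, are ignored here
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data
    return bytes(out)


# <meta http-equiv="refresh" content="N;url=TARGET">, case-insensitive, quotes optional
META_REFRESH = re.compile(
    rb"""<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*"""
    rb"""content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""",
    re.IGNORECASE,
)


def redirect_target(raw):
    """Return ("location", url) for an HTTP redirect, ("meta-refresh", url) for an
    HTML meta refresh, or None when the response does not redirect."""
    status, headers, body = split_response(raw)
    code = status.split()[1]
    if code in {"301", "302", "303", "307", "308"} and "location" in headers:
        return "location", headers["location"]
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    m = META_REFRESH.search(body)
    if m:
        return "meta-refresh", m.group(1).decode("latin-1")
    return None


def registrable_domain(url):
    """Naive owner domain: the last two host labels (assumption: no Public Suffix List)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


if __name__ == "__main__":
    kind, url = redirect_target(CAPTURED)
    print(kind, url)
    print("registrable domain:", registrable_domain(url))
```

Run stand-alone it prints the meta-refresh target and `dalatgap.com`, which is the only part of that long hostname the attacker actually had to register; everything in front of it is just subdomain labels chosen to look like support.apple.com.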
The hostname (support.apple.com.fr.retail.ipad.verification2013.personalsetup.dalatgap.com) is built to read like support.apple.com, but the registered domain is dalatgap.com; everything before it is subdomain labels chosen by the attacker. At the time of writing the domain does not seem to have a poor reputation:
...though Google Chrome already flags it as a phishing site:
First form: credit card information
As with many phishing websites, the page is built from images instead of real menus and links, plus a form:
The web page imports jQuery and the jQuery Validation plugin to check user input:
and obfuscates the part of the code that defines the field descriptions and validation rules:
Once deobfuscated, the code becomes:
The form checks that the credit card number passes the plugin's creditcard method (http://jqueryvalidation.org/creditcard-method), i.e. a Luhn mod-10 checksum over the digits once spaces and dashes are stripped. The kit therefore filters out junk input client-side before anything is sent to the attacker.
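As an added illustration (not code from the kit or from the original post), here is a Python re-implementation of that creditcard rule, together with the complement an analyst wants when walking through such a kit with fake data: a check-digit helper that produces a number the form will accept without involving a real card. The helper names are mine. Newer releases of the plugin also require 13 to 19 digits; that bound is made optional here because the page does not show which plugin version the kit bundles.

```python
import re


def jquery_creditcard_valid(value, enforce_length=False):
    """Mirror of jQuery Validation's 'creditcard' method.

    Accepts only digits, spaces and dashes, strips the separators and runs the
    Luhn mod-10 checksum.  enforce_length adds the 13..19 digit bound that newer
    plugin releases apply (assumption: off, the kit's plugin version is unknown).
    """
    if re.search(r"[^0-9 \-]", value):
        return False
    digits = re.sub(r"\D", "", value)
    if not digits:
        return False
    if enforce_length and not 13 <= len(digits) <= 19:
        return False
    total = 0
    double = False  # the rightmost digit is never doubled
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
        double = not double
    return total % 10 == 0


def luhn_check_digit(partial):
    """The single digit that makes partial + digit pass the Luhn test."""
    for d in "0123456789":
        if jquery_creditcard_valid(partial + d):
            return d
    raise ValueError("partial must contain only digits")


def make_test_number(prefix="4111", length=16):
    """Deterministic Luhn-valid dummy number: prefix, zero padding, check digit.

    Assumption: only meant to exercise a form's client-side check; it is not a
    real PAN and will fail any issuer-side validation.
    """
    body = (prefix + "0" * length)[:length - 1]
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    for sample in ("4111 1111 1111 1111", "4111 1111 1111 1112", "4111x111 1111 1111"):
        print(repr(sample), jquery_creditcard_valid(sample))
    print("dummy number accepted by the form:", make_test_number())
```

The point of the generator is analytic, not offensive: a checksum-valid dummy number lets you reach the second and third forms of the kit and record what they ask for, without submitting anything real.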
Second form: personal information
Once the first form is submitted, you're redirected to a second form asking for personal information (last name, first name, date of birth, address, city, postal code, phone number).
- Notice that the phone number is required even though the form marks it as optional :)
- The form uses the same obfuscation mechanism as the previous one
- There is a typo in the "code postale" field (the correct French spelling is "code postal", without the "e")
Third form: banking information
The third form asks for banking information and a password:
- This page does not obfuscate the form validation rules
- There is a predefined list of 4 choices for the secret question:
Fourth form: email address and password
The last form asks for the email address along with a password. It is not specified which password is meant, but I guess it is the email account password :)
Confirmation and redirection to Apple's website
Once the last form is submitted, a confirmation message (with a lot of typos) is displayed before you are redirected to the real Apple website.