Support-apple-com-fr-retail-ipad-verification2013-personalsetup-dalatgap-com

From aldeid
Jump to navigation Jump to search

Description

I'm always curious about phishing campaigns... This one is about fake Apple emails asking sensitive information (banking and personal) to complete their inventory...

Email

What we have from the initial email:

Mailing-com.png

Fake-apple-email.png

Redirection to the phishing website

Cossuauto.png

The website itself (www.cossuauto.nl) seems legtimate and related to cars. Attackers have probably found a vulnerability on the website and have left a config.php file on it to perform the redirection to their phishing website:

$ nc www.cossuauto.nl 80
GET /config.php HTTP/1.1
Host: www.cossuauto.nl

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: text/html
Server: PCX/No-Cache
Transfer-Encoding: chunked
Date: Wed, 13 Nov 2013 12:29:37 GMT
Age: 0
Connection: keep-alive
X-Cache-Hit: No
X-Cache: 1615577306

007f
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://support.apple.com.fr.retail.ipad.verification2013.personalsetup.dalatgap.com">
0

The domain (support.apple.com.fr.retail.ipad.verification2013.personalsetup.dalatgap.com) seems not to have a poor reputation:

Support-apple-com-fr-retail-ipad-verification2013-personalsetup-dalatgap-com-reputation.png

...though identified as a phishing site by Google Chrome:

Support-apple-com-fr-retail-ipad-verification2013-personalsetup-dalatgap-com-phishing-google-chrome.png

First form: credit card information

As for many phishing websites, the page is composed of images instead of real menus and links, and a form:

Support-apple-com-fr-retail-ipad-verification2013-personalsetup-dalatgap-com-form1.png

The webpage imports JQuery libraries to check user inputs:

<script src="images/jquery.js" type="text/javascript"></script>
<script src="images/validate.js" type="text/javascript"></script>

and obfuscates the part of the code that is the field description/controls:

Support-apple-com-fr-retail-ipad-verification2013-personalsetup-dalatgap-com-form1-obfuscation.png

Once deobfuscated, the code becomes:

//document.write (s)  <SCRIPT type="text/javascript">
 $(document).ready(function () {
     $("#cmxform").validate({
         rules: {
             ccn: {
                 required: true,
                 creditcard: true,
                 number: true,
                 maxlength: 16,
                 minlength: 16,
             },
             ExpMonth: {
                 required: true,
                 number: true,
             },
             ExpYear: {
                 required: true,
                 number: true,
             },
             cvv: {
                 required: true,
                 number: true,
                 maxlength: 4,
                 minlength: 3,
             },
         },
         messages: {
             ccn: {
                 required: "Veuillez entrer le numero valide de votre carte de credit!",
                 maxlength: "16 numros ",
                 minlength: "16 numros ",
             },
             ExpMonth: "Entrez date de fin de validit ",
             ExpYear: "Entrez date de fin de validit ",
             cvv: {
                 required: "Veuillez entre le cryptogramme visuel de votre carte de credit CVV2",
                 maxlength: "3 numros ",
                 minlength: "3 numros ",
             },
         }
     });
 }); < /SCRIPT>

The form ensures that the credit card number is valid (based on http://jqueryvalidation.org/creditcard-method).

Second form: personal information

Once the first form is submitted, you're redirected to a second form, asking for personal information (last name, first name, birthdate, address, city, postal code, phone number).

Support-apple-com-fr-retail-ipad-verification2013-personalsetup-dalatgap-com-form2.png

  • Notice that the phone number is required though indicated as an optional data in the form :)
  • The form makes use of the same obfuscation mechanism as for the previous form
  • There is a typo on the "code postale" field (there is no "e")

Third form: banking information

The third form asks for banking information and a password:

Support-apple-com-fr-retail-ipad-verification2013-personalsetup-dalatgap-com-form3.png

  • This page does not obfuscate the form controls
  • There is a predefined list of 4 choices for the secret question:

Support-apple-com-fr-retail-ipad-verification2013-personalsetup-dalatgap-com-form3-secret-question.png

Fourth form: email address and password

The last form is asking for the email address along with a password. It is not precised what the password should correspond to but I guess it should be your email password :)

Support-apple-com-fr-retail-ipad-verification2013-personalsetup-dalatgap-com-form4.png

Confirmation and redirection to Apple's website

Once the previous form submitted, you're displayed a confirmation message (with a lot of typos) before being redirected to the Apple's website.

Support-apple-com-fr-retail-ipad-verification2013-personalsetup-dalatgap-com-confirmation.png

Support-apple-com-fr-retail-ipad-verification2013-personalsetup-dalatgap-com-apple-final-stage.png

Comments