Researchers Find Phishing Site Encrypted with AES

[Exterminator]

Scammers chasing Apple credentials and payment card information have ramped up their efforts to hide their phishing page by encrypting it with AES.

Researchers at Ring 0 Labs disclosed details about the operation last week, pointing out that the criminals behind this activity are buffering a fairly weak email campaign with a technique adept at side-stepping website scanners and reputation services that might flag the site as malicious.

“This technique uses AES encryption instead of B64 or simple XOR routines write new content to the page at load time,” said a Ring 0 Labs representative in an email to Threatpost. “Since this is a newer technique, it can be fairly effective at avoiding scanning services and crawlers that aim to detect these types of sites. But like anything, these services will surely catch on to this technique and adapt accordingly.”

It’s unknown how widespread this campaign is; Ring 0 Labs said a sample of the phishing email was submitted anonymously. The use of AES in this manner is a first, Ring 0 Labs said.

“Encrypting the page isn’t very different than Base64 encoding the contents of the page and using an eval statement to write a new DOM tree at load time,” Ring 0 Labs said. “While this encryption technique is very cool to me (simply because I haven’t seen it in the wild before), URL scanning services will surely catch on to this emerging technique and modify their scanning techniques to detect this activity.”

The email sample entices the victim to open an attachment with a message about a recent purchase made through Apple. The attachment purports to be a receipt from Apple sent as a Microsoft Office PowerPoint document. Ring 0 Labs’ analysis shows there are two URLs shortened using the Twitter and bit.ly shortening services. One of the shortened URLs, done so with Twitter’s service, resolves to another site shortened with the bit.ly service before ultimately redirecting to the phishing site.

“The email itself is not very convincing. The user who submitted the file stated that the original email text was poorly written English,” Ring 0 Labs said. “The email also claimed to be from Apple and stated that the user’s ‘receipt’ is in the attached PowerPoint document. This is obviously very odd behavior.

“The contents of the PowerPoint document looked like a semi-legitimate receipt from Apple (and all the math added up correctly I believe.) The real convincing part is the website design. It is spot on for color, grammar, and layout and appears to be a real Apple portal.”

The site is not only convincing, but it’s contained within a single variable that is AES encrypted, Ring 0 Labs said. The page is decrypted as it loads a function called AES.Ctr.decrypt; this allows the page to bypass signature scanning services, the researchers said.

Ring 0 Labs said it believes the AES encryption helps the phishing site avoid automated reputation crawlers that scan pages for malicious content and essentially blacklist these sites.

“By using this AES encryption technique the site is able to remain hidden for a little longer without detection by these systems,” Ring 0 Labs said in its report. “There are numerous techniques to obfuscate webpages with JavaScript and other methods. I have seen a ton of these techniques, but this just happens to be one that I have not seen before.”

The phishing site asks the victim to log in with their Apple credentials and then presents a message to the user that their account is locked and additional information is required to retrieve the account. The victim then is asked a number of questions whose intent is to retrieve personal information before asking for payment card information.

 

[Wingman]

Seen this quite a bit on banking related phishing links. Since the AES decrypion function is also called on the same page and it is publicly available it is really easy to decrypt and reveal the true content via using tools such as jsdetox etc