Skip to content →

Davide Cioccia Posts

Phishing Attack #2 – TIM – WIND phishing attack analysis

Phishing attacks are becoming more and more accurate and well-done thanks to the huge numbers of website that accept payments via CC (Credit Card). Telco operators are one of the favorites target of cybercriminal because of the amount of financial data required to activate a plan, top up your credit or buy a new phone online. Italian Telco operators TIM and WIND are not new of these attacks. Below a brief analysis of the clone-kit (ready to use kit uploaded by criminals to easily create a phishing website in a few seconds).

The email received by the target is showed below

Screen Shot 2016-05-14 at 7.53.56 PM

Clicking on the link the websites shows the form to fill to recharge your phone and have 50 euros for free.

Screen Shot 2016-05-14 at 7.54.06 PM

Going deeper, and analyzing the URL it’s possible to retrieve more informations and see that the server presents several holes to hack into it. Found! The clone-kit is still there.Let’s have a look on it.


Screen Shot 2016-05-14 at 8.02.37 PM


The kit is composed by many files,but the logic is inside the .php files:

  • best.php
  • secure.php
  • done.php


best.php is the first one who is responsible to generate the random URL viewed by the user.

Screen Shot 2016-05-14 at 8.06.28 PM

secure.php is responsible to save the collected informations like:

  • phone number
  • CC number
  • CCV
  • Expiration date

And to show the Verified by Visa PIN request to authorize the payments.
Screen Shot 2016-05-14 at 8.09.35 PM

The informations are still inside the page, ready to be sent to the last file “done.php”
Screen Shot 2016-05-14 at 8.12.15 PM

The code shows that the PIN is acquired and sent to the next page done.php, responsible to save/send the leaked data. As we can see from the code below the data are stored inside an HTML file on the hacked server and sent by email to the “phisher”.


Screen Shot 2016-05-14 at 8.13.32 PM

Reading the file on the web server is possible to retrieve all the victims’ CC data.

The first raw is an example triggered by the attacker to check if everything works fine.

Screen Shot 2016-05-14 at 8.15.08 PMScreen Shot 2016-05-14 at 8.15.08 PM


Be careful. Phishing is the most simple but the must effective attack.








Leave a Comment



CryptoLocker was a ransomware trojan which targeted computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers. The malware then displays a message, which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatened to delete the private key if the deadline passes. If the deadline is not met, the malware offered to decrypt data via an online service provided by the malware’s operators, for a significantly higher price in Bitcoin”(Wikipedia)

Infection Process

The CryptoLocker infection process start when the Microsoft Office Word is opened. Microsoft allow users to inject a macro scripting code inside documents, and give the possibility to execute it automatically when the document is opened.

“A macro is a series of commands and actions that help to automate some tasks – effectively a program but usually quite short and simple. However they are created, they need to be executed by some system which interprets the stored commands” (Wikipedia)

Analyzing the documents we received through a suspicious mail we extract the macro inside. The macro used by hackers to infect the machine is a Visual Basic module that is able to create new files inside the TEMP folder and download the real malware from a C&C server through an HTTP GET request. To avoid antivirus detection the malware is represented by a .PNG image containing a VB code inside.

Here is a sample took from the original macro that show how the malware can communicate with his C&C server and how the code is obfuscated.


Many characters are obfuscated (xx) on purpose. The macro we found inside is a VB macro with many functions to hook the malware and download the real .exe from another server.

After the dropper executes the malware the system is encrypting the personal files with public PGP key and storing the private key in the CC server with time bomb.



Leave a Comment


During last few years banks, and different financial institutions, have been trying to protect or prevent fraud and cyber-attacks from accessing their customers’ credentials. They increased security and login factors to avoid these kind of problems. One of these is the Two Factor Authentication (2FA), used to “help” username and password to protect the bank account.

However today, this system is hackable by malicious users. Trend Micros said:

“The attack is designed to bypass a certain two-factor authentication scheme used by banks. In particular, it bypasses session tokens, which are frequently sent to users’ mobile devices via Short Message Service (SMS). Users are expected to enter a session token to activate banking sessions so they can authenticate their identities. Since this token is sent through a separate channel, this method is generally considered secure”.

This article is a real User Case of this kind of malicious software. During our recent malware analysis targeting Italian financial institutions, we found a very powerful piece of it that can bypass the 2FA with a malicious app in- stalled on the phone. Malware like this can drive the user to download the fake application on their phone from the official Google Play Store, using a Man in the browser attack (MITB). Once on the user’s PC, the attacker can take full control of the machine and interact with him through a Command and Control (C&C) server. What we explain in this article is a real active botnet with at least 40-compromised zombie hosts.


During the last few days, we are seeing criminals developing more sophisticated solutions and have increasing knowledge in mobile and web programming. This scenario is increasing throughout the en- tire world; though concentrated mostly in Europe. Criminals are developing solutions to bypass the 2FA used by the 90% of banks developing “legal” application published in the Google Play Store and Apple App Store. These applications can steal information on the phone, intercept and send it over the network silently. The last operation named “Operation Emmenthal”, discovered by Trend Micro is acting in just this way. In this section, we will discover how a criminal can force a user to download and install the mobile application.

When malware infects the machine, and the user navigates to the online banking platform, a MITB at- tack starts injecting JavaScript code inside the browser. This injection modifies some data in the page while keeping the same structure. During the navigation the hacked website will invite the user to down- load the fake application, explaining all the steps to insert their bogus data. The app can be downloaded in two different ways:

SMS (inserting your number in the fake form you will receive an SMS with the download link from the store)


Leave a Comment



Another compromised hostname “” is acting like drop-zone for stolen data from eight different Italian banks. The analysis of this drop-zone reveal a custom web application focused for info stealing. They steal a credit card details from the infected users using a phishing attack.


Behind the password protected front-end we reveal a custom-made web application specially designed to store the Credit Card numbers encrypted.

The first page shows a page built whit a JQuery plugin to create AJAX based CRUD tables, where, on the left side there is the list of all the targeted banks and on the right side we have a list of all stolen accounts sent by the malware to this drop-zone.

Schermata 2014-11-15 alle 09.23.35


All saved data are encrypted through a block cypher algorithm (AES). Selecting the row you can see all the encrypted data sent by the malware. Without the right decryption key is impossible to read them. Here a sample.

Schermata 2014-11-15 alle 09.23.51

During the static JavaScript code analysis we found the code to encrypt and decrypt “key” used by hackers. This two functions use two methods declared in the same file called “encipher” and “decipher” that realize the encryption/decryption operation.

Schermata 2014-11-15 alle 09.24.11

To understand what kind of data the hackers steal, we decoded all the client side code in the page. In one of this we found the key used to perform the encryption.

Here we can see how the hackers are using this code to decrypt data directly from the control panel.

As you can see, we marked in red a new hidden function to generate random encryption key and to decrypt the selected data. This functionality is available through a hidden keyboard keys combination (Ctrl+Alt+F) and has been discovered during the static code analysis of obfuscated JavaScript code. Here is a sample of the analyzed code:

One Shot Eight Bank

var key = “b2feba4ede38f4e8f71cf61e1672b37366b6b932ec699ed3a3b5d1e73849e11eda88728240e1d54d074a4c48e2f8baeb 8db47b1ede1”;


Leave a Comment