An Innovative Phishing Style

A few weeks ago, I added one of the many scammers trying to phish people on Steam. Usually I block them as soon as they drop their phishing link, but this particular website was pretty innovative (at least to me) in its attempt.

The chat seemed straightforward: the scammer wanted to give me an obviously profitable trade (they did keep trying to get me to add them on Discord for some reason). Near the end of the “trade” discussion, they asked me to log in to a convenient Steam backpack pricing website so they could get an idea of how much my stuff was worth.

The site in question was our fancy phishing website, https://tradeit.cash. The website was essentially a copy of a legitimate Steam skin trading website, https://skins.cash.

tradeit.cash Screenshot

skins.cash Screenshot (Good on them for the warning!)

The website was hosted nicely on CloudFlare and the domain name registered with Namecheap. They even opted for the CloudFlare certificate! No room for corner cutters in this phish market.

Now, on to the trick. The site had a little JS chunk which would open a pop-up saying that the server was under high load and asking you to log in with Steam to access the site.

Screenshot: the “server under high load” pop-up

Logging in with Steam launches a pop-up opening the Steam website so you can authenticate via OpenID.

Login with Steam Pop-up

I was expecting this to be a scam, so I was adequately confused looking at the absolutely normal-looking pop-up. I tried Chrome DevTools to check out what was happening to make it look so good. Surprisingly, I ran into an anti-debugging script. Definitely not what I expected from a run-of-the-mill phishing website, but combined with the curious pop-up, this was looking well built.

I managed to extract and partially deobfuscate some JS which was trapping the debugger, but it didn’t seem like the whole thing. I moved on with some good old fashioned viewing of the page source… which turned up a heap more obfuscated JS.

Almost giving up hope, I accidentally hovered over the Chrome icon in my taskbar and just happened to realize that the “pop-up” had not resulted in two instances of Chrome in the taskbar. The whole thing was just a drawn-up window inside the phishing website! They had even made some clickable buttons for the Chrome UI elements. This was confirmed by right-clicking on the title bar area of the pop-up, which opened the right-click context menu of a web page instead of the window menu. Because the “window” is ordinary page content, the address bar and padlock it shows are whatever the attacker painted; only the real browser’s address bar, outside the page, tells you where you actually are. Still a mystery to me as to why a page like this would want to add anti-debugging measures, though.

Classic phishing detection – Right click the title bar

Definitely a unique phishing website experience for me, but on googling some of the more interesting strings from the JavaScript (“debug322”, mainly [possible 322 reference?]), there were truckloads of similar-looking websites. I couldn’t confirm the match, since they were no longer live and I was only running into cached versions of the pages. Nevertheless, a fascinating journey.

If anyone is able to deobfuscate and make sense of the JS snippets, I would love to know what they were doing. As far as I could tell, the debugger trap was basically calling the debugger function if it detected a running debugger. The other, larger JS block I’m completely clueless about. However, there were a few more fun things in the mix!
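As an added example (not code recovered from the phishing page, which the post could only partially deobfuscate), here is the usual shape of such a trap: a timing check around a `debugger` statement, which does nothing unless DevTools is attached and pauses on it. The 100 ms threshold, the one-second interval and the `Function('debugger')` construction are assumptions about how this class of trap is commonly built, not facts about tradeit.cash. The last function shows how an analyst neutralises that construction from the console.

```javascript
// Added example of a timing-based debugger trap; not code recovered from the
// phishing page. The threshold and interval below are assumptions.
const PAUSE_THRESHOLD_MS = 100; // assumption: a human resuming a breakpoint takes longer

// Core check: `debugger` is a no-op unless a debugger is attached and pauses
// here, in which case the wall-clock gap across it is the time the analyst
// spent paused. Returns true when such a pause was observed.
function debuggerPauseDetected(thresholdMs = PAUSE_THRESHOLD_MS) {
  const started = Date.now();
  debugger; // no-op without an attached debugger
  return Date.now() - started > thresholdMs;
}

// The trap as a hostile page would run it: re-check on a timer and react once
// a pause is seen (a real page might blank the DOM or redirect). The timer
// handle is returned so the loop can be stopped.
function startDebuggerTrap(onDetected, intervalMs = 1000) {
  const timer = setInterval(() => {
    if (debuggerPauseDetected()) {
      clearInterval(timer);
      onDetected();
    }
  }, intervalMs);
  return timer;
}

// Analyst side. Obfuscated traps commonly avoid a literal `debugger` statement
// in the source and build it at run time via (function(){}).constructor('debugger')(),
// i.e. the Function constructor. Replacing that constructor, both as the global
// and on Function.prototype (which is what `.constructor` resolves to), turns
// such bodies into no-ops while every other dynamically built function keeps
// working. In DevTools, "Deactivate breakpoints" (Ctrl+F8) covers literal
// statements the same way.
function neutraliseFunctionCtorTrap() {
  const OriginalFunction = Function;
  function SafeFunction(...args) {
    const body = args[args.length - 1];
    if (typeof body === 'string' && /\bdebugger\b/.test(body)) {
      return function () {}; // swallow the trap
    }
    return OriginalFunction(...args);
  }
  Function.prototype.constructor = SafeFunction;
  globalThis.Function = SafeFunction;
  return OriginalFunction; // kept so the patch can be reverted
}
```

Run in a plain Node process (no inspector attached) `debuggerPauseDetected()` returns false; pasted into the DevTools console of a page that uses this construction, `neutraliseFunctionCtorTrap()` lets you set breakpoints without the page reacting.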

Although the folks had stopped the scam warning (visible in the original skins.cash screenshot) from popping up on the phishing website, they didn’t bother to change its text, which still says skins.cash.

Always check the URL!

Most of the HTML source was directly lifted from skins.cash, but they did change the logo on the top left… by switching to an imgur link!

Not to mention all these other assets generously hosted by Steve (Hi Steve!).

Screenshot: page-source asset URLs on the third-party hosting domain

The above domain also just happens to contain a whole host of similar images, probably enough material for another blog post some day.
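The tells described above (leftover strings naming the cloned site, a logo hot-linked from imgur, the rest of the assets pulled from an unrelated domain, an inline script carrying a debugger trap, and a “URL” that is really element text in a fake address bar) can be checked mechanically on a saved copy of a page. The following is an added example, not tooling from the post; the HTML it runs over is constructed for the example, and cdn.example-assets.net is a placeholder, not the real third-party host.

```javascript
// Added example: static triage of a saved phishing page for the tells the
// post describes. SAMPLE_HTML is constructed for this example and is not the
// real tradeit.cash source; cdn.example-assets.net is a placeholder host.
const SAMPLE_HTML = `
<html><head><title>Sell CS:GO skins instantly</title>
<link rel="stylesheet" href="https://cdn.example-assets.net/css/main.css">
<script src="https://cdn.example-assets.net/js/app.js"></script>
<script>setInterval(function () { debugger; }, 500);</script>
</head><body>
<a href="https://tradeit.cash/faq">FAQ</a>
<img class="logo" src="https://i.imgur.com/abc123.png">
<div id="scam-warning" style="display:none">
  Warning: skins.cash will never ask you to log in on another site.
</div>
<div class="fake-window">
  <div class="titlebar">https://steamcommunity.com/openid/login</div>
</div>
</body></html>`;

// Returns a list of findings for html served as pageHost but copied from
// originalHost. Regex-based on purpose: it runs on a saved file, offline.
function findPhishTells(html, pageHost, originalHost) {
  const tells = [];
  let m;

  // 1. Assets loaded from hosts other than the page itself: a cloned site
  //    typically hot-links images and scripts rather than hosting them.
  const assetRe = /(?:src|href)=["']https?:\/\/([^/"'\s]+)[^"']*["']/gi;
  const offsite = new Map();
  while ((m = assetRe.exec(html)) !== null) {
    const host = m[1].toLowerCase();
    if (host !== pageHost.toLowerCase()) {
      offsite.set(host, (offsite.get(host) || 0) + 1);
    }
  }
  for (const [host, count] of offsite) {
    tells.push({ kind: 'offsite-asset-host', host, count });
  }

  // 2. Leftovers naming the site that was copied.
  if (html.toLowerCase().includes(originalHost.toLowerCase())) {
    tells.push({ kind: 'original-brand-leftover', value: originalHost });
  }

  // 3. Inline scripts (no src attribute) containing a debugger statement.
  const inlineScriptRe = /<script(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = inlineScriptRe.exec(html)) !== null) {
    if (/\bdebugger\b/.test(m[1])) {
      tells.push({ kind: 'inline-debugger-trap' });
    }
  }

  // 4. A URL rendered as element text: page content pretending to be an
  //    address bar is the picture-in-picture tell.
  const urlAsTextRe = />\s*(https?:\/\/[^<\s]+)\s*</g;
  while ((m = urlAsTextRe.exec(html)) !== null) {
    tells.push({ kind: 'url-in-page-text', value: m[1] });
  }
  return tells;
}

// Usage on the constructed sample:
for (const t of findPhishTells(SAMPLE_HTML, 'tradeit.cash', 'skins.cash')) {
  console.log(JSON.stringify(t));
}
```

None of these findings is proof on its own (plenty of legitimate sites use a CDN), but a page that trips all of them, and that was reached from a stranger’s chat link, is worth the right-click on the title bar.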

Update: Turns out this is a pretty well-done picture-in-picture attack (a fake browser window drawn inside the page). Thanks, internet strangers!

Linux (x86) Exploit Development Series

Amazing tutorials for linux exploit development!

sploitF-U-N

First of all I would like to thank the Phrack articles, their authors and other security researchers for teaching me about different exploit techniques, without whom none of the posts would have been possible!! I firmly believe that the original reference articles are always the best place to learn things. But at times we may struggle to understand them because they may not be linear and they may be outdated too. So to the best of my efforts, here I have just simplified and conglomerated different exploit techniques under one roof, in order to provide a complete understanding of Linux exploit development to beginners!! Any questions, corrections and feedback are most welcome!! Now buckle up, let’s get started!! I have divided this tutorial series into three levels:

Level 1: Basic Vulnerabilities

In this level I will introduce basic vulnerability classes and also let’s travel back in time, to learn how Linux exploit development was carried back…

Exploit Development: Stack Buffer Overflow

A stack buffer overflow occurs when a program writes more data into a stack-allocated buffer than was reserved for it. The extra data overwrites whatever sits after the buffer on the stack: neighbouring local variables, the saved frame pointer and the saved return address. Corrupting these can crash the program or, by overwriting the saved return address, let an attacker redirect the execution flow of the program and execute arbitrary code.

I used Evan’s Debugger (EDB) to demonstrate the buffer overflow on Kali Linux.

Metasploitable 2 Walkthrough: An Exploitation Guide

Metasploitable 2

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. By default, Metasploitable’s network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network.

As this VM has many vulnerabilities in common with version 1, I will only be covering the newer vulnerabilities on the system. For a comprehensive walkthrough on version 1 of the VM you can check out my previous blog post here.


Metasploitable Walkthrough: An Exploitation Guide

Metasploitable

Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image with a number of vulnerable packages included, which can be run on most virtualization software.

You can grab your copy at Vulnhub – Metasploitable

I used Kali Linux for attacking and VirtualBox for virtualization.


Penetration Testing with Kali Linux and the OSCP

Offensive Security, PWK and OSCP – A Review


PWK and OSCP

Penetration Testing with Kali Linux (PWK) is Offensive Security’s starter course for newer folks in the field of computer security. Although it’s advertised as an entry-level course, it’s recommended that you be acquainted with Linux, TCP/IP and networking, and familiar with at least one scripting language (Python/Ruby) and one high-level programming language (C/C++).

The Offensive Security Certified Professional (OSCP) certification is optional and is awarded on passing the OSCP certification challenge (the exam), which you can attempt once you have registered for the PWK course.

You can check out more information about the course here.
