Caution! Phishing Mails Exploiting URL Shortener and Impersonating Organizations

The ASEC analysis team has been continuously posting information about phishing mails on this blog and urging users to stay alert. Recently, the team confirmed a large-scale distribution of phishing mails whose attachments appear to be of the same type.

While the HTML files of the phishing sites that users ultimately reach differ from one mail to the next, the HTML attachments that perform the redirection share the same structure, and the URLs of the phishing pages are concealed behind a particular URL shortener (chilp.it). This post examines two different phishing mails and explains the structural characteristics that lead the team to conclude that the two mails are of the same type.

Figure 1. Phishing Mail 1
Figure 2. Phishing Mail 2

Figure 3 and Figure 4 below show the HTML attachments of the phishing mails in Figure 1 and Figure 2, respectively. Both files redirect the user to a phishing page three seconds after being opened, and both use the same script syntax. In each case the redirection URL embedded in the script is hidden behind the same URL shortener (chilp.it).

Figure 3. HTML script attached to Phishing Mail 1 (redirects to phishing page)
Figure 4. HTML script attached to Phishing Mail 2 (redirects to phishing page)
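As an added detection example (not code from the original post or from ASEC), the script below scans an HTML attachment for a timed auto-redirect and flags it when the destination is the URL shortener named above. The attachment syntax is not reproduced in the post, so the two redirect forms it recognizes (a `meta refresh` tag and a `setTimeout` location change) and the sample attachments are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# URL shortener named in the post; extend with others as needed.
SHORTENER_DOMAINS = {"chilp.it"}

# Assumed form: <meta http-equiv="refresh" content="3;url=https://...">
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*(\d+)\s*;\s*url=([^"\'\s>]+)',
    re.IGNORECASE)
# Assumed form: setTimeout(function(){ window.location.href = "https://..." }, 3000)
JS_TIMED_REDIRECT = re.compile(
    r'setTimeout\s*\(.*?location(?:\.href)?\s*=\s*["\']([^"\']+)["\'].*?,\s*(\d+)\s*\)',
    re.IGNORECASE | re.DOTALL)


def extract_redirects(html):
    """Return a list of (delay_in_seconds, url) pairs found in an HTML attachment."""
    found = []
    for delay, url in META_REFRESH.findall(html):
        found.append((int(delay), url))
    for url, delay_ms in JS_TIMED_REDIRECT.findall(html):
        found.append((int(delay_ms) / 1000, url))
    return found


def is_suspicious(html, max_delay=10):
    """True if the attachment auto-redirects within max_delay seconds to a URL shortener."""
    for delay, url in extract_redirects(html):
        host = (urlparse(url).hostname or "").lower()
        on_shortener = any(host == d or host.endswith("." + d) for d in SHORTENER_DOMAINS)
        if delay <= max_delay and on_shortener:
            return True
    return False


# Constructed samples for demonstration; not the real attachments from the post.
SAMPLE_META = ('<html><head><meta http-equiv="refresh" '
               'content="3;url=https://chilp.it/EXAMPLE"></head></html>')
SAMPLE_JS = ('<html><body><script>setTimeout(function(){'
             'window.location.href="https://chilp.it/EXAMPLE";},3000);</script></body></html>')
SAMPLE_BENIGN = '<html><body><p>Please find the invoice attached.</p></body></html>'

if __name__ == "__main__":
    for name, html in [("meta", SAMPLE_META), ("js", SAMPLE_JS), ("benign", SAMPLE_BENIGN)]:
        print(name, extract_redirects(html), "suspicious" if is_suspicious(html) else "ok")
```

The same check can be run over attachments pulled from a mail gateway or sandbox; a redirect to a non-shortener host is reported but not flagged, so tune `SHORTENER_DOMAINS` to the shorteners seen in your own environment.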

Figure 5 and Figure 6 show the phishing login pages reached after the redirection. Because both pages pre-fill the ID field with the recipient's e-mail address, there is a real chance that users enter their e-mail passwords without a second thought.

Figure 5. Phishing page connected from phishing mail 1
Figure 6. Phishing page connected from phishing mail 2

Figure 7 shows the HTML file of the first phishing website, which leaks the entered login information. It is partially obfuscated so that the malicious URL and keywords are not exposed. Figure 8 shows the file after deobfuscation; the URL of an additional JavaScript file (app.js) is highlighted in the red box. Figure 9 shows the content of that additional JavaScript (app.js), which sends the login information to the C2 server.

Figure 7. Account leaking HTML file of phishing page connected from phishing mail 1 (obfuscated)
Figure 8. Account leaking HTML file of phishing page connected from phishing mail 1 (unobfuscated)
Figure 9. app.js (sends the login information to C2)

Figure 10 is the HTML file of the second phishing website, which also leaks login information. In this case the file is not obfuscated, and the C2 URL is visible directly in the script.

Figure 10. Account leaking HTML file of phishing page connected from phishing mail 2

The two e-mails show that they were sent by the same person and that both use the same URL shortener in their attached HTML files. The phishing pages they ultimately lead to, however, differ in how they operate and in their type.

Users must not open mails from unknown sources and are advised to update their anti-malware products to the latest version. The account-stealing phishing pages described here operate much like those continually introduced on the ASEC blog, so users must remain alert and never enter their account information on a webpage reached from an attached file.

V3 Lite currently responds to this threat by blocking the URLs.

[Relevant IOC Info]
– hxxps://blubbery-stake.000webhostapp.com/3/aspx.php
– hxxps://flamboyant-borg.95-216-216-13.plesk.page/froum_do/wp-content/uploads/2021/09/gate.php

Categories: Malware Information
