Introduction
Tas (@tas_kmanager), in collaboration with Curated Intelligence, shared his research on the newly observed method of phishing utilizing chat functionality in multiple web/mobile applications. Furthermore, he is able to link this campaign to other similar campaigns based on the shared TTPs and IoCs.
Background
We have recently tracked a connection in
global credit card information harvesting campaign targeting user in different
postal and e-commerce services. This latest wave of phishing introduced a novel
TTP of utilizing the postal, reservation and e-commerce services chat
functionality.
Earlier in this month, Tas personally
received a suspicious message via chat from a hotel merchant in the travel
reservation application Booking.
The message itself came from the official
account of the hotel merchant, Tas has contacted them before via this method to
inquiry information about the hotel room. The message was letting the guests
know that they are required to enter their information in an online form, with
the premise of combating stolen credit card fraud (the irony!)
As per usual phishing TTP, the threat actor
was using urgent and threatening language, such as “THE PROCEDURE IS
MANDATORY” and “it will remain active for 12 hours until your booking is
confirmed” Another interesting thing to mention is that the threat actor
does know the hotel where the guests are staying, the time of their stays, the
reservation ID (being used in the phishing link). Thanks to all the information
above and the fact that the message was coming from the hotel merchant account,
this phishing message almost fooled Tas. The biggest red flag that saved him is
the unusual phishing URL, and a major typo in the phishing domain.
Initial Analysis
We continued the investigation in the
sandbox. Once the unsuspected guest clicks the link, it leads the guest to fake
Booking website, specifically “Your Selection” page. See the screenshot below.
The fake Booking website is resembling the legitimate Booking website while also containing the right information related to the guests’ booking, such as:
- Hotel name
- Hotel address
- Hotel image (sometimes it’s a screenshot of the hotel page in the Booking app, not the hotel itself)
- Check-in date
- Check-out date
- Price (sometimes in the wrong currency)
- First and last name (came prepopulated and can’t be changed)
To proceed to the next page, the guest must
add a phone number. There is a phone number checking mechanism applied in this
page. Once added, we will be taken to the “Your Details” page. See the
screenshot below. Interestingly, the fake Booking website has a support chat
functionality (blue chat icon on the bottom right), which does not exist in the
legitimate website.
Similarly, to the previous page, there are
also multiple checking mechanisms in “Your Details” page. Primarily to verify
credit card information, such as card number, expiry date and CVC number. Once
the guest entered an acceptable credit card information, we will be redirected
to this loading page and the guest data will be forwarded to their controlled
server.
This page will either display a successful transaction
message or additional error messages, that we will look deeper in the next
section.
Code Analysis
To gain better understanding of the web
application, we will look deeper into the code. So far, we have 3 different
pages with some unique functionality that verify the inputted information.
The Copycat
The initial observation and a key factor
that lends an air of legitimacy to this phishing attempt is the striking
similarity between the counterfeit Booking page and the genuine one. A closer
examination of the code reveals that the threat actor is employing identical
HTML themes, IDs, and classes in all three pages we've examined. Please refer
to the comparison below, where both pages exhibit these similarities.
Figure 5 - Legitimate Booking Website Code
Custom Script in the HTML codes
To collect the necessary information, the
threat actor needs to insert their own code to redirect the data to their
server for collection and validation. Below, you can observe different classes
employed in the legitimate Booking website code compared to those used in the
phishing page.
More to that, on the “Your Details” page
where the victims are asked to provide credit card information, there are
script snippets added to the end of the HTML Code that function as credit card
information submission function. It can be observed that the Threat Actor
cannot keep certain comment to themselves.
Even more interesting, the Threat Actor are considering numerous scenarios that could happen with the Credit Card transaction and have created multiple functions to catch these scenarios, here are some of the scenarios they have planned:
- The user is utilizing multi factor authentication (SMS Code, Application Code, etc.).
- The user is hitting transaction limit.
- The user is not having the minimum amount of money on their account.
- The user is not using 3D-Secure authentication.
- The user online payment is disabled.
- The user transaction is blocked by Geolocation blocking.
- The user is using other banks that the Threat Actor is not aware of.
The Threat Actor then will display
different messages for each scenario, instructing the victims on how to make
sure the transaction will go through successfully.
One function is also able to request SMS
code from the victim and submit the code automatically to the Threat Actor
server where it will perform the MFA bypass. Note that there is a comment
containing “pluxurydarklord”, likely the alias of the creator of the
function or the script. The SMS code is passed utilizing the Axios post
request.
Custom JavaScript Files
There are several interesting JavaScript
files that are stored in unusual path, in the example below the custom
JavaScript codes, submit.js and blur_input.js, are stored in “/css/booking1”
path.
Digging
deeper into the submit.js code, we are seeing lot of capture and verification
functions to support data collection of the victim. Below are the functions to verify email
address and phone number.
The threat actor took precautions to ensure
that the victim entered valid credit card details, including the credit card
number, expiration date, and CVV number. Below is the function that employs
custom regex patterns to validate various recognized credit card formats.
Finally, within the submit.js code, there are intriguing comment lines at the beginning of the code within the phone-inputs-wrapper. Upon closer examination, it was revealed that these comments appeared unusual due to encoding issues when transitioning between the Russian Cyrillic and English language systems.
Figure
16 - Interesting Comment Lines
After fixing the encoding, the comments are
indeed written in Cyrillic:
// Получаем текущее значение в поле ввода
var inputValue = input.value;
// Используем регулярное выражение для удаления всех символов, кроме
цифр
var numericValue = inputValue.replace(/[^0-9]/g, "");
// Обновляем значение в поле ввода только цифрами
input.value = numericValue;
The comments are translated to:
// Get the current value in the input field
var inputValue = input.value;
var numericValue = inputValue.replace(/[^0-9]/g, "");
input.value = numericValue;
The code is likely written in the systems with Cyrillic encoding system.
The Missing Part
After the deep analysis on the phishing
components against the victims, we are left with one important question
unanswered. How did the attacker gain access to the Hotels chat systems in the
Booking website? Fortunately for us, Perception
Point researchers already did the investigation to answer the question.
What's absent from this campaign's
narrative is that hotels became targets of InfoStealer malware, delivered
through phishing URLs in emails disguised as messages from hotel customers. As
a result of successfully harvesting official Booking account credentials, the
threat actor gains the capability to access valuable customer information. This
includes full names, booking dates, specific hotel information, and partial
payment details that were employed to secure reservations on the platform.
Perception Point's assessment indicates
that numerous hotels and resorts have become victims of InfoStealer attacks,
resulting in thousands of individuals having their credit card information
compromised on a global scale.
Pivot Time
In the role
of a threat researcher, Tas consistently raises questions and maintains
curiosity about whether Booking is the sole platform used for delivering
phishing attacks via the chat function. Tas leverages urlscan.io to explore
different aspects of the phishing tool. Through the shared elements of the
phishing websites, it becomes evident that a more extensive operation is in
progress, involving various other platforms, predominantly within the realms of
e-commerce and package delivery services.
The earliest
documented instance dates back to October 2021 when the threat actor
impersonated the Romanian OLX e-commerce website. The approach here diverges
somewhat; instead of targeting the product or service buyer, the attacker
focuses on the seller. The attacker claims that the sender must verify their
credit card to accept payment from the buyer. In this scenario, it's the
buyer's OLX account that becomes compromised.
We also
observed that the threat actor is utilizing Domain Fronting to prevent
detection based on IP addresses, but this time they are using different service
providers, DDOS-Guard based in Russia.
Another instance occurred in November 2021,
where the threat actor replicated the website of the Polish InPost package
delivery service, with their focus on the product seller.
The threat actor employs identical information to persuade
both the victim, while continuing to employ domain fronting techniques,
specifically utilizing the Cloudflare service. Furthermore, we note the
existence of chat functionality on both pages. Notably, in this instance, there
is an evident use of URL shortening to circumvent potential detection related
to the URL, likely aimed at evading email spam/phishing filters.
In summary, approximately 1,300 URLs
exhibiting campaign-related characteristics have been submitted to urlscan.io
since the initial entry in October 2021. When randomly sampling data from
various time intervals (today, 3 months ago, 6 months ago, 1 year ago, and 2
years ago), the following features are observed.
|
Time |
Domain |
Company Impersonated |
TLS Certificate Issuer |
Domain Fronting |
Target |
|
Today |
confirmation-booking[.]id59212[.]top |
Booking |
R3 |
Cloudflare |
Buyer |
|
3 Months Ago |
Blablacar[.]pay-id332[.]ru |
BlaBlaCar |
GTS CA 1P5 |
Cloudflare |
Buyer |
|
6 Months
Ago |
Foxpost[.]reservation08009[.]cloud |
FoxPost
Hungary |
GTS CA 1P5 |
Cloudflare |
Seller |
|
1 Year Ago |
posta-ch[.]order-id87397[.]cloud |
SwissPost |
GTS CA 1P5 |
Cloudflare |
Seller |
|
2 Years
Ago |
allegro-fxyd[.]secur-umowa[.]space |
Allegro Polish |
Cloudflare
Inc ECC CA-3 |
Cloudflare |
Seller |
Over the last two years, the threat actor has frequently impersonated e-commerce and parcel delivery platforms listed in the urlscan.io database. See below table for the commonly impersonated platforms.
|
Organization |
Domain Count (urlscan.io) |
|
SwissPost |
105 |
|
Carousell |
100 |
|
Privat24 |
25 |
|
OLX |
68 |
|
InPost |
22 |
|
FoxPost |
29 |
|
SberBank |
14 |
|
DHL |
28 |
|
Vinted |
41 |
|
Booking |
26 |
|
NZPost |
21 |
|
Wallapop |
20 |
Summary
- With high confidence, the two credit card harvesting campaigns observed can be linked in to one campaign, with these shared TTPs and IoCs.
- Phishing delivery methods, including chat functionality and email with shortened URLs.
- Implementation of Domain Fronting, such as through Cloudflare and DDOS-Guard services.
- The attacker gained control over seller or buyer accounts (likely through InfoStealer) and provided all purchase-related information to enhance the phishing's authenticity.
- Crafting a convincing phishing page that replicates the legitimate site using its underlying code.
- Developing custom functions to address issues related to failed credit card transactions and input submission and verification.
- Incorporating a Chat Support feature to bolster the phishing page's authenticity.
- Common TLS certificate issuers are typically R3 and GTS CA 1P5.
Ensuring Your E-Commerce Safety
For user, both as sender and seller, make
sure to follow these recommendations to ensure the safety of your account.
·
Beware of Phishing Attempts: Be
cautious of emails, chat messages, text, or pop-up ads that request personal or
financial information. Legitimate companies will never ask for sensitive
information via email or messages. If in doubt, contact the company directly
using their official contact information.
·
Use Online Tools for
Verification: consider using online tools like urlscan.io or VirusTotal to scan
suspicious URLs or files. These tools can help you identify potentially harmful
websites or downloads.
·
Report Suspicious Activity: If
you suspect that a seller or a buyer is engaging in fraudulent behavior, report
it to the platform's support center. They can investigate and take appropriate
action.
·
Use Strong Passwords: Create
strong, unique passwords for your online shopping accounts. Avoid using easily
guessable information, like your name or birthdate. Consider using a password
manager to generate and store complex passwords securely. Never reuse the same
password.
·
Implement Multi-Factor
Authentication (MFA): Enable MFA on your accounts whenever it's an option. MFA
adds an extra layer of security by requiring you to provide a second piece of
information (e.g., a one-time code sent to your phone) in addition to your
password.