Anatomy of a phishing scam

I had a strange email hit my inbox the other day.

Screenshot of an email
From: Chrisgaraffa Summary
Subject: Reminder
1 Recipient

This document was scanned and sent to Chrisgaraffa  Multifunction Printer


Recipient: chris@chrisgaraffa.com

Total Pages: 1
Receive Time: 10:51
Transmit Time: 0.20 sec

Document Name: PMQ578282PP

Multifunction Device Location: Office
Device Name: Chrisgaraffa Printer

To vieѡ FAX messages, open the attachment and login ѡith your office email to authenticate viewer and enable instant access to all your fax messages on the go. 

There is a file attachment with the name Sum90384.html

It became pretty clear that this was a scam email based on a few things:

  1. The “from” name is “Chrisgaraffa Summary” – which doesn’t make a lot of sense! Maybe there was a small chance that it was from some online service I use where my account name is chrisgaraffa. But…
  2. The “from” email is an entirely different domain name. I’m not going to show the full address here because I checked into it and someone’s email had been hijacked. In any case it wasn’t an email address I was familiar with and didn’t expect a message from.
  3. The content of the message doesn’t make sense to me! I’m unemployed (feel free to make a donation to help me survive) and don’t have an office – or a multifunction device (one of those scanner/copier/fax machines). And I certainly don’t have a fax number nor am I expecting a fax!

At this point, I’d normally just delete the email. But I was curious…

About that attachment

First, a warning: don’t ever open attachments on email messages like this. I was able to safely look at it on a computer* that’s completely disconnected from the Internet and that I could easily erase before opening it.
*Techie detail: I actually opened it in a virtual machine without network connectivity and turned off shared folders.

It’s an HTML file, which you can tell by the suffix .html on the attachment name (Sum90384.html). HTML is the language that web pages are written in, so opening the attachment opens a web page that is packaged inside the email rather than hosted on a website.

The file is one really big line of code, about 33,000 characters long, starting with

<script language="javascript">document.write( unescape( '%3C!doctype%20html%3E%0A%3Chtml%20lang%3D%22en%22%3E%0A%0A%3Chead%3E%0A%20%20%3Cscript%20src%3D%22https%3A%2F%2Fcode.jquery.com%2Fjquery-3.1.1.min.js%22%20crossorigin%3D%22anonymous%22%3E%3C%2Fscript%3E%0A%20%20%3C!--%20Required%20meta%20tags%20--%3E%0A%20%20%3Cmeta%20charset%3D%22utf-8%22%3E%0A%20%20%3Cmeta%20name%3D%22viewport%22%20content%3D%22width%3Ddevice-width%2C%20initial-scale%3D1%2C%20shrink-to-fit%3Dno%22%3E%0A%0A%20%20%3C!--%20Bootstrap%20CSS%20--%3E%0A%20%20%3Clink%20rel%3D%22stylesheet%22%20href%3D%22https%3A%2F%2Fmaxcdn.bootstrapcdn.com%2Fbootstrap%2F4.0.0%2Fcss%2Fbootstrap.min.

It looks like gibberish – but there are a lot of clues here. First, it starts with a <script> tag, and the language is JavaScript. That’s the programming language used to make much of the web dynamic – when you click a button and something happens without having to refresh the page, like when you comment on a Facebook post.

The next bit is unescape followed by a long run of % signs, hexadecimal pairs and the occasional readable word. The whole page has been percent-encoded: every character is written as % followed by its two-digit code, so a space becomes %20, < becomes %3C and so on. unescape is an old JavaScript function that reverses that encoding, and document.write pastes the decoded result into the page as it loads. A mail filter or antivirus scanner that reads the attachment as text sees only the encoded gibberish, not the word “password” or a login form; the browser, on the other hand, decodes and displays it instantly. The encoding exists to get past such scanners, not for any legitimate purpose.

Once that’s done, we’re left with the code for what looks like a normal webpage:

HTML code: 
<!doctype html>
<html lang="en">

<head>
  <script src="https://code.jquery.com/jquery-3.1.1.min.js" crossorigin="anonymous"></script>
  <!-- Required meta tags -->
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

  <!-- Bootstrap CSS -->
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css"
    integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
  <link href="https://fonts.googleapis.com/css?family=Yellowtail&display=swap" rel="stylesheet">
  <title>Mail - mike - Outlook</title>
  <link href="https://ucarecdn.com/eae24034-0cc9-4528-827a-d46e30dd5a83/hover.css" rel="stylesheet" media="all">

  <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/core.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/md5.js"></script>
  <style type="text/css">

Those familiar with HTML might recognize some of this as being based on a Bootstrap template. But wait – why is the title “Mail – mike – Outlook”? A lazy mistake on the programmer’s part, and yet another signal that it’s not intended for me. The <title> is what shows up in the tab of the browser window:

Browser tab with the text Mail - mike - Outlook

And so we have another clue that this is a phishing email: Outlook is Microsoft’s email program, available on computers and the web alike.

Remember in the original email how it said I had a document waiting? This email is trying to get me to log in to an Outlook account.

It might be kind of convincing if you’re not paying much attention. You can see that they’ve autofilled my email address and just need a password to make it even easier for me to fall for it. And they’ve pulled the icon from my personal website (which they do automatically through a legitimate service called statvoo). If I were logging into a company email account, that would have the logo of my company on it.

What would have happened?

If you were to hit submit, it would send your email address and the password you entered to a completely different website — not Microsoft. The scammers would collect your email and password and try to use them to log in to your actual email address!

In this case, the scam page has a few things that it will do after getting your password. The code is convoluted, but it might try asking you for your password again. It might redirect you to the real Outlook / Office365 login page, or – and this one is very strange – might let you download an audio file that’s a voicemail of someone looking to donate food.

For techies, click here to see a screenshot of the code (with a domain blocked out for the victim’s privacy, as their webserver has likely been taken over).

What we’ve learned

We can take a few lessons from this real-life phishing scam:

  1. These scams have varying levels of quality. There are clear grammatical errors in the original email, and the words “view” and “with” are spelled with ѡ, a Cyrillic letter that looks like a w but will not match a filter searching for those English words. At the same time they’ve gone to certain lengths to make the page look legitimate by adding my site’s icon and my email address in the form!
  2. Check not just the name but the address of the sender and see if it’s someone you trust.
  3. Even in that case, are you expecting that message? Does it make sense or is it trying to tell you that you’ve got a fax on your office line when you don’t have either of those things?
  4. Don’t open email attachments!
  5. Always check the address of the website to make sure it’s the site you want to be on. Tech for the People has a guide – but the best advice is to just type in the website yourself instead of clicking links or attachments.