
Obfuscated JavaScript, scam emails, and American Express - jonluca
https://blog.jonlu.ca/posts/deobfuscating-amex-scammer
======
porlune
I wonder if scammers are intentionally misspelling subject lines because most
security-savvy people will just delete those as obvious scams and move on.
This would have a two-pronged effect:

1. it would filter out security-savvy individuals from the actual payload,
who might report the scam.

2. it would map to the least security-conscious individuals who would be the
most likely to fall for it.

~~~
mef
Yes. See "Why Do Nigerian Scammers Say They are From Nigeria?"

https://www.microsoft.com/en-us/research/publication/why-do-nigerian-scammers-say-they-are-from-nigeria/

~~~
Waterluvian
That page seems like it used a lot of fancy language to say something that
could be said in two sentences.

~~~
general8bitso
What are the two sentences so I don’t have to click the link?

~~~
PaulBGD_
Honestly just one:

> By sending an email that repels all but the most gullible the scammer gets
> the most promising marks to self-select, and tilts the true to false
> positive ratio in his favor.

~~~
bryanrasmussen
I wonder about that - is there a bad spot where the obvious scam mail is so
obvious that it prompts more people to troll the scammer back?

I mean the people who take the time to troll the scammer back want enjoyment
out of it, and the chance of getting that enjoyment would seem to be
heightened if the scammer seems more likely to be an idiot.

~~~
general8bitso
I don’t think the scammer is an idiot, but I only have so much time in the day
for vigilantism.

I did get an IRS scam VOIP number shut down last week in about 15 minutes.

------
userbinator
The next logical step after finding where the data is sent is to use a script
to fill the phisher's database with rubbish... there are sites like
https://www.fakenamegenerator.com/ which
will help you create fake-yet-plausible identities.

I remember many years ago I was sent a keylogger. I reversed it, found it was
configured to upload keylogs to an FTP server on a free webhost, and promptly
replaced the existing contents of it with as many copies of The Bible as would
fit in the few MB of space available.

------
mindfulplay
Is it ethical or possible to attack the attacker by spawning a few cloud
instances that POST dummy but nearly legit responses to their website? This
way they would have to comb through and hopefully verify a lot of crap to find
victims' card numbers?

Unless of course they were clever enough to embed some fake cookie to track
responses to specific emails...

------
chinhodado
So in the end, what does the obfuscated JS do?

~~~
jonluca
It's a triple-encoded payload that loads a large HTML blob onto the page.
The payload is 99% similar to Amex's actual page; it just submits the data to
the attacker's domain, and has a few extra fields like mother's maiden name,
elementary school, etc.

The purpose of the obfuscation is 1) to prevent automated scanners and 2) to
prevent debugging of the script.

Since we did static analysis it did not impact the result.

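The static-analysis approach described above (peel the encoding layers, then read where the recovered form posts and which extra fields it asks for), as an added example that is not code from the post or the thread. The three layers, the sample form, the expected-field set and the domains are all constructed assumptions, not the real campaign's.

```python
import base64, binascii, re
from urllib.parse import unquote, urlparse

# Constructed sample: a phishing-style form wrapped in three encoding layers
# (percent-encoding, then base64, then JS-style "\xNN" string escapes).
INNER_HTML = ('<form action="https://verify-account.example.net/submit" method="post">'
              '<input name="cardnumber"><input name="maiden_name">'
              '<input name="elementary_school"></form>')
L1 = "".join(f"%{b:02X}" for b in INNER_HTML.encode())      # percent-encoded
L2 = base64.b64encode(L1.encode()).decode()                  # base64
OBFUSCATED = "".join(f"\\x{b:02x}" for b in L2.encode())     # \xNN escapes

HEX_ESC = re.compile(r'^(\\x[0-9a-fA-F]{2})+$')
B64 = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')
EXPECTED_FIELDS = {"cardnumber", "expiry", "cvv"}  # assumed legitimate field set

def peel_layers(blob, max_depth=8):
    """Unwrap recognised encoding layers without executing any JS; returns (text, layers)."""
    layers = []
    for _ in range(max_depth):
        if HEX_ESC.match(blob):
            blob = bytes.fromhex(blob.replace("\\x", "")).decode("latin-1")
            layers.append("hex-escape")
        elif "%" in blob and unquote(blob) != blob:
            blob = unquote(blob)
            layers.append("percent")
        elif len(blob) % 4 == 0 and B64.match(blob):
            try:
                blob = base64.b64decode(blob, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                break
            layers.append("base64")
        else:
            break  # no further recognised layer: treat as the final payload
    return blob, layers

def analyse(html, legit_domain="americanexpress.com"):
    """Report where the recovered form posts and which fields exceed the legitimate set."""
    actions = re.findall(r'<form[^>]*\baction="([^"]+)"', html, re.I)
    fields = set(re.findall(r'<input[^>]*\bname="([^"]+)"', html, re.I))
    def on_domain(url):
        host = urlparse(url).hostname or ""
        return host == legit_domain or host.endswith("." + legit_domain)
    return {"actions": actions,
            "off_domain": [a for a in actions if not on_domain(a)],   # where data goes
            "extra_fields": sorted(fields - EXPECTED_FIELDS)}        # security-question bait
```

Running `analyse(*peel_layers(OBFUSCATED)[:1])` on the constructed sample reports the off-domain action and the two extra fields; a blob with an unrecognised layer stops early and is returned as-is for manual review.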
~~~
romanov89
I guess the few extra fields get them the possible security question answers
for account takeovers.

------
benj111
And yet, if you turn off JavaScript to protect against this type of thing, you
end up breaking most financial websites.

(American Express is in fairness the one site that continued working ok as I
recall)

------
me45555
Very interesting, thanks for the post

