
An Innovative Phishing Style - ivank
https://tehaurum.wordpress.com/2018/09/30/an-innovative-phishing-style/
======
ad133
> As far as I could tell, the debugger trap was basically calling the debugger
> function if it detects a running debugger.

This is a fairly common trick, you just run the debugger method in a
setTimeout loop since it's a no-op if the debugger isn't open. It's a common
tactic used by quasi-illicit sport streaming websites that are usually filled
with ads.

There's a button in Chrome Dev Tools to disable breaking on breakpoints that
gets round this.

------
nneonneo
The site's dead now - the DNS record was pulled about an hour ago. But, I got
a snapshot of the site and all the code before it got taken down, and I took
the liberty of deobfuscating the big blobs of code:

[https://github.com/nneonneo/steam-phishing-analysis](https://github.com/nneonneo/steam-phishing-analysis)

It's fairly simple code, in the end. The phishers copied the legitimate
trading site, as well as the Steam Community login page, and then added some
JavaScript code to both as well as tweaking the HTML a bit. In total, three
snippets of JS were added: the first detects debuggers using
[https://github.com/sindresorhus/devtools-detect](https://github.com/sindresorhus/devtools-detect) (the bit that the
original blog poster found), the second pops open the fake browser chrome and
sticks the fake login page inside an iframe, and the third (running in the
iframe) harvests credentials off the copied Steam login page.

~~~
BslSJDIz1gqWxXq
How was the JS obfuscated? Did they, by any chance, use [1]?

AFAIK that tool includes a very similar anti-debugging technique.

[1] [https://github.com/javascript-obfuscator/javascript-obfuscat...](https://github.com/javascript-obfuscator/javascript-obfuscator)

~~~
nneonneo
They did a first pass obfuscation which replaced local variable names with
gibberish and then applied some minification. Then they applied an obfuscation
tool 2-3 times for each of the three code snippets, causing the code to bloat
up quite considerably. However, at least two different obfuscation tools were
used - one simpler one (used for the antidebugger hook) and one more complex
one that looked almost like a virtual machine.

The output looks a little like the output from your link, but there's a lot of
structural differences so I'm not sure it was the same tool.

------
heipei
Thanks for the good writeup. This technique however is not new, as others have
mentioned. If you look at this phishing site on the "Similar Pages" feature on
[https://urlscan.io](https://urlscan.io) you can see a bunch of other phishing
pages with similar themes (gaming / skin customisation) that employ the same
phishing kit, going back five months:
[https://urlscan.io/result/24dc54ec-2008-4fe1-b526-4a25fca25f...](https://urlscan.io/result/24dc54ec-2008-4fe1-b526-4a25fca25ff3/related/)

Some example domains: skinssoul[.]com, skinsnecro[.]com, dotaskins[.]eu etc...

------
cyberjunkie
I will vouch for the author of this article. Smart kid!

On a slightly off-topic note, I think it's safe to say that trading and farming
items in popular games is responsible for cheaters, unfair practices, and in
turn developers churning out more of these.

I hope we can return to games, where I pay for a title for its entertainment
value, bar of all loopholes and caveats.

~~~
WorkLifeBalance
It's a stretch to say it results in cheaters, people have been writing cheats
since quakeworld.

~~~
code_duck
The rate may have accelerated due to present incentives.

------
fabricexpert
I'm an engineer (mostly web) and I am very tech savvy, and extremely wary on
the internet of scams. However, if this site had come to me via a trusted
channel, I would have fallen for it maybe 80% of the time.

I hardly ever log in to Steam as it's always running, and while I have 2FA my
password would have been stolen in this attack for sure.

I don't think teenagers and non-techy users would stand a chance against this.

~~~
kylebarron
Note that LastPass didn't autofill the password and the box stayed gray
instead of red. That would tip off most LastPass users that the url was wrong.

edit: Image in question:
[https://i.imgur.com/hVTEKfD.png](https://i.imgur.com/hVTEKfD.png)

~~~
wild_preference
1Password saved me from getting phished by “colnbase.com” because the
completion hotkey didn’t work. I still wince thinking about how close I got.

You used to just have to be moderately tech savvy to avoid scams but I find
myself tricked more and more often these days. Recently it was a “click to
start download” ad. I sent the page to my friends and they got fooled too.

------
jarcane
The fake pop-up window isn't new. This does seem a fairly well engineered
version of the trick, but sites have been pulling this shit since the 90s. It
has been a while since I've seen it though, but then I use an ad blocker so I
suppose I wouldn't.

~~~
baddox
I distinctly remember laughing at fake popups using Windows UI styling while
I’m using Linux.

~~~
Slartie
Yeah, and this one isn't any better in that regard. Was just examining it on a
Mac, where it uses the same Windows UI style.

One should think that malware authors would have already implemented some JS
library of sorts for their fake popups that fakes Windows, MacOS and Linux UI
styles more convincingly.

Especially since they've applied serious thoughts to other parts of the fake,
like the language chooser in the fake Steam popup. It causes a spinner for a
short while and then an error popup saying something like "cannot communicate
with Steam server". Nice idea to dead-end page components that they didn't
want to fake more convincingly.

~~~
solarkraft
Unthemed Windows & Mac OS will be convincing to a lot, Linux will be pretty
hard. Then again those who tinker with their computers are unlikely to fall
into this trap.

~~~
askmike
This specific phishing website mimics an ingame website for Counter-Strike
Global Offensive, a shooter game with the vast majority of players using
Windows. Linux isn't supported at all and while the game technically runs on a
Mac most people don't (or play it with Bootcamp).

I would not be surprised if 99% of the audience for this website is using
Windows, the vast majority with default themes (and the ones without either
won't notice this or think Windows is buggy when a popup shows the default
theme).

~~~
def_true_false
> Linux isn't supported at all

What? Valve games tend to have pretty good Linux support.

------
oriettaxx
Wanna bet that if I call anybody working in a bank, telling them I am from the
IT department and I want them to check the new login page (done the way
described in this article), they will enter there their login & password?

~~~
hsnewman
Well, first, phishing is not calling someone, but at our bank we train our
employees monthly about phishing by testing them, and if they fail they must
take a class. Serial failures could result up to termination. So, how much you
wanna bet?

~~~
owenmarshall
> So, how much you wanna bet?

You're not resigned enough to be on an infosec team, and if you're not on an
infosec team you probably don't know the true percentage of how many employees
are failing over and over (it's a ton, it's _always_ a ton).

I'd go big :)

~~~
hvindin
Personally I'd be pretty sure that, at least at the bank I currently work at,
this would rarely ever work.

I mean, other than the attempts to foster a relationship between bank staff
and the tech people through things like days of letting tech people hang out
and try and be helpful at branches in order to "see what real difference they
could make" - and that largely ending up being a fairly regular educational
exercise for everyone involved - there's two problems I see:

1. All the phone calls into branches are monitored (you may have noticed so
many "we will record this call and it may be monitored" messages - they aren't
kidding) and if certain key words, or even key tones of voice are picked up
someone from a relevant team silently dials onto the call to listen in.

2. The general process for _anyone_ not in IT interacting with any IT system is
to click a button on their screen which generates a 6 digit pin and if you
can't match that pin with the person talking to you and don't confirm success
then alerts go out immediately.

And given the hit rate on the "generate pin" api, tellers are definitely using
it properly.

So I'd be inclined to go pretty small if I were to bet at all.

Not sure why the assumption that you can social engineer your way onto any
half way competent institution still persists, but nowadays, as far as I know,
you have to pick the _really_ low hanging fruit for someone to let you in so
easily.

~~~
btown
> half way competent institution

At which attackers shift their targets from a bank to a mobile phone
provider... :(

~~~
bonestamp2
Obligatory "SMS 2FA needs to stop" comment. Because it does.

~~~
btown
Additional obligatory "2FA doesn't excuse weak password choices or password
reuse."

------
benatkin
Apparently Cloudflare doesn't require a credit card to sign up for the free
plan. Not that scammers couldn't figure out how to provide a credit card that
wouldn't trace back to them.

~~~
milankragujevic
Why would it require a credit card to sign up for the free plan? To "prevent"
scams and abuse?

~~~
LeonM
It's a common sales technique. People are willing to give their CC details for
a free plan since they are not charging anyway. But by the time your site
grows, this takes away the friction of switching to a paid plan. Mailgun does
the same.

~~~
tjoff
Maybe it's a cultural thing?

I've never come across a situation where anyone would give their CC number for
a free service. That gives a _really_ shady impression.

Or expose myself to that risk.

~~~
ryandrake
Free service that requires a credit card? That is almost always a red flag for
me and just screams “scam”. Who falls for that?

~~~
282883392
Heroku, HBO, Discord, Amazon Prime, etc all have free trials/plans that
require a credit card . . .

~~~
tjoff
Not sure what Prime is but I suspect everything you can do requires a purchase
anyway? If so that could, perhaps, be reasonable.

Wouldn't ever sign up for any of the others though.

And when a free trial requires a cc that kind of implies that you have to read
the fine print very carefully and actively cancel before you get "upgraded".

Doesn't exactly inspire trustworthiness, I'd research competitors closely
before considering a company that does that.

------
Tepix
This is hard to defend against, but changing the default colour scheme (also
used for every window title bar) helps somewhat.

~~~
quietbritishjim
A good solution is to force popup windows to open as a tab in the current
window, so that the address bar is absolutely always in the same place. This
distorts the popup window because it can't change size but that's a small
price to pay. I find it annoying that any website should open a new window
anyway. I'm not sure if this is possible in Chrome, or if so how to do it, but
in Firefox the setting is browser.link.open_newwindow.restriction.

It would also help if Windows had proper contrast between the title bars of
active and inactive windows, since then it would be obvious there's a problem
from the two simultaneously active top-level windows. The contrast was
excellent from at least Windows 3.1 through to Windows XP (colour vs
greyscale) but in Windows 7 it dropped dramatically, and it's almost
indistinguishable in Windows 10. Microsoft seems to have an endemic problem of
redesigning visual styles for the sake of it, even if it makes things worse,
presumably to justify the wages of full-time designer staff.

~~~
lokedhs
If you go to the page, you'll notice that they are not displaying a popup.
Instead, they have recreated the entire UI experience, and if you're on
Windows the only way to tell that something fishy is going on is if you try to
move the window and you'll notice you can't move it outside the bounds of the
parent Window.

It's incredibly well done, and I was almost fooled by it when I went to the
web site. If I hadn't been using Qubes OS where my dispvm's are using red
borders, I probably wouldn't have noticed at all.

~~~
quietbritishjim
> they are not displaying a popup

But that's exactly my point! If you have set your browser to make all popups
appear as a tab taking up the whole of your existing window (and adding an
entry to your tab list), and then a fake one looks like a separate window,
then it will stick out as fake immediately. For me, a browser-like window
within the boundary of my actual browser is so foreign that I wouldn't even
consider the possibility that it's real.

------
cbg0
Browsers should implement some mechanisms to combat this type of phishing.
I've gone ahead and reported this as a phishing site on Google safe browsing
and other services.

~~~
chii
> Browsers should implement some mechanisms to combat this type of phishing.

combatting this doesn't require browsers - you can have a passwordless login
mechanism (like email links!).

Or, if browsers do indeed want to combat issues such as these, we'd need
support for client-side certs (so you can login using a key-pair!), rather
than username/password.

Or, rely on a tool like lastpass to consistently enter the credentials (which,
presumably, will check the domain first and if it doesn't match, won't let you
put the credentials in).
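The domain check chii describes, and that saved kylebarron's and wild_preference's password managers from the wrong site, as an added example (not code from the thread or from any password manager); every vault entry, host name and URL in it is constructed for illustration:

```javascript
// Added illustration of the origin gate a password manager applies before it
// offers a saved credential. Not the LastPass or 1Password implementation;
// the vault entries and URLs below are constructed sample data.

// Saved entries are keyed by exact origin (scheme + host + port). Substring
// or "contains" matching on the hostname is deliberately avoided, so
// "steamcommunity.com" neither matches "steamcommunity.com.skinssoul.example"
// nor lets "colnbase.com" pass for "coinbase.com".
const VAULT = [
  { origin: "https://steamcommunity.com", username: "alice" },
  { origin: "https://www.coinbase.com", username: "alice@example.test" },
];

// Normalise a page URL to its origin; anything that is not a plain https URL
// (http, javascript:, data:, unparsable input) gets null and therefore no fill.
// new URL() also converts internationalised hosts to punycode, so a lookalike
// built from non-ASCII characters compares against its xn-- form, not the
// glyphs the user sees.
function pageOrigin(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.protocol !== "https:") return null;
  return u.origin;
}

// Credentials that may be offered to the login form at frameUrl inside the
// top-level page at pageUrl. Policy choices (assumptions of this example):
//  - the form's own frame origin must equal a saved origin exactly;
//  - a form in a cross-origin iframe is refused outright, since a login page
//    embedded by an unrelated site is itself the pattern seen in this kit.
// A copied Steam page served from a phishing host matches nothing, however
// convincing the address bar drawn around it looks.
function credentialsFor(pageUrl, frameUrl = pageUrl) {
  const top = pageOrigin(pageUrl);
  const frame = pageOrigin(frameUrl);
  if (top === null || frame === null || top !== frame) return [];
  return VAULT.filter(entry => entry.origin === frame);
}

// The user-facing verdict (the grey vs. red field colour kylebarron mentions).
function verdict(pageUrl, frameUrl = pageUrl) {
  const matches = credentialsFor(pageUrl, frameUrl);
  return matches.length > 0
    ? `offer ${matches.length} saved credential(s)`
    : "no saved credential for this origin: check the address bar";
}
```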

~~~
askmike
The problem with e-mail links is that if the e-mail inbox gets hacked the
hacker now has access to all the user's services.

~~~
jstanley
Unlike with passwords, where the attacker has to go to the extra step of
clicking "I forgot my password" in order to convert access to the email inbox
into access to all the user's services.

------
ryandrake
OAuth and similar technologies are a blessing and a curse. Users are too
willing to use one site’s login credentials to log into another site, and this
willingness is a phisher’s dream come true. This whole class of problems would
go away or at least be minimized if there were fewer of these “log in with
Facebook” and “log in with your google account” opportunities to exploit.

In this case it looks like the 3rd party service required deep integration
with Steam so it was probably unavoidable, but many sites use OAuth as a
crutch because they don’t want to bother building their own sign-in system.

I’ve stopped using services if they don’t provide an option to create a
site-specific username and password. Facebook login the only way to sign up for
your site? How about no.

------
kilburn
Doesn't OAuth and similar work by _redirecting_ you to the login page?

I don't recall ever seeing a version that opens a popup to get you to login.
This would immediately raise my suspicions on this basis (popup windows can be
controlled by the opening website to a large degree!).

~~~
michaelt

> I don't recall ever seeing a version that opens a popup to get you to login.

You'll often get a login pop-up if you pay with paypal - they call it the
mini-browser in their documentation [1] - and I guess the intention is you
don't have to leave the merchant's website in you main browser window.

[1] [https://developer.paypal.com/docs/classic/adaptive-payments/...](https://developer.paypal.com/docs/classic/adaptive-payments/ht_ap-embeddedPayment-curl-etc/#step-4-test-the-html-form-1)

~~~
kilburn
I think this was a bad option they offered in the past and now they are stuck
with it. Notice the alert at the top of that page:

> Important: Adaptive Payments is now a limited release product. It is
> restricted to select partners for approved use cases and should not be used
> for new integrations without guidance from PayPal.

In other words, a popup loading another website is just wrong and should be
avoided by both website makers and their users.

------
ssebastianj
> "The whole thing was just a drawn up window inside the phishing website!"

This reminds me of the "Phishing Alert Toolbars" section from Ross Anderson's
"Security Engineering" book on what he calls a "picture-in-picture website"
[0]

[0]
[https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c02.pdf](https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c02.pdf)

------
astockwell
Tangentially related (and an absolutely shameless self-promote): a colleague
and I recently described a repeatable approach and methodology (including
example) for malware deobfuscation in a recent conference talk. Full narrated
video of the talk is here [1], deobfuscation portion is roughly the middle
third.

[1] [https://youtu.be/RAtjW7PVGaM](https://youtu.be/RAtjW7PVGaM)

------
wufufufu
They should use user agent to change the style of the fake browser. You can
maybe get access to the chrome theme assets also.

------
arayh
For what it's worth, I noticed that the login does not load up on IE11 and
Edge, although it loads up for Chrome, Firefox, and Opera and will label the
fake pop-up window with said browser name.

------
ttty
You could open the dev tools in a popup. The device tools detector works by
comparing some distances in your browser.

------
mahasvin
Hey, Russian detected in HTML/JS code. Takedown notice has to be issued from
skins.cash.

------
tasticanal
This is really interesting, though I can't see it exploited very widely in
everyday use.

~~~
Buge
Why? I think the main thing stopping it is safe browsing, which is the same
thing stopping all other phishing sites from getting too big.

------
StavrosK
This is why I think WebAuthn can't come soon enough.

------
gcb0
a phishing attempt that emulates an OS window in HTML is lame and should have
been spotted a mile away. real popups open as tabs to begin with.

~~~
rubbingalcohol
Depends on the browser, but in Firefox and Chrome you can certainly pop a
window using a click event. Assuming a JS library was clever enough to
simulate the OS-chrome believably it could be easy enough to trick people.

