Friday, June 01, 2007

SWF Phishing


The other day a phishing email was forwarded to me for analysis. I figured it would be a good exercise and a little bit of fun to decode the phisher’s methods. First the email was sent as an account verification.

***********************************************

---------- Forwarded message ----------
From: National Credit Union Administration
Date: May 28, 2007 4:30 AM
Subject: NCUA Account Review Department !
To:

Account Info Verification

Dear FCU holder account,

As part of our security measures, we regularly screen activity in Federal Credit Unions (FCU) network.
We recently noticed the following issue on your account: A recent review of your account determined that we require some additional information from you in order to provide you with secure service. Case ID Number: PP-065-617-349 For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause. Please log in to your FCU account to restore your access as soon as possible.

You must click the link below and fill in the form on the following page to complete the verification process.

Click here to update your account
Link = “http://host106-213-static.49-88-b.business.telecomitalia.it/icons/nfl/ncuaclients.html”

In accordance with NCUA User Agreement, your account access will remain limited until the issue has been resolved. Unfortunately, if access to your account remains limited for an extended period of time, it may result in further limitations or eventual account closure. We encourage you to log in to your FCU account as soon as possible to help avoid this. We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account.

We apologize for any inconvenience.

*************************************************

Obviously this link is bad. Lets see what lies in “ncuaclients.html”.

#wget http://host106-213-static.49-88-b.business.telecomitalia.it/icons/nfl/ncuaclients.html

# strings ncuaclients.html

html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
head>
meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
title>National Union Credit Administration - Security Form
/head>
body bgcolor="#ffffff">
!--url's used in the movie-->
a href="http://www.ncua.gov/index.html">
a href="http://search.ncua.gov/">
a href="http://www.ncua.gov/privacy.html">
a href="Http://www.ncua.gov/siteoutline.html">
a href="http://www.ncua.gov/AboutNcua/ncua_directory.html">
a href="http://www.ncua.gov/AboutNCUA/Index.htm">
a href="http://www.ncua.gov/NCUABoard/index.htm">
a href="http://www.accessacrossamerica.gov/">
a href="http://www.ncua.gov/FinancialEducation/index.htm">
a href="http://www.ncua.gov/Express/Index.htm">
a href="http://www.ncua.gov/data/FOMIA/NCUAgovLink.htm">
a href="http://www.ncua.gov/IndexNCUSIFQuery.htm">
a href="http://www.ncua.gov/IndexCorpQuery.htm">
a href="http://www.ncua.gov/data/IndexDownloadData.htm">
a href="http://www.ncua.gov/administrative_orders/Index.htm">
a href="http://www.ncua.gov/ALManagementInvest/Index.htm">
a href="http://www.ncua.gov/AssetMgmtCent/Index.htm">
a href="http://www.ncua.gov/CLF/index.htm">
a href="http://www.ncua.gov/CorporateCU/index.htm">
……(removed)…….
a href="http://webapps.ncua.gov/customquery/">
a href="http://www.ncua.gov/RSS/WhatIsRSS.htm">
!--text used in the movie-->
!--
* First Name :
* Last Name :
* Date of Birth :
* Mother Maiden Name :
* Address :
* City :
* State :
* Phone Number :
* Bank Name :
* Credit/Debit Card Number :
* Expiration Date :
* Cvv :
* Social Security Number :
* PIN:
E-mail Address:
* Denotes required field
!-- saved from url=(0013)about:internet -->
….removed…..
param name="movie" value="ncuaclients.swf" />

It looks like the page is pulling data right from www.ncua.gov and using a file called “ncuaclients.swf”. The HTML page calls the SWF file which presents the user with a series of forms which the user is prompted to enter personal data. After pulling down the SWF file I installed a group of SWF utilities via the FreeBSD ports system called “swftools”. Included in these are “swfstrings” and “swfdump”. Suspecting that the SWF file is the culprit and the attacker would be using a POST method to obtain the data I used:

#swfdump -atpd ncuaclients.swf | grep POST”

And the following ouput was produced:

…..(removed…..
String:"Washington" String:"West " String:"Wisconsin" String:"Wyoming" String:"LoadVars" String:"this" String:"submitBtn" String:"onRelease" String:"" String:"alert_txt" String:"Please complete all fields before submitting form." String:"sendForm"
( 13 bytes) action: Push Lookup:47 ("POST") Lookup:48 ("_self") Lookup:49 ("done.php") int:3 Lookup:0 ("gatherForm")
-=> 5f 74 78 74 00 50 4f 53 54 00 5f 73 65 6c 66 00 _txt.POST._self.

Here we can see a POST method to a document on the local server named done.php. It is in this PHP file that the attacker stores their phished information.