In this Malware Analysis Spotlight, VMRay Labs looks at the behavior of a phishing site distributed through an SMS message. Based on the content of the SMS message, this does not seem to be part of a targeted attack but rather part of a massive phishing campaign aimed at users of Apple products. This analysis will show how the threat actor used a fake Apple website to trick victims into entering login credentials, banking information and a photo of a driver’s license/passport.
VMRay’s Automatic Web Analyzer detects the delivered URL as malicious and classifies it as a phishing attempt (Figure 2).
Figure 2: Analysis Result of the Phishing URL.
Looking at the VMRay Threat Identifiers (VTIs) in Figure 3, there are several heuristic matches that characterize this as a phishing site:
Use of the Apple favicon
Use of HTTP versus HTTPS for entering sensitive information (e.g. login details)
The page presenting itself as a login page for Apple ID
Taken together, these matches show how the threat actor tries to masquerade the site as an official Apple website (Figure 4).
Figure 3: VTIs that triggered during the Automatic Analysis.
Figure 4: Screenshot of the Initial Phishing Page (Left); Actual Apple ID Login Screen (Right)
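To make the three heuristics above concrete, here is an added example (not VMRay's code or VTI rules) that scores a captured page against them: a known brand favicon served from a domain the brand does not own, a password field on a page delivered over plain HTTP, and a title that presents the page as a brand login page on a non-brand domain. The favicon hash, brand domain list, login phrases and the two sample captures are constructed for the example.

```python
"""Added example (not VMRay's code): a toy implementation of the three
phishing heuristics discussed above, run over a constructed page capture."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed lookup tables. The favicon hash is a placeholder standing in for
# the SHA-256 of the genuine brand favicon; a real deployment would curate these.
KNOWN_BRAND_FAVICONS: Dict[str, str] = {"PLACEHOLDER-sha256-of-apple-favicon": "apple"}
BRAND_DOMAINS: Dict[str, Set[str]] = {"apple": {"apple.com", "icloud.com"}}
BRAND_LOGIN_PHRASES: Dict[str, List[str]] = {"apple": ["apple id", "sign in with apple"]}


@dataclass
class PageCapture:
    """What a web analyzer would hand us for one visited page."""
    url: str
    html: str
    favicon_sha256: Optional[str] = None


class _PageScanner(HTMLParser):
    """Collects the <title> text and whether any <input type=password> exists."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.has_password_field = False
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _owned_by_brand(host: str, brand: str) -> bool:
    """True if host is the brand's domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def score_page(page: PageCapture) -> List[str]:
    """Return the names of the heuristics that match; an empty list means clean."""
    parsed = urlparse(page.url)
    host = (parsed.hostname or "").lower()
    scanner = _PageScanner()
    scanner.feed(page.html)
    matches: List[str] = []

    # 1. A known brand favicon served from a domain that brand does not own.
    brand = KNOWN_BRAND_FAVICONS.get(page.favicon_sha256 or "")
    if brand and not _owned_by_brand(host, brand):
        matches.append(f"brand_favicon:{brand}")

    # 2. Sensitive input (a password field) on a page delivered over plain HTTP.
    if scanner.has_password_field and parsed.scheme.lower() == "http":
        matches.append("credentials_over_http")

    # 3. Page presents itself as the brand's login page but lives elsewhere.
    title = scanner.title.lower()
    for b, phrases in BRAND_LOGIN_PHRASES.items():
        if any(p in title for p in phrases) and not _owned_by_brand(host, b):
            matches.append(f"brand_login_page:{b}")
    return matches


# Constructed samples: a lookalike page and the genuine one for comparison.
PHISH = PageCapture(
    url="http://accounts.example.test/signin",
    html="<html><head><title>Sign in - Apple ID</title></head>"
         "<body><form><input name=u><input type=password name=p></form></body></html>",
    favicon_sha256="PLACEHOLDER-sha256-of-apple-favicon",
)
GENUINE = PageCapture(
    url="https://appleid.apple.com/",
    html="<html><head><title>Sign in - Apple ID</title></head>"
         "<body><form><input type=password name=p></form></body></html>",
    favicon_sha256="PLACEHOLDER-sha256-of-apple-favicon",
)

if __name__ == "__main__":
    print("phish:", score_page(PHISH))      # all three heuristics match
    print("genuine:", score_page(GENUINE))  # no match
```

Each heuristic on its own is weak (a reseller may legitimately mention "Apple ID" in a page title), which is why the lookalike page is flagged on the combination of matches rather than on any single one, the same way the VTIs in Figure 3 are read together.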
For a closer look, we analyzed the phishing site with VMRay Analyzer’s Interactive Web Engine.
After clicking on the unlock account link, we are directed to a page that displays multiple forms asking for the user’s Apple ID credentials (Figure 5), credit card information (Figure 6) and a copy of a passport/driver license (Figure 7).
Figure 5: Screenshot of the dialog asking for the Apple ID.
Figure 6: Page asking for Credit Card Information
Figure 7: Page asking for Passport/Driver License.
The sequential interaction of sub-pages, including the unlock, log in and dialog pages, is visible in the Behavior Tab together with their resources, which include JavaScript files, CSS files, images, and fonts (Figure 8).
Figure 8: Behavior Tab showing the interaction between pages.
In addition to the sequential interaction, the IOC tab (Figure 9) shows a filtered view of the 119 artifacts extracted during analysis. There were 2 URLs classified as IOCs based on the VTI rules.
Figure 9: IOC tab showing the relationship between artifacts and VTIs
With the information presented in the IOC and Behavior tabs, security teams can block further phishing attempts using this domain and, by analyzing the extracted resources, understand how the user’s information is sent back to the threat actor.
IOCs
hxxp://appluser[.]com/signin
hxxp://appluser[.]com/signin/upload[.]php
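As an added example of the blocking step described above (this is not VMRay's code), the snippet below turns the defanged IOCs listed in this post into a domain and URL blocklist and checks a few proxy log lines against it. The log format and the log lines are constructed for the example; the `refang` helper handles the common `hxxp` and `[.]` defanging conventions used on this page.

```python
"""Added example, not from the VMRay post: build a blocklist from the defanged
IOCs above and match constructed proxy log lines against it."""
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# The two IOCs exactly as listed in the post (defanged).
DEFANGED_IOCS = [
    "hxxp://appluser[.]com/signin",
    "hxxp://appluser[.]com/signin/upload[.]php",
]


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so the value parses as a URL."""
    out = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return out.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def build_blocklist(iocs: List[str]) -> Dict[str, Set[str]]:
    """Return {'domains': {...}, 'urls': {...}}; URLs are stored scheme-agnostic."""
    domains: Set[str] = set()
    urls: Set[str] = set()
    for ioc in iocs:
        parsed = urlparse(refang(ioc))
        host = (parsed.hostname or "").lower()
        if not host:
            continue
        domains.add(host)
        urls.add(host + parsed.path)
    return {"domains": domains, "urls": urls}


def host_is_blocked(host: str, domains: Set[str]) -> bool:
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://appluser.com/signin 200
2024-01-01T10:00:09Z 10.0.0.5 POST http://appluser.com/signin/upload.php 200
2024-01-01T10:01:00Z 10.0.0.7 GET https://appleid.apple.com/ 200
2024-01-01T10:02:00Z 10.0.0.9 GET http://notappluser.com/signin 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def find_hits(log_text: str, blocklist: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Return one record per log line whose host is on the domain blocklist.

    'exact_ioc' tells the analyst whether the full URL was one of the listed
    IOCs or merely another path on the blocked domain.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m["url"])
        host = (parsed.hostname or "").lower()
        if host_is_blocked(host, blocklist["domains"]):
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "url": m["url"],
                "exact_ioc": (host + parsed.path) in blocklist["urls"],
            })
    return hits


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_IOCS)
    for hit in find_hits(SAMPLE_LOG, bl):
        print(hit)
```

Matching on the domain rather than only the two exact URLs is deliberate: once the domain is known to host the kit, any request to it is worth an alert, and the `exact_ioc` flag separates the pages seen during analysis (the sign-in page and the upload endpoint that receives the victim's data) from anything new on the same host.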