Navy Federal Credit Union Masquerades Found!


BLUF:

This documents repeatable steps that an analyst or enthusiast researcher can take to search for, and find, phishing sites that are masquerading as banking sites.

Introduction:

This takes the research TTPs from the USAA Masquerading research (documented here), and answers the question “can we repeat the steps to find Navy Federal Credit Union Masquerades, but in a reverse process?”

In the USAA Masquerading research, we first started off by searching urlscan for domains that started with “usaa-“. We observed a few hits, and we pivoted off the font and CSS file hashes. We learned that the masquerading site used the same font file as the legitimate USAA site. This research travels down the “Can the same research TTPs produce results when performed in reverse order?” rabbit hole.

Starting:

I use a free urlscan account. Some of the queries might require at least a free urlscan account. Please keep that in mind if you’re following along.

For starters, we check for scan results to the legit site via this query: https://urlscan.io/search/#domain%3A%22www.navyfederal.org%22. We review the legit Navy Fed site scan result from someone else 15 hours prior, here: https://urlscan.io/result/b59709f2-6bdf-4950-89c6-8931a49503c3/#transactions. I expand the font transactions as such:

I was going through each one, one by one. Most of the first ones did not return good results, because they were common fonts used by other legitimate (still suspicious, like online gambling) sites. In the snip above, the font file “nfcu-icons.woff” is in focus because it returned successful results.

We want to search for the above-mentioned font file and filter out any legitimate Navy Federal results using the “AND NOT page.url:…” portion as seen here: https://urlscan.io/search/#hash%3A1fa934880a173f877c7e90f95fca2ade66544e05daa88707d0866b6f903a9c05%20AND%20NOT%20page.url%3Awww.navyfederal.org. We can see the returned results include at least one obvious masquerading domain as seen below:

I first checked the obvious masquerade (verifynavycu[.]com).

https://urlscan.io/result/7797eb4c-924b-4e07-9b5d-273418b347dc

The first thing I notice in the snip below is that it has already been flagged by Emiliano Carlesi (@ecarlesi). Check out his site here: https://carlesi.vg/. As with the USAA research, a lot of phishing URLs are found by and scanned by @ecarlesi, so credit and kudos to him for being the initial finder.

Other interesting things are that urlscan found there are 590 similar pages, urlscan identifies that it is targeting the NFCU brand, the domain registrar is IONOS, and the page title starts with “Navy Federal Credit Union – Log In”.

Clicking the button to show related scans here: https://urlscan.io/result/7797eb4c-924b-4e07-9b5d-273418b347dc/related/ shows us obvious masquerade sites as observed below:

I chose the random result here: https://urlscan.io/result/163ec3a9-d491-4bb5-a4e8-2fa35a798424/ and observed the result below:

One thing that stands out is that it was an automatic submission from phishtank. I will research this later. We can see that the page title also starts with “Navy Federal Credit Union – “. The next thing to explore is “Can we search for scan results based on the page title?”.

Masquerades by page.title:

To figure that out we check the search help: first click the blue Help button to the right of the query field, then click the “Search API Reference” link that I’ve highlighted as seen below:

That takes you to https://urlscan.io/docs/search/. We can see that the page.title value is searchable with the free account.

We create a base search using the following:

page.title:"Navy Federal Credit Union – *"

We add to the base search a part to filter out legit scans by adding the following:

AND NOT page.url:www.navyfederal.org

And voila, there are a bajillion results returned as seen below. I review an unspecified result next.
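To make the two searches above repeatable (the font-hash pivot and the page.title pivot, each with the legit site filtered out), here is an added example that is not code from the original post. The query strings, the font-file hash and the legitimate domain are the ones used in this write-up; the search endpoint is urlscan's documented one (GET https://urlscan.io/api/v1/search/?q=..., authenticated with the API-Key header). SAMPLE_RESPONSE is a constructed stand-in shaped like that API's JSON (results[].page.domain, .url, .title and results[].result) so the triage step runs offline; its UUIDs and the .example domain are placeholders, not real scans.

```python
"""Build the urlscan.io searches used in this write-up and triage the hits.

Added example, not code from the original post. Query strings, font hash and
legit domain come from the post; SAMPLE_RESPONSE is CONSTRUCTED to mirror the
shape of the urlscan search API so the triage runs offline.
"""
import json
from urllib.parse import quote

LEGIT_DOMAIN = "www.navyfederal.org"
# SHA-256 of nfcu-icons.woff, taken from the post's urlscan search.
WOFF_HASH = "1fa934880a173f877c7e90f95fca2ade66544e05daa88707d0866b6f903a9c05"
TITLE_PREFIX = "Navy Federal Credit Union – "


def hash_query(file_hash=WOFF_HASH, legit=LEGIT_DOMAIN):
    """Pages that loaded the same resource, minus the legitimate site."""
    return f"hash:{file_hash} AND NOT page.url:{legit}"


def title_query(prefix=TITLE_PREFIX, legit=LEGIT_DOMAIN):
    """Pages whose title copies the brand's, minus the legitimate site."""
    return f'page.title:"{prefix}*" AND NOT page.url:{legit}'


def search_url(query):
    """Browser search link in the same form as the links in the post."""
    return "https://urlscan.io/search/#" + quote(query, safe="")


def api_url(query):
    """Same search through the API (send your key in the API-Key header)."""
    return "https://urlscan.io/api/v1/search/?q=" + quote(query, safe="")


def is_legit(domain, legit=LEGIT_DOMAIN):
    """True for the brand's registrable domain and any of its subdomains."""
    root = legit.split(".", 1)[1]          # www.navyfederal.org -> navyfederal.org
    return domain == root or domain.endswith("." + root)


def defang(domain):
    return domain.replace(".", "[.]")


def triage(response, legit=LEGIT_DOMAIN):
    """Collapse search hits to one defanged row per non-legitimate domain."""
    rows, seen = [], set()
    for hit in response.get("results", []):
        page = hit.get("page", {})
        domain = page.get("domain", "")
        if not domain or is_legit(domain, legit) or domain in seen:
            continue
        seen.add(domain)
        rows.append({"domain": defang(domain),
                     "title": page.get("title", ""),
                     "result": hit.get("result", "")})
    return rows


# CONSTRUCTED sample in the shape of a urlscan search API response.
SAMPLE_RESPONSE = json.loads("""
{"total": 4, "has_more": false, "results": [
  {"page": {"domain": "www.navyfederal.org", "url": "https://www.navyfederal.org/",
            "title": "Navy Federal Credit Union – Home"},
   "result": "https://urlscan.io/api/v1/result/00000000-0000-4000-8000-000000000001/"},
  {"page": {"domain": "verifynavycu.com", "url": "https://verifynavycu.com/login",
            "title": "Navy Federal Credit Union – Log In"},
   "result": "https://urlscan.io/api/v1/result/00000000-0000-4000-8000-000000000002/"},
  {"page": {"domain": "verifynavycu.com", "url": "https://verifynavycu.com/verify",
            "title": "Navy Federal Credit Union – Verify"},
   "result": "https://urlscan.io/api/v1/result/00000000-0000-4000-8000-000000000003/"},
  {"page": {"domain": "secure-nfcu.example", "url": "https://secure-nfcu.example/",
            "title": "Navy Federal Credit Union – Log In"},
   "result": "https://urlscan.io/api/v1/result/00000000-0000-4000-8000-000000000004/"}
]}
""")

if __name__ == "__main__":
    for q in (hash_query(), title_query()):
        print(search_url(q))
    for row in triage(SAMPLE_RESPONSE):
        print(row["domain"], "|", row["title"], "|", row["result"])
```

The `is_legit` check excludes subdomains of navyfederal.org as well as www, since `AND NOT page.url:www.navyfederal.org` on its own still returns other legitimate hosts of the brand; and the triage collapses the hundreds of related scans urlscan reports into one line per domain, which is what you actually want to feed into a blocklist review.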

Telegram to transmit the phished credentials:

I am not disclosing the specific result that I will analyze next. This is because it contains the chat_id of the Telegram channel that the phished credentials (the “<><”) are sent to, and I am unable to determine if it’s a private channel at this time.

It is interesting because they don’t use a masquerading URL. It does not have any NFCU variation in the URL. Here’s a snip of the snapshot shown below.

Another thing to note is that urlscan also detects that it is targeting the NFCU brand. I checked the urlscan search docs for searching by the detected brand, but it is a paid feature, so we cannot use it with our humble free account.

I just realized that I haven’t been analyzing the form submit methods. I checked the transactions tab.

I checked the first response; it is just a simple redirect using the window.location.replace function. I checked the next response, for the resource the urlscan scanner was redirected to. We can see they are using HTML escape characters (entities) to obfuscate it:

A quick and easy way to decode it is to simply send it to the console in dev tools:

The form includes steps to trick the user into entering the code sent to their phone as seen below with the “For added security do enter the code sent to your Mobile Number on profile with us, if you do not receive any code in the next 5 minutes, do enter ‘0000’ in both ‘Enter Code’ fields to continue verification.”. However, the quote has a red flag. In the quote, they use the word “do” as in “For added security do…”, but in common American English we wouldn’t use “do” – we would replace it with a comma as in “For added security, enter…”.

The onClick event listener is set to call the “sendEmailo()” function. I searched for that function, and observed they appear to be using Telegram to send the phishies.

They are using the configs below.

      chat_id = '*****************';   // Put telegram chat id here
      bot_token = '*******************************'; // Put telegram bot token here

I don’t use Telegram, so I’m not too sure about it, but I would guess that the channel or whatever for that chat_id is probably private. I’ve sanitized the results just in case it’s not.
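The redirect, the entity-escaped page and the Telegram config described in the last few paragraphs can be pulled apart without pasting anything into a browser console. The following is an added example, not code from the original post: it does with Python's html.unescape what the dev-tools trick does, never executes the kit's JavaScript, and masks any chat_id or bot_token it finds so a report does not republish a live token. Both sample bodies are constructed to resemble what is described above (a window.location.replace redirect, then an escaped form whose script holds Telegram settings); the hostname, ids and token in them are placeholders, not values from any real scan.

```python
"""Decode an HTML-entity-obfuscated phishing page offline and pull indicators.

Added example, not code from the original post. SAMPLE_REDIRECT and
SAMPLE_ESCAPED are CONSTRUCTED; every host, id and token in them is a
placeholder.
"""
import html
import re

# CONSTRUCTED: first response, a plain JavaScript redirect.
SAMPLE_REDIRECT = (
    '<html><body><script>'
    'window.location.replace("https://verify-portal.example/nfcu/login.php");'
    '</script></body></html>'
)

# CONSTRUCTED: second response, the landing page with its markup entity-escaped
# (a mix of named, decimal and hex entities, as kits tend to emit).
SAMPLE_ESCAPED = (
    "&lt;form id=&quot;login&quot; method=&quot;post&quot;&gt;"
    "&#x3C;input name=&#x22;username&#x22;&#x3E;&#x3C;input name=&#x22;password&#x22;&#x3E;"
    "&#60;button onclick=&#34;sendEmailo()&#34;&#62;Log In&#60;/button&#62;"
    "&lt;/form&gt;&lt;script&gt;"
    "var chat_id = &#x27;0000000000&#x27;;\n"
    "var bot_token = &#x27;000000000:PLACEHOLDERTOKEN&#x27;;\n"
    "var api = &quot;https://api.telegram.org/bot&quot; + bot_token + &quot;/sendMessage&quot;;"
    "&lt;/script&gt;"
)


def decode_entities(text, max_rounds=5):
    """Unescape repeatedly: some kits entity-encode text that is already
    encoded, so a single pass stops at '&amp;lt;'. Ends when nothing changes."""
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text


def redirect_target(text):
    """URL passed to window.location.replace(...), or None."""
    m = re.search(r"window\.location\.replace\(\s*['\"]([^'\"]+)['\"]\s*\)", text)
    return m.group(1) if m else None


def hostnames(text):
    """Distinct hostnames from every http(s) URL, in first-seen order."""
    found = re.findall(r"https?://([A-Za-z0-9.-]+)", text)
    return list(dict.fromkeys(found))


def exfil_config(text):
    """Telegram settings if present. Only the first four characters of each
    value are kept; the rest is masked so the report cannot leak a token."""
    cfg = {}
    for key in ("chat_id", "bot_token"):
        m = re.search(rf"{key}\s*=\s*['\"]([^'\"]+)['\"]", text)
        if m:
            value = m.group(1)
            cfg[key] = value[:4] + "*" * (len(value) - 4)
    cfg["uses_telegram_api"] = "api.telegram.org" in text
    return cfg


if __name__ == "__main__":
    print("redirect ->", redirect_target(SAMPLE_REDIRECT))
    page = decode_entities(SAMPLE_ESCAPED)
    print("hosts    ->", hostnames(page))
    print("config   ->", exfil_config(page))
```

Working from the decoded text rather than the rendered page also sidesteps the problem noted above that the console is cumbersome: the same three functions can be run over every response body saved from a scan's transactions tab.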

Analyzing the content using the console of the web developer panel is cumbersome. I found you can review the content for this in the DOM viewer.

JS Playground to deobfuscate:

Going back to analysis, we observe it has handlers for the logins by username or email, and the SMS codes sent.

It uses a “_f0” function to deobfuscate the “_cs” string array. To figure it out, I used JS Playground (https://www.jsplayground.dev/), and sent the deobfuscation code to console.log to see what they’re doing. Surprise, surprise, it is indeed sending it via the Telegram API.

This is a good stopping point.

Detection:

The observed behaviors should be used by SOC analysts or researchers to search their customer logs for indications of these. This could be done in a SIEM using the pseudo code below.

Search for masquerades by titles (if your SIEM’s web log source includes the title):

sourcetype=web_logs title="Navy Federal Credit Union – *"

Search for data exfil using the Telegram API:

sourcetype=web_logs method=post domain=api.telegram.org uri=*/sendMessage

Search a file sourcetype that has the WOFF hash we used:

sourcetype=files hash=1fa934880a173f877c7e90f95fca2ade66544e05daa88707d0866b6f903a9c05

| stats count by _time, source, destination, user, url, referrer
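The three pseudo-queries above implemented as plain Python over sample events, so the logic can be tested before it is written in a SIEM's query language. This is an added example, not code from the original post and not tied to any product. LOG_LINES are constructed key=value events with Splunk-style field names; the hosts, users, timestamps and bot path are placeholders, while the font hash and the legitimate domain are the ones from this write-up.

```python
"""Run the write-up's three SIEM checks over constructed proxy/file events.

Added example, not code from the original post. LOG_LINES are CONSTRUCTED;
only WOFF_HASH and LEGIT_DOMAIN come from the post.
"""
import shlex
from collections import Counter
from urllib.parse import urlsplit

LEGIT_DOMAIN = "www.navyfederal.org"
WOFF_HASH = "1fa934880a173f877c7e90f95fca2ade66544e05daa88707d0866b6f903a9c05"
TITLE_PREFIX = "Navy Federal Credit Union – "

# CONSTRUCTED sample events. Lines 2-4 model one user walking through a
# masquerade; line 5 is a non-POST Telegram call that must not alert.
LOG_LINES = [
    '_time=2024-05-01T12:00:01Z sourcetype=web_logs src=10.0.0.5 user=alice method=GET '
    'domain=www.navyfederal.org uri=/ title="Navy Federal Credit Union – Home"',
    '_time=2024-05-01T12:03:10Z sourcetype=web_logs src=10.0.0.7 user=bob method=GET '
    'domain=verifynavycu.com uri=/login title="Navy Federal Credit Union – Log In" referrer=-',
    '_time=2024-05-01T12:03:11Z sourcetype=files src=10.0.0.7 user=bob '
    'hash=1fa934880a173f877c7e90f95fca2ade66544e05daa88707d0866b6f903a9c05 '
    'url=https://verifynavycu.com/fonts/nfcu-icons.woff',
    '_time=2024-05-01T12:04:02Z sourcetype=web_logs src=10.0.0.7 user=bob method=POST '
    'domain=api.telegram.org uri=/bot000000000:PLACEHOLDER/sendMessage '
    'referrer=https://verifynavycu.com/login',
    '_time=2024-05-01T12:05:00Z sourcetype=web_logs src=10.0.0.9 user=carol method=GET '
    'domain=api.telegram.org uri=/bot000000000:OTHERBOT/getMe',
    '_time=2024-05-01T12:06:00Z sourcetype=files src=10.0.0.5 user=alice '
    'hash=1fa934880a173f877c7e90f95fca2ade66544e05daa88707d0866b6f903a9c05 '
    'url=https://www.navyfederal.org/fonts/nfcu-icons.woff',
]


def parse_line(line):
    """key=value tokens (quoted values allowed) -> dict; bare tokens ignored."""
    rec = {}
    for tok in shlex.split(line):
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    return rec


def is_legit(domain):
    """The brand's registrable domain and its subdomains."""
    root = LEGIT_DOMAIN.split(".", 1)[1]
    return domain == root or domain.endswith("." + root)


def masquerade_titles(records):
    """title="Navy Federal Credit Union – *" on a host that is not the brand's."""
    return [r for r in records
            if r.get("sourcetype") == "web_logs"
            and r.get("title", "").startswith(TITLE_PREFIX)
            and not is_legit(r.get("domain", ""))]


def telegram_exfil(records):
    """POST to api.telegram.org with a path ending in /sendMessage."""
    return [r for r in records
            if r.get("sourcetype") == "web_logs"
            and r.get("method", "").upper() == "POST"
            and r.get("domain") == "api.telegram.org"
            and r.get("uri", "").endswith("/sendMessage")]


def font_hash_hits(records):
    """The brand's font file fetched from somewhere other than the brand."""
    hits = []
    for r in records:
        if r.get("sourcetype") != "files" or r.get("hash") != WOFF_HASH:
            continue
        host = urlsplit(r.get("url", "")).hostname or ""
        if not is_legit(host):
            hits.append(r)
    return hits


def stats_count(records, fields=("_time", "src", "user", "url", "referrer")):
    """Equivalent of `| stats count by ...`; a missing field shows as '-'."""
    return Counter(tuple(r.get(f, "-") for f in fields) for r in records)


def run(lines=LOG_LINES):
    recs = [parse_line(line) for line in lines]
    return {"masquerade_titles": masquerade_titles(recs),
            "telegram_exfil": telegram_exfil(recs),
            "font_hash_hits": font_hash_hits(recs)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {len(hits)} hit(s)")
        for key, n in stats_count(hits).items():
            print("  ", n, key)
```

Two points the queries above leave implicit and the code makes explicit: the font-hash check only matters when the file was served from a non-NFCU host (the legitimate site serves the same file every day), and the Telegram rule keys on POST plus /sendMessage so ordinary read-only API calls do not page anyone.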

Additionally, organizations should determine if Telegram is a line-of-business need. If it is not legitimately needed, organizations should consider sinkholing and blocking api[.]telegram[.]org.

Summary:

We’ve expanded on the research on searching for sites masquerading as the USAA website. We’ve confirmed that we can find masquerades by reviewing the legitimate resources, and searching for illegitimate sites using the same resources. We’ve also found that we can search for masquerading sites using the page.title value in urlscan. We’ve touched on using the browser’s built-in web developer tools and JS Playground to deobfuscate JavaScript. We’ve analyzed the phishing code to observe an attacker is using the Telegram API to transmit the stolen credentials. Finally, we provide pseudo queries for an analyst to check their customer’s SIEM for indications of attack.