2/02/2007

Obfuscation

This post is full of technicalities. It's about making things dark and obscure. URL basically and my mood too.
Phishers are improving their ways to avoid detection, report and closure of their web pages. It's bad news but it's also good news. It shows that reporting their sites is making a dent on their operation. But it's bad because it's going to make it more difficult for people without the knowledge to report them properly. This way the pages are going to stay up longer, more people is going to fall for it and the phisher is going to have more time to collect the information.

I'm going to dissect on that I've received this week. This is the full URL (be careful, at the time of this post it's still active)
http://0x42.0x4d.0x3f.0x6e/amazon/redirect.php?http://0x48.0x0e.0xdd.0x67
/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxg
FKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&ad
url=http://0xd1.0x55.0x7f.0x82/%77%77%77%2E%70%61%79%70%61%6C%2E%63%6F%6D
%2E%68%74%6D
Imagine all that in just one line, I formatted it to fit the blog. Believe it or not, this is a valid URL. Not the kind you're used to see daily. Let's take a look at the first part
http://0x42.0x4d.0x3f.0x6e/amazon/redirect.php
The domain is expressed as IP number in hexadecimal format. If you do the math (you can use your Windows calculator in scientific mode) the real IP number is 66.77.63.110. You can try this IP number and it will take you to Sony Pictures'web site. In that web site there's a directory called amazon, and in there a PHP script called redirect.php. Sony Pictures is not involved in the scam and, most likely, its site wasn't hacked. It's common to have such a script, in this case Sony probably uses it to redirect visitors to Amazon's web site where they can buy Sony's stuff. This redirector script is just that simple, it creates an HTML code that tells your browser to go and load some other page. Try it, pick any URL you want and use this redirector to access it. Luckily, if we piss them off enough they'll secure the script and won't be used for phishing anymore. Try this
http://0x42.0x4d.0x3f.0x6e/amazon/redirect.php?http://www.google.com
Or any other page you want. The result is the same, you're redirected to the page you set as parameter for the script. You can also try http://0x42.0x4d.0x3f.0x6e or http://66.77.63.110 or http://www.sonypictures.com/, you'll see Sony Pictures' web site. They're all different ways to link to the same site.

But the phishing page is not there nor is Sony involved in this kind of operation. They have a script they use as part of their business and it was left unsecured. The same way we used it for this examples, the phisher uses it to obfuscate the URL pointing to his page. Where's the phishing page then? Let's take a look at the second part of the URL. It's easier now that we know that the script will redirect to the second URL and this is it
http://0x48.0x0e.0xdd.0x67/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSA
ueHkArnhtWZAu-FmQWgjlkQAxg
FKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCa
pCCqkCxU7NLQH0sz4&num=5&ad
url=http://0xd1.0x55.0x7f.0x82/%77%
77%77%2E%70%61%79%70%61%6C%2E%63%6F%6D
%2E%68%74%6D
Looks complicated but let's take a look at it part by part. The first thing is the IP number, again it has been obscured by writing it in hexadecimal format. The real number is 72.14.221.103. You can try both, go on, they're both safe.

Surprised? Yes, the IP number points to Google. But the phishing page is not in Google's server and they're not related to it. What the URL says is that in that server there's a directory named pagead and in there an object named iclk. No more information about iclk. Most of the time you can assume that the object is what's described by its extension (the .xxx thing at the end), in this case there's no extension. But, most likely it's a script of some kind. Then, there's a set of parameters. sa with value l, ai with a long chain of characters (the part that looks real complicated), num with value 5 and adurl with a URL. If it looks like a redirector to you, you're right. It is. This is part of Google's Adsense program and the object of the script is to count hits for a particular ad (defined by the long chain of characters) and redirect the browser to the URL assigned (defined by the adurl parameter). Try this (I just did). Go to any page with Adsense, Google Adsense or Google anything. Most likely you'll get an Adsense panel or a link to a page with one. Pick any ad you like and copy the URL (right button, copy link location or anything like that depending on your browser). Now paste the link in your browser's URL box. What you see is exactly the same as the URL we've been looking at. Same parameter names, some with different values. Change the URL for anything else and you'll be redirected to that URL of your choice. I wonder how is Adsense counting that "click"? Regardless of that, the point is that the script is out there, is not secured and it's being used to obfuscate phishing URLs (and probably other scam or spam related links).

Ok, Google's problems aside, we've finally found the phishing page. It has to be the URL passed to Adsense as adurl parameter, right? Wrong! Let's take a look at it
http://0xd1.0x55.0x7f.0x82/%77%77%77%2E%70%61%79%70%61%6C%2E
%63%6F%6D
%2E%68%74%6D
Again, the IP number has been obscured. The real IP number is 209.85.127.130 and belongs to Everyone Internet in Houston, TX. The rest of the URL is the name of an object. Looks like a very complicated object but it isn't. The same way the IP number is obscured by writing it in hexadecimal format, a text can be obscured by writing it using ASCII codes in hexadecimal format. That's what your looking at. %77 means 77 hexadecimal or 119 decimal or a "w". %2E means 2E hexadecimal or 46 decimal or a ".". I'll save you the pain of going through all this. The name of the object is www.paypal.com.htm and it's not the phishing page. It's an HTML page redirecting to somewhere else. Yes, another redirector. The difference between this one and the two previous ones is that this is a static page while the others are scripts able to generate the page dinamically based on the parameters you give them. Also, the previous ones are legal (in lack of a better term) though insecure scripts used as part of a business operation while this one was written specifically to be used as part of the phishing operation. It's hard to tell how it was set in there. It could be a hacked site or a free web site space or a web site paid from a Paypal account phished on a previous operation.

But the phishing page is not this one, this is just the redirector. It's a web page instructing your browser to ignore it and move on to another URL. I'm not going to publish the whole URL here because it's too much code to dissect. The URL is
http://0x40.0x1a.0x19.0xfa/www4.4paypal.com/cgi_bin2/webscr.php.cmd
=restore-account-login945096845098034938/webscr.php?cmd=_login-run
Again, the IP number is obscured. The real number is 64.26.25.250 and belongs to Hostway Corporation in Chicago, IL. Like the one from Everyone Internet, it's most likely a hosting server and its server is being abuse somehow. The URL looks complicated but it has been created like that to give it a more business like look. The first directory is named www4.4paypal.com to make you think you're connected to a Paypal server while you're not. The second directory name is cgi_bin2. And the third is webscr.php.cmd=restore-account-login945096845098034938. It looks like the script name is webscr.php using a parameter cmd with a complicated value. The character before the cmd should be a "?" but that would make the filename invalid. But it's just the name of another directory, the real page is webscr.php and the real parameter is cmd with value "_login-run". Probably the parameter value means nothing anyway.

The obfuscation of the URL works two ways. First, it makes it a lot more complicated to report. You have to go all the way to the phishing page and translate the URLs to find out who to report to. And second, it helps to avoid detection by mail filters. This is done by setting a huge number of different URL pointing to the same phishing page. If one mail is reported and its URL is added to the filter database, it doesn't matter because more messages with different URLs will go through undetected.

As you can see, the phishers are going that far to protect their pages. They know that the success of a page depends on the time it can survive, the more the page stays alive, more people will access it and, hopefully, post valuable information.

It's bad news that they're evolving into more complex setups but, on the other hand, it shows that the fight against them is making a dent in their operations. So, I'll keep reporting them. At least those that reach my mail box. Meanwhile, if you're a regular user be careful, if you're in charge of a web site be on the lookout for a phishing page or a redirector installed by a hacker and if you have scripts secure them.

3 comments:

MOTA said...

Almost unbelievable, but it's true. Some secure sites that require a login added more security, showing you an image and a phrase (you have to set them up first). If you recognize both, that means you are in the right server, you have not been redirected anywhere else. But I'm sure phishers will find a way around it soon (if they didn't already), and redirect you after the verification. It's a never ending story!

YummY! said...

We set up a seperate bank account specifically for internet shopping (or more namely so my hubby could order legos offline), cause its scary out there.

And thanks for getting me one step closer to the glory of 13 comments.

Anonymous said...

You are my blog for today:

http://softwareandmusicdownloads.blogspot.com/