A recent phishing campaign has been discovered abusing a Company Logo API and using obfuscated JavaScript to create highly realistic fake login pages. Attackers leverage email address domains to fetch company logos, tricking victims into entering their credentials. More details can be found here.
You Should Know:
1. How the Attack Works:
- Attackers use obfuscated JavaScript to render phishing pages.
- The ClearBit Company Logo API is abused to fetch legitimate company logos, making the fake pages appear authentic.
- Victims are prompted to enter login credentials on these deceptive pages.
2. Detecting Phishing Pages:
- Always check the URL of the login page. Phishing pages often use misspelled or slightly altered domains.
- Use browser developer tools (F12) to inspect the page source. Look for obfuscated JavaScript or suspicious API calls.
3. Example of Obfuscated JavaScript:
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 0="2 3";4.5(0);',6,6,'str|var|Hello|World|console|log'.split('|'),0,{}))
This code, when executed, will output “Hello World” but is heavily obfuscated to avoid detection.
4. Steps to Protect Yourself:
- Verify the Domain: Always double-check the domain name in the browser address bar.
- Use Multi-Factor Authentication (MFA): Even if credentials are stolen, MFA adds an extra layer of security.
- Inspect Page Source: Use browser developer tools to inspect the page for suspicious scripts or API calls.
- Report Phishing: If you encounter a phishing page, report it to the company being impersonated and your IT department.
5. Linux Command to Check Suspicious URLs:
curl -I <URL>
This command retrieves the HTTP headers of a URL, which can help identify suspicious domains.
6. Windows Command to Block Malicious Domains:
Add malicious domains to the Windows hosts file to block access. Run this from an elevated Command Prompt:
echo 127.0.0.1 malicious-domain.com >> C:\Windows\System32\drivers\etc\hosts
7. Python Script to Detect Obfuscated JavaScript:
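import re
def detect_obfuscation(script):
    # Regexes for constructs common in obfuscated JavaScript.
    # Literal "(" and "." are escaped; "\\x" matches a literal \xNN hex escape.
    obfuscation_patterns = [
        r'eval\(', r'unescape\(', r'String\.fromCharCode\(', r'\\x[0-9a-fA-F]{2}'
    ]
    for pattern in obfuscation_patterns:
        if re.search(pattern, script):
            return True
    return False
# Sample input: the start of a packed script
script = "eval(function(p,a,c,k,e,d){...})"
if detect_obfuscation(script):
    print("Obfuscated JavaScript detected!")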
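The regex check above only reports that a construct such as eval( is present. The following added example (not code from the original post or from Unit 42) statically expands a p,a,c,k,e,d-packed script like the one in item 3 without executing it, then checks the readable source for a logo API host. The host name logo.clearbit.com, the sample script and the function names are assumptions, and only packer radix values up to 36 are handled.

```python
import re

# Argument list of a p,a,c,k,e,d packer call: }('payload',radix,count,'w0|w1'.split('|')
PACKED_RE = re.compile(
    r"\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*"
    r"'((?:\\.|[^'\\])*)'\s*\.split\('\|'\)"
)
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
LOGO_HOSTS = ("logo.clearbit.com",)  # assumption: logo API host name to flag
JS_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}

# Constructed sample, not taken from the campaign; decoder body elided.
SAMPLE = (
    "eval(function(p,a,c,k,e,d){/* decoder elided */}"
    "('0 1=2.3(\"@\").4();5.6=\"7://8.9.a/\"+1;',36,11,"
    "'var|d|email|split|pop|img|src|https|logo|clearbit|com'.split('|'),0,{}))"
)

def to_base(n, radix):
    """Encode n like JavaScript's Number.prototype.toString(radix)."""
    out = ""
    while True:
        n, r = divmod(n, radix)
        out = DIGITS[r] + out
        if n == 0:
            return out

def unpack(script):
    """Expand a packed script without executing it; None if not packed."""
    m = PACKED_RE.search(script)
    if not m:
        return None
    radix, count, words = int(m.group(2)), int(m.group(3)), m.group(4).split("|")
    if not 2 <= radix <= 36 or count > 100_000:
        return None  # other packer variant or implausible table size
    keys = [to_base(i, radix) for i in range(count)]
    table = {k: (words[i] if i < len(words) and words[i] else k) for i, k in enumerate(keys)}
    payload = re.sub(r"\\(.)", lambda e: JS_ESCAPES.get(e.group(1), e.group(1)), m.group(1))
    return re.sub(r"\b\w+\b", lambda t: table.get(t.group(0), t.group(0)), payload)

def triage(script):
    """Unpack if possible, then look for logo API hosts in the readable source."""
    unpacked = unpack(script)
    source = (unpacked if unpacked is not None else script).lower()
    hosts = [h for h in LOGO_HOSTS if h in source]
    return {"packed": unpacked is not None, "logo_hosts": hosts, "unpacked": unpacked}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A script that is not packed is scanned as-is, so the same call works on plain page source saved from the developer tools.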
What Undercode Say:
Phishing attacks are becoming increasingly sophisticated, leveraging APIs and obfuscation techniques to deceive users. Always remain vigilant when entering sensitive information online. Use tools like browser developer tools, command-line utilities, and scripting to detect and mitigate such threats. Regularly update your knowledge of cybersecurity best practices to stay ahead of attackers. For more information, visit Palo Alto Networks Unit 42.
References:
Reported By: Unit42 Phishing – Hackers Feeds



