Phishing — Itaú Digital
Today I will show an analysis of a phishing message that I received which says that belongs to the brazilian bank Itaú.
According to the text, you need to update your account information until the next 2 days or you will need to go to an agency. This content uses the phishing tatic of urgency, trying to convice the victim to click in the button to provide information as soon as possible or an adverse consequence will happen. In this case the adverse consequence is the need to go to a bank agency in a period that many people are avoiding due to the pandemic.
When I looked at the link embedded in the button, to my surprise, there’s a link to a legimit domain with a path suggesting that the server where the website is hosted have been compromised. The link in the button is hxxps://<legitimate_website>/cliente_id/pagina[.]aspx?cliente=<user@email[.]com>.
This link redirects to hxxps://sincronismoitoken[.]link/<random_value>[.]php?cliente=user@email[.]com&<random_very_big_value>. For example purposes, one of random_value was 5kq5llv1x2ko847d1e3qps5s and one of randomm_very_big_value was CG67JC1599129049a01978949159bd1fbf3bd8527644c44ba01978949159bd1fbf3bd8527644c44ba01978949159bd1fbf3bd8527644c44ba01978949159bd1fbf3bd8527644c44ba01978949159bd1fbf3bd8527644c44b but these values changes each time.
This page have a fake Banco Itaú logo with images to impersonate the victim, but none of them have links, they are there just to seems legimit. None of them have links except in the top right, where we can see input texts for the user provide his/her bank agency and account number and a button for the user believe that will access his/her account when click it.
To test what this fake web site do, I fill the agency and account fileds and clicked on the button. The result is a redirect to a screen that shows the message “Initializing secure connection” and after a certain time the text changes to “Verifying the device compatibility”.
These two messages stay changing in a loop. If we look at the traffic, we can see that many requests are made to a file called processa.php passing a GET parameter to a variable r which changes in each request, but the request is a POST. In the traffic we can see too the file seguro.php, which is the page with the fake “verifying device” screen.
Looking at the response of these many processa.php requests, all of them have the same response as we can see in the images below. The top image is the reponse with 200B and the bottom imagem is the response with 496B.
All the requests have the same parameter, which is action=”G”. Some tests was made changing this value to others letters of the alphabet but the result was always the same.
The cookie generated from this website was already observed, it have two variables: the PHPSESSID and other called CookieContador, this second one has the value 1.
Unfortunatelly the page has been down and I didn’t have time to made experiments to look what the random parameters of processa.php, the pages with random names and the cookie variable CookieContador do. But I decided to publish this analysis to show what I discovered so far.
