FOCUS MODE

EXTRACT IOC

Threat Research

Curated Intel Threat Report: Multi Platforms Credit Card Information Harvesting Campaign

November 30, 2023May 24, 2024 Securonix

@tas_kmanager), in collaboration with Curated
Intelligence, shared his research on the newly observed method of phishing
utilizing chat functionality in multiple web/mobile applications. Furthermore,
he is able to link this campaign to other similar campaigns based on the shared
TTPs and IoCs.

Figure
1– The Chat Message

The message itself came from the official
account of the hotel merchant, Tas has contacted them before via this method to
inquiry information about the hotel room. The message was letting the guests
know that they are required to enter their information in an online form, with
the premise of combating stolen credit card fraud (the irony!)

As per usual phishing TTP, the threat actor
was using urgent and threatening language, such as “THE PROCEDURE IS
MANDATORY” and “it will remain active for 12 hours until your booking is
confirmed” Another interesting thing to mention is that the threat actor
does know the hotel where the guests are staying, the time of their stays, the
reservation ID (being used in the phishing link). Thanks to all the information
above and the fact that the message was coming from the hotel merchant account,
this phishing message almost fooled Tas. The biggest red flag that saved him is
the unusual phishing URL, and a major typo in the phishing domain. 

Figure
2 – “Your Selection” Page

The fake Booking website is resembling the
legitimate Booking website while also containing the right information related
to the guests’ booking, such as:

• Hotel name
• Hotel address
• Hotel image (sometimes it’s a
  screenshot of the hotel page in the Booking app, not the hotel itself)
• Check-in date
• Check-out date
• Price (sometimes in the wrong
  currency)
• First and last name (came
  prepopulated and can’t be changed)

To proceed to the next page, the guest must
add a phone number. There is a phone number checking mechanism applied in this
page. Once added, we will be taken to the “Your Details” page. See the
screenshot below. Interestingly, the fake Booking website has a support chat
functionality (blue chat icon on the bottom right), which does not exist in the
legitimate website.

Figure
3 – “Your Details” Page

Similarly, to the previous page, there are
also multiple checking mechanisms in “Your Details” page. Primarily to verify
credit card information, such as card number, expiry date and CVC number. Once
the guest entered an acceptable credit card information, we will be redirected
to this loading page and the guest data will be forwarded to their controlled
server.

Figure
4 – Processing Page

This page will either display a successful transaction
message or additional error messages, that we will look deeper in the next
section.

Figure
5 – Legitimate Booking Website Code

 Figure
6 – Phishing Website Code

Figure
7 – Legitimate Booking Website Phone Section Code

Figure
8 – Phishing Page Phone Section Code

More to that, on the “Your Details” page
where the victims are asked to provide credit card information, there are
script snippets added to the end of the HTML Code that function as credit card
information submission function. It can be observed that the Threat Actor
cannot keep certain comment to themselves.

Figure
9 – Credit Card Submission Function

Even more interesting, the Threat Actor are
considering numerous scenarios that could happen with the Credit Card
transaction and have created multiple functions to catch these scenarios, here
are some of the scenarios they have planned:

• The user is utilizing multi
  factor authentication (SMS Code, Application Code, etc.).
• The user is hitting transaction
  limit.
• The user is not having the
  minimum amount of money on their account.
• The user is not using 3D-Secure
  authentication.
• The user online payment is
  disabled.
• The user transaction is blocked
  by Geolocation blocking.
• The user is using other banks
  that the Threat Actor is not aware of.

Figure
10 – User Scenarios Function

The Threat Actor then will display
different messages for each scenario, instructing the victims on how to make
sure the transaction will go through successfully.

Figure
11 – User Scenarios Response

One function is also able to request SMS
code from the victim and submit the code automatically to the Threat Actor
server where it will perform the MFA bypass. Note that there is a comment
containing “pluxurydarklord”, likely the alias of the creator of the
function or the script. The SMS code is passed utilizing the Axios post
request.

Figure
12 – SMS Code Handling Function

Digging
deeper into the submit.js code, we are seeing lot of capture and verification
functions to support data collection of the victim.  Below are the functions to verify email
address and phone number.

The threat actor took precautions to ensure
that the victim entered valid credit card details, including the credit card
number, expiration date, and CVV number. Below is the function that employs
custom regex patterns to validate various recognized credit card formats.

Finally,
within the submit.js code, there are intriguing comment lines at the beginning
of the code within the phone-inputs-wrapper. Upon closer examination, it was
revealed that these comments appeared unusual due to encoding issues when
transitioning between the Russian Cyrillic and English language systems.

Figure
16 – Interesting Comment Lines

After fixing the encoding, the comments are
indeed written in Cyrillic:

// Получаем текущее значение в поле ввода

var inputValue = input.value;

// Используем регулярное выражение для удаления всех символов, кроме
цифр

var numericValue = inputValue.replace(/[^0-9]/g, “”);

// Обновляем значение в поле ввода только цифрами

input.value = numericValue;

The comments are translated to:

// Get the current value in the input field

var inputValue = input.value;

 // Use a regular expression to remove all characters except for
digits

var numericValue = inputValue.replace(/[^0-9]/g, “”);

 // Update the value in the input field with digits only

input.value = numericValue;

The code is
likely written in the systems with Cyrillic encoding system.

Perception
Point researchers already did the investigation to answer the question.

What’s absent from this campaign’s
narrative is that hotels became targets of InfoStealer malware, delivered
through phishing URLs in emails disguised as messages from hotel customers. As
a result of successfully harvesting official Booking account credentials, the
threat actor gains the capability to access valuable customer information. This
includes full names, booking dates, specific hotel information, and partial
payment details that were employed to secure reservations on the platform.

Perception Point’s assessment indicates
that numerous hotels and resorts have become victims of InfoStealer attacks,
resulting in thousands of individuals having their credit card information
compromised on a global scale.