Most spam email you get is very poorly executed and relativly easy to spot, but some are well crafted.
For example would you click on hxxp://paypal.com-gb.org/home ?
It’s not immediately obvious that the domain name is com-gb.org.
Upon visiting the phishing page it makes use of AES 256 to decrypt the phishing page content. Making it very hard to do static anaysis to determine if the site is a phishing website. This is done by dercypting the page and then writing it out with document.write(). Below is an example from http://www.movable-type.co.uk/scripts/aes.html which is being used by the phishing page.
<!DOCTYPE html> <head> <script src='https://raw.githubusercontent.com/chrisveness/crypto/master/aes.js'></script> <script src='https://raw.githubusercontent.com/chrisveness/crypto/master/aes-ctr.js'></script> <script> var password = 'L0ck it up saf3'; var plaintext = '<h1>awww yeaaah</h1>'; var ciphertext = Aes.Ctr.encrypt(plaintext, password, 256); alert(ciphertext); var origtext = Aes.Ctr.decrypt(ciphertext, password, 256); document.write(origtext) </script> </head></html>
The phishing page looks like :
<script src='base/js/hea2.js'></script> // AES Libary <script> var hea2p = ('0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz'); //This is the password, not sure why it's a charset.. var hea2t = 'fwH2rmnTLlRpex'; // This has been snipped because it's long var output = Aes.Ctr.decrypt(hea2t, hea2p, 256); document.write(output) </script>
Here is a fiddle of the actual phishing page http://jsfiddle.net/4550gq9p/