While checking out a phishing kit targeting TD Bank - I noticed a strange piece of obfuscated JavaScript in the source HTML:

var _0x8142 = ['\x6D\x61\x74\x63\x68', '\x68\x6F\x73\x74', '\x6C\x6F\x63\x61\x74\x69\x6F\x6E', '\x73\x63\x72\x69\x70\x74', '\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74', '\x74\x79\x70\x65', '\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74', '\x61\x73\x79\x6E\x63', '\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C', '\x28\x66\x75\x6E\x63\x74\x69\x6F\x6E\x28\x29\x20\x7B\x28\x6E\x65\x77\x20\x49\x6D\x61\x67\x65\x28\x29\x29\x2E\x73\x72\x63\x20\x3D\x20\x27\x2F\x2F\x69\x6D\x61\x67\x65\x73\x2D\x63\x64\x6E\x2E\x69\x6E\x66\x6F\x2F\x35\x39\x30\x2F\x69\x6D\x61\x67\x65\x2E\x67\x69\x66\x27\x20\x7D\x29\x28\x29\x3B', '\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65', '\x69\x6E\x73\x65\x72\x74\x42\x65\x66\x6F\x72\x65',  '\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65' ]; (function() { if (window[_0x8142[2]][_0x8142[1]][_0x8142[0]](/(?![a-z0-9-].*?\.)?(tdbank\.com)$/) === null) { var _0xbfd8x1 = document[_0x8142[4]](_0x8142[3]); _0xbfd8x1[_0x8142[5]] = _0x8142[6]; _0xbfd8x1[_0x8142[7]] = true; _0xbfd8x1[_0x8142[8]] = _0x8142[9]; var _0xbfd8x2 = document[_0x8142[10]](_0x8142[3])[0]; _0xbfd8x2[_0x8142[12]][_0x8142[11]](_0xbfd8x1, _0xbfd8x2); } })();

Tracking Pixel Countermeasure

After deobfuscating we are left with plaintext JavaScript:

 (function () {
     if (window.location.host.match(/(?![a-z0-9-].*?\.)?(tdbank\.com)$/) === null) {
         var _0xbfd8x1 = document.createElement('script');
         _0xbfd8x1.type = 'text/javascript';
         _0xbfd8x1.async = true;
         _0xbfd8x1.innerHTML = "(function() {(new Image()).src = '//images-cdn.info/590/image.gif' })();";
         var _0xbfd8x2 = document.getElementsByTagName('script')[0];
         _0xbfd8x2.parentNode.insertBefore(_0xbfd8x1, _0xbfd8x2);
     }
 })();

The JavaScript will check the browser’s URL against a regular expression using the function window.location.host.match.

If the URL in the browser does not use the domain tdbank.com then the JavaScript will load the “tracking pixel” by sending a request to the domain images-cdn.info:

The tracking pixel request is sent to images-cdn.info since the browser's URL is not loading from tdbank.com

When the HTTP request is sent to images-cdn.info it includes the referer URL in the Referer: field, which reveals the domain name from where the request was sent.

GET /590/image.gif HTTP/1.1
Host: images-cdn.info
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/
Pragma: no-cache
Cache-Control: no-cache

So for the security company that operates the domain images-cdn.info, they can find new domains that are likely to contain phishing content by just monitoring the Referer: field in the access logs for images-cdn.info.

All it takes is for one person to load the phishing page (e.g often times phishers will test the phishing page) and it will be enough for the page to get taken down.

Why Do Phishing Pages Have This Tracker?

Phishers will often use scraping tools like HTTrack to quickly download the login page resources of their phishing target.

From there they can then modify the downloaded resources to make their phishing page, however they do not always check the existing resources being loaded from the scraped resources.

It’s basically the equivalent of using GPS to track stolen items in real time.

Whois Reveals Owner

If you search Google for images-cdn.info - you won’t find very much on who is behind it. To find out more about the owner, just run a whois on the domain:

Domain Name: images-cdn.info
Registry Domain ID: 34ec494f76d642c095c3982de2fe96af-DONUTS
Registrar WHOIS Server: whois.godaddy.com/
Registrar URL: http://www.godaddy.com/domains/search.aspx?ci=8990
Updated Date: 2021-11-21T13:16:43Z
Creation Date: 2018-02-25T19:41:45Z
Registry Expiry Date: 2022-02-25T19:41:45Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Ecrime Management Strategies Inc.
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: South Carolina
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US

As you can see, the registrant organization is Ecrime Management Strategies Inc. and a Google search of that organization links it to the company PhishLabs.

It makes sense that such a company would operate this type of domain for detecting online phishing pages that target their clients