Paypal has added some detections based on the domain name. Had tested it on localhost by using paypal[.]com as evilginx domain and it was working fine.
So the detection is most probably based on the domain name; I am still not able to figure out exactly how it works.
Check if any of the below stuff helps, this is what i was able to find in 2-3 hours of work. May help you if you wants to patch the phishlet.
# PATCH 2
## Google recaptcha
# https://www.paypalobjects.com:443 = aHR0cHM6Ly93d3cucGF5cGFsb2JqZWN0cy5jb206NDQz
# PATCH 3
# https://www.paypalobjects.com/web/res/0a4/f8d65c4baa5f02c4e59e7ccc8f389/js/lib/modernizr-2.6.1.js
# https://www.paypalobjects.com/web/res/0a4/f8d65c4baa5f02c4e59e7ccc8f389/js/ioc.js
# https://www.paypalobjects.com/pa/js/min/pa.js
# PATCH 4 (Detecting Domain name)
# Common methods are
# document.location
# window.location
# document.domain
# location.host
# paypal\.com (regex based search in source code)
#
# document.getElementById("btnNext").baseURI
# var paypalDomainRegex = /\.(paypal|venmo|paypalobjects)\.com(:[\d]{1,5})?$/ig;
# var paypalDomainRegex = /\.(paypal|venmo|paypalobjects)\.com(:[\d]{1,5})?$/ig; domain="www.paypal.com";
# function isPayPalDomain(domain) {
# var paypalDomainRegex = /\.(paypal|venmo|paypalobjects)\.com(:[\d]{1,5})?$/ig;
# return paypalDomainRegex.test(domain);
# }
# PATCH 5
# in pa.js file
# var p=window.location&&window.location.hostname||"",t="https://objects.paypal.com",e="corp",F="https://t.paypal.com/ts",s="",U=".paypal.com",M=/\.(paypal(inc|corp))\.com$/i,B=(!s&&M.test(p)&&(s=e),/\.cn$/);
# var p="www.paypal.com",t="https://www.paypalobjects.com",e="corp",F="https://t.paypal.com/ts",s="",U=".paypal.com",M=/\.(paypal(inc|corp))\.com$/i,B=(!s&&M.test(p)&&(s=e),/\.cn$/);
# function z() {
# return !s &&
# B.test(p)
# }
# !function () {
# 'use strict';
# var p = window.location &&
# window.location.hostname ||
# '',
# t = 'https://objects.paypalobjects.com',
# e = 'corp',
# F = 'https://t.paypal.com/ts',
# s = '',
# U = '.paypal.com',
# M = /\.(paypal(inc|corp))\.com$/i,
# B = (!s && M.test(p) && (s = e), /\.cn$/);
# function z() {
# return !s &&
# B.test(p)
# }
# z() &&
# (
# t = 'https://objects.paypal.cn',
# F = 'https://t.paypal.cn/ts',
# U = '.paypal.cn'
# );
# PATCH 6
# in pa.js file
# var Oe={pp:/\.paypal\.com$/,ql:Y.all,all:Q};
# var Oe = {
# pp: /\.paypal\.com$/,
# ql: Y.all,
# all: Q
# };
# PATCH 7
# Possibly some js code is waiting for all the resources to get load before redirection
# window.onload = function() { // All resources are loaded };
# document.addEventListener('DOMContentLoaded', callback)
# document.readyState
#
# PATCH 8
# Suspicious js files
# signin-split.js
The error I am receiving is as follows: "2023/08/11 18:18:38 [005] WARN: Cannot handshake client t.paypal.com EOF" when my lure link is opened.
I've checked t.paypal.com and it is just a 404 page now. Is this phishlet outdated?