How Fake Investment Websites Use JavaScript to Trick You – A Real-World Case Study

Link - https://www.dropbox.com/scl/fo/7ar0jqgp292g4l0nci6ha/AHwOspBuwbRa2ospNbryRIs?rlkey=3qgzoghd8sqn5ld1s4hc207y5&st=9ugfphtl&dl=0

------------------------------------------------------

Analysis of file 21-5-25(b).txt

#  | Threat Category                  | Detection Status  | Details / Notes
---|----------------------------------|-------------------|----------------
1  | Obfuscated JavaScript            | ❌ Not Detected   | Code is mostly readable; no eval/unescape patterns found.
2  | Malicious Patterns               | ✅ Detected       | Fake investment pitch, unrealistic profits, urgency cues, impersonation of public figures and agencies.
3  | Auto-Download Triggers           | ❌ Not Detected   | No automatic or forced file downloads observed.
4  | Fake Login Forms                 | ✅ Detected       | Embedded iframe-based registration form impersonates legitimate financial platforms.
5  | Suspicious Form Actions          | ✅ Detected       | Form submits data to the third-party domain whiteelephantmedia.info.
6  | Hidden Redirects                 | ✅ Detected       | JavaScript rewrites every link at load time to append query parameters; a potential redirection mechanism, though no silent redirect was observed.
7  | Encoded URL Decoding             | ⚠️ Partial        | Parameters such as subid, token and pixel are set dynamically; not deeply encoded, but the intent is obscured.
8  | External Script Calls            | ✅ Detected       | Facebook Pixel, Google Tag Manager, and JavaScript (jQuery) from the suspicious host whiteelephantmedia.info.
9  | Misused CDN or Hosting           | ✅ Detected       | CDN-style paths on a third-party host serve potentially malicious scripts and the form content.
10 | Keylogging Scripts               | ❌ Not Detected   | No key event tracking in the inline scripts.
11 | Session or Cookie Theft Attempts | ⚠️ Suspicious Use | Collects device info via localStorage and cookies; no outright theft detected.
12 | Tracking Beacons or Pixels       | ✅ Detected       | Facebook tracking pixel with a 1x1 image fallback for no-JS environments.
13 | De-obfuscation of Code           | ❌ Not Required   | Code is readable and needs no unpacking.
14 | Minified JavaScript Expansion    | ❌ Not Required   | Scripts are already expanded or inline.
15 | Device Fingerprinting Scripts    | ✅ Detected       | Infers device type from navigator.userAgent and stores it in localStorage.
16 | Browser Exploit Code             | ❌ Not Detected   | No deprecated or exploitable browser APIs used.
17 | Inline Event Abuses              | ✅ Detected       | onclick and scroll triggers steer the user to the registration form.
18 | Permission Abuse                 | ❌ Not Detected   | No access to camera, microphone, clipboard, or geolocation.
19 | Hidden or Invisible Elements     | ✅ Detected       | Fabricated comment section and red-box elements simulate urgency and legitimacy (visible social-engineering elements rather than hidden DOM nodes).
20 | Fake UI Overlays                 | ✅ Detected       | Entire site mimics The Indian Express interface; it is a fake clone.

🧾 Summary:

  • Threat Level: 🔴 High

  • Type: Phishing / Financial Scam

  • Primary Risk: Data theft and fraud via deceptive form and UI.


=====================================================================

Security and threat analysis of the file 21-5-25(b).txt


🔍 Checklist-Based Threat Analysis

1. Obfuscated JavaScript

  • Obfuscation Not Detected – The code is readable and mostly plain; there are no eval, unescape or similar unpacking constructs. The only point of note is the dynamic generation of the tracking parameters (subid, token), which obscures intent rather than code.

2. Malicious Patterns

  • Detected – Common traits of scams/phishing:

    • Misusing trusted names (e.g. Anand Mahindra, RBI, Infosys).

    • Unrealistic returns and fake testimonials.

    • Social engineering pressure ("964 spots remaining", "register now").

3. Auto-Download Triggers

  • Not Detected – No evidence of scripts forcing downloads.

4. Fake Login Forms

  • Detected – A form embedded via iframe resembles legitimate financial platforms but is hosted on whiteelephantmedia.info, a third-party domain unrelated to the brands the page impersonates. It is a registration (lead-capture) form rather than a credential login, so what is at risk is whatever the victim types into it.

5. Suspicious Form Actions

  • Detected – The form submits to a non-trusted third-party domain, with the dynamically generated tracking parameters (subid, token, pixel) carried in the query string. Anything entered into the form therefore reaches the scam operator, not any institution named on the page (high risk of phishing/data theft).

6. Hidden Redirects

  • Detected – The page's JavaScript rewrites every anchor (<a>) tag at load time to append tracking and token parameters. This is not a hidden redirect in the sense of a silent navigation, but it manipulates links so that every click carries the operator's attribution data, and it is a potential redirection mechanism.

7. Encoded URL Decoding

  • ⚠️ Partially Detected – Encoding is light, but query parameters such as token, pixel, and the dynamic subid values are injected into links in a way that disguises their purpose.

8. External Script Calls

  • Detected

    • Facebook Pixel: connect.facebook.net/fbevents.js

    • Google Tag Manager

    • jQuery from suspicious CDNs like whiteelephantmedia.info

    • Facebook Pixel and Google Tag Manager are legitimate services, here used for conversion tracking and consistent with traffic driven by paid ads; they are not malicious in themselves. The jQuery copy served from whiteelephantmedia.info is the real concern: any script loaded from a host the operator controls runs with full access to the page's DOM and form inputs, so that host can read or alter whatever the user types regardless of the form action.

9. Misused CDN or Hosting

  • Detected – Uses whiteelephantmedia.info and CDN-style paths to serve tracking and potentially malicious JS.

10. Keylogging Scripts

  • Not Detected – No key event handlers in the inline scripts. This only covers the code present in the captured file; scripts fetched at runtime from whiteelephantmedia.info can add such behaviour, so absence here does not rule it out.

11. Session or Cookie Theft Attempts

  • ⚠️ Suspicious Use – Cookies and localStorage store device type, referrer, and user-agent data. This is not theft of another site's session, but it builds a profile that travels with the lead and is ripe for tracking.

12. Tracking Beacons or Pixels

  • Detected

    • Facebook Pixel.

    • 1x1 <img> fallback (the standard <noscript> part of the pixel snippet), so the visit is recorded even when JavaScript is disabled.

13. De-obfuscation of Code

  • ❌ Not needed – code is readable, no encryption/packing found.

14. Minified JavaScript Expansion

  • ❌ Not applicable – inline JS is already unminified.

15. Device Fingerprinting Scripts

  • ✅ Detected – Uses navigator.userAgent, localStorage, and device type inference (e.g., checking for iPhone) to tailor tracking.

16. Browser Exploit Code

  • ❌ Not Detected – No usage of deprecated or dangerous constructs such as document.write(eval(...)) or ActiveXObject.

17. Inline Event Abuses

  • ✅ Detected – Extensive use of onclick, jQuery event hooks, and scroll manipulation to force user focus on forms.

18. Permission Abuse

  • ❌ Not Detected – No evidence of accessing camera, microphone, clipboard, or geolocation.

19. Hidden or Invisible Elements

  • ✅ Detected – A fabricated comment section and highly stylised containers (red boxes, attention banners) are used for social engineering. These are visible elements rather than hidden DOM nodes; the deception lies in what they claim, not in being concealed.

20. Fake UI Overlays

  • ✅ Detected – Styled to look like a news article from The Indian Express, but every piece of content is fabricated. This is a cloned news-site layout (a spoofed page, not an overlay on the real site), the classic wrapper for this kind of scam.
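Most of the checklist items above (1, 4, 5, 8, 10, 12, 15 and 17) can be pre-screened with a static pass over the captured HTML before reading the code by hand. The following is an added example of such a triage script, not code from the analysed page; the SAMPLE_HTML it runs on is constructed to resemble the findings (Facebook Pixel, jQuery and an iframe/form on whiteelephantmedia.info, user-agent fingerprinting into localStorage, a noscript pixel), and the script paths, parameter values and the page host news-clone.invalid are made up. The regexes are deliberately simple indicators, so treat a hit as a reason to look closer, not a verdict.

```javascript
// Added example: static triage of a captured HTML file against several of
// the checklist items. Sample input is constructed; the only names taken
// from the analysis are the third-party host and the indicator categories.

const PAGE_HOST = 'news-clone.invalid'; // assumed host the capture was served from

const SAMPLE_HTML = `
<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://whiteelephantmedia.info/assets/jquery.min.js"></script>
<script>
  var device = /iPhone|Android/.test(navigator.userAgent) ? 'mobile' : 'desktop';
  localStorage.setItem('device', device);
  document.cookie = 'ref=' + encodeURIComponent(document.referrer);
</script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000&ev=PageView&noscript=1"/></noscript>
<iframe src="https://whiteelephantmedia.info/form?subid=aff123"></iframe>
<form action="https://whiteelephantmedia.info/submit?token=t0k3n" method="post">
  <input name="name"><input name="phone"><button onclick="scrollToForm()">Register</button>
</form>
</body></html>`;

// Collect the value of `attr` from every `<tag ...>` that carries it.
function extractAttr(html, tag, attr) {
  const re = new RegExp(`<${tag}\\b[^>]*\\s${attr}\\s*=\\s*["']([^"']+)["']`, 'gi');
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Hostnames of absolute URLs that are not the page's own host
// (relative URLs are same-site by definition and are skipped).
function offsiteHosts(urls, pageHost) {
  const hosts = new Set();
  for (const u of urls) {
    try {
      const h = new URL(u).host;
      if (h !== pageHost) hosts.add(h);
    } catch {
      // relative or malformed URL: ignore
    }
  }
  return [...hosts];
}

// One plain regex per indicator, run over the raw source.
const INDICATORS = {
  obfuscation: /\beval\s*\(|\bunescape\s*\(|\batob\s*\(|String\.fromCharCode/,        // item 1
  keyCapture: /\bonkey(down|up|press)\s*=|addEventListener\s*\(\s*["']key(down|up|press)["']/, // item 10
  fingerprinting: /navigator\.userAgent/,                                            // item 15
  storageUse: /\blocalStorage\.|document\.cookie/,                                   // item 11
  noscriptPixel: /<noscript>[\s\S]*?<img[^>]*\bwidth\s*=\s*["']?1["']?[^>]*>[\s\S]*?<\/noscript>/i, // item 12
  inlineHandlers: /\son(click|load|scroll)\s*=/i,                                    // item 17
};

function triage(html, pageHost = PAGE_HOST) {
  const scripts = extractAttr(html, 'script', 'src');   // item 8
  const forms = extractAttr(html, 'form', 'action');    // item 5
  const iframes = extractAttr(html, 'iframe', 'src');   // item 4
  const flags = {};
  for (const [name, re] of Object.entries(INDICATORS)) flags[name] = re.test(html);
  return {
    scriptHosts: offsiteHosts(scripts, pageHost),
    offsiteFormActions: offsiteHosts(forms, pageHost),
    offsiteIframes: offsiteHosts(iframes, pageHost),
    ...flags,
  };
}

// Roll-up in the spirit of the summary above: an off-site path for the
// submitted data combined with tracking/fingerprinting is rated high.
function riskLevel(report) {
  const dataExfilPath = report.offsiteFormActions.length > 0 || report.offsiteIframes.length > 0;
  const tracking = report.fingerprinting || report.noscriptPixel;
  if (dataExfilPath && tracking) return 'high';
  if (dataExfilPath || report.obfuscation || report.keyCapture) return 'medium';
  return 'low';
}

const REPORT = triage(SAMPLE_HTML);
console.log(REPORT);
console.log('risk:', riskLevel(REPORT));
```

On a real capture, pass the host the file was saved from as the second argument to triage(); the off-site lists are the first thing to resolve, since a form action or iframe on a domain that matches none of the brands on the page is the strongest single indicator in this checklist.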


🚨 Conclusion: HIGH RISK / SCAM PAGE

  • This webpage is not legitimate and likely constitutes a phishing or financial scam.

  • It impersonates real institutions (RBI, Infosys, Mahindra) and spoofs a reputable news site.

  • It uses deceptive layout, emotional triggers, manipulative testimonials, and external scripts to harvest data and possibly initiate fraud.


Recommended Actions

