As the white paper is practical in orientation, it contains code snippets as well as relevant technical explanations. A section of the white paper consists of a Brief Overview of the Obfuscated Code. This examines ten components responsible for running the script. Each is displayed and explained. This allows readers to easily jump from each of these obfuscated code snippets to its deobfuscated counterpart.
The next section, Cleaning up the Code, renames some variables and moves some array keys in order set the groundwork for deobfuscation. Ten instances of obfuscated code are repeated in partially deobfuscated form. Deobfuscation remains incomplete, however, until the next sections of the white paper.
After discovering how the script works, the white paper shows how the phishing page worked and a similar phishing page is created with little effort. Finally, the white paper asks What Can We Learn? and offers some practical advice for avoiding this kind of phishing attack. It concludes with Further Reading suggestions.
Why not take a look for yourself? Check out the detail of what code and tactics malicious hackers used, manipulating arrays, functions, loops and variables, to deceive web users into thinking they were using a popup on one website, when in fact they were redirected to a cleverly disguised HTML element of another website.