Utilising Data URI’s Functionality For Phishing Attempts

January 18, 2016

Remember a time where people said you should look at the address bar to verify whether or not it’s a phishing attempt? A friend of mine recently got an email which is fairly interesting to me. This attack provides a decent amount of SE to make a user think it’s a legit, correct, the green “padlock” isn’t there, but google.com is.

phishing

It all started with a email which looked to be fairly normal, the one problem with it is ofcourse is the Google attachment. I don’t use Google as a provider for this email and so having a Roundcube email client and Google attachment doesn’t work out. The attackers are just taking into account the majority of people will be using Google accounts and so it’s worth making something look like this.

aThe problem is that it’s an image and it goes to somewhere which isn’t Google, I can see this by viewing the source of the email.

bThe URL is redirected twice until it reaches its destination, pretty common with phishing attacks most likely so they can dynamically redirect if a site is reported on and falls down. The code here refreshes and uses the data: functionality that browsers have available. There are spaces from the google.com text to the <script> tags, this is to ensure that the browser shows only the Google text in the URL bar, making it deceptive to most people. The text in the URL isn’t actually the location, but infact code itself.

cThe phishers use a very simple Javascript obfuscator for their code, replacing eval with alert will provide you a insight into the code they have made. The obfuscator itself also shows the strings so you can almost guess without deobfuscating what’s going on. Poor show boys.

dFinally the code is resolved as a simple iframe which simply copies the Google code and ensures it’s sent to 1.php, a fairly normal name for a form phishing attribute, they are usually very lazy.

eThe final result? You’ve already seen it but it’s rather convincing to a person who isn’t to confident with computers. Maybe we need to have a look at modifying how data URI’s are used. Here’s a video showing it live.