Phishing with Data URI
Phishing
Phishing is a method of e-mail fraud that is used to gather personal and financial information from the recipients. According to Wikipedia, phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email spoofing or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Phishing is an example of a social engineering technique used to deceive users; it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
See Infosec IQ in action
Data URI
The data URI scheme is a URI (uniform resource identifier) scheme that provides a way to include data in-line in web pages as if they were external resources. It is a form of a file literal or here document. This technique allows normally separate elements such as images and style sheets to be fetched in a single HTTP request rather than multiple HTTP requests, which can be more efficient.
A URI is a string of characters that identifies a resource. The term encompasses the better-known uniform resource locator (URL) and uniform resource name (URN). However, whereas URLs specify the location of a specific network resource and how it should be accessed (i.e., with HTTP, hypertext transfer protocol), URIs are more flexible and can even be used to host the data they "link" to.
Old Method of Phishing
In the old method of phishing, the hacker has two pages; one is a fake page and the other is a PHP file. The fake page looks like the login page of the original website and it has the blocks where the username and password are entered. When a person enters his details, those details are sent to the PHP file. The PHP file is designed in such a way that it creates a new file and stores the username and password in that file, or it can send the username and password to the attacker's email. The two files, i.e., the fake page and the PHP file, need to be uploaded somewhere. When a victim visits the URL and enters his details, the attackers get the username and password from the log file.
Both the fake page and the PHP file need to be uploaded to our server.
We will get results in this format in our log file.
Phishing with Data URI
Using the data URI scheme, it is possible to present media content in a web browser without hosting the actual data on the internet. Data URIs follow this scheme:
data:[<mediatype>][;base64],<data>
<mediatype> means that you can represent any content type (e.g., image/jpeg,text/html, etc.) from the specification that is supported by the web browser.
It also defeats traditional defenses against phishing attacks, such as web filtering and reputation management, because victims don't need to communicate with an attack server to get phished
In this method, when the victim clicks on the hyperlink, he is redirected to the fake page, but our fake page is not hosted anywhere. It is basically made up of data URI, as we discuss later on. This fake page is linked with the PHP file that can handle the data and send the details via mail to the attacker specified by the attacker. The PHP file has to be hosted somewhere.
How Is the Data URI Formed?
The source code of a website is modified by the attacker in such a way that the details of the victim are sent to the PHP file and the PHP file sends the details to the attackers. The source code of the web page is modified and then converted into base 64 format. Here base 64 is optional.
Format of Data URI
How to Perform This Attack
Open the webpage whose phishing page you want to built. Here, as a demonstration, I am using a gmail page. Go to gmail.com, click on view source, then copy all the source code of the page and paste it into notepad or any other editor. Now search for "action" in that code.
Replace the URL there with our script URL uploaded on server. In my example it is http://localhost/gmail/act.php.
Copy the entire code and convert it into base 64 format. You can convert your code to base 64 by using various online tools like http://www.opinionatedgeek.com/dotnet/tools/base64encode/
Copy all the code and paste it in the data URI format.
To test whether it's working or not, copy the whole code and paste it into your browser. Enter your username and password.
You will see the log file is created on the server and you will get the username and password of the victim as shown below.
How to Spread or Send It to Victim
To spread or deliver our phishing page to the victim, we have to use the following JavaScript code.
We can use this script by injecting on the web application through the vulnerabilities like XSS or we can create the HTML file by using this script and sending it to the victim.
Phishing simulations & training
Benefits of Data URI
- Phishing web pages may be more elusive as they are passed around the Internet because phishing no longer requires web hosting of the page.
- We can create the phishing pages more easily. A personalized phishing web page can be created automatically, based on gathered information, and transmitted to one victim only. There is reason to believe that the data URI scheme can provide other unknown attack vectors.
-
It also defeats traditional defenses against phishing attacks, such as web filtering and reputation management, because victims don't need to communicate to an attack server to get phished.
Limitation of Data URI
- It is difficult to inject JavaScript in website.
- Internet Explorer doesn't support data URIs.
Conclusion
We learned a new way of presenting phishing web pages using a rather old, seldom used way to present web content. Using this procedure, there is no clear source of the phishing page and its content, which makes it difficult to trace, monitor the movement, or establish the origin of the web page. Also, we conclude that phishing no longer requires web hosting of the page, so phishing web pages may be more elusive passed around the Internet. They have no established anchor point in the Internet.
References
- http://www.klevjers.com/papers/phishing.pdf
- /spearphishing-a-new-weapon-in-cyber-terrorism/
- en.wikipedia.org/wiki/Phishing
- en.wikipedia.org/wiki/Data_URI_scheme.
In this Series
- Phishing with Data URI
- The best 9 phishing simulators for employee security awareness training (2024)
- Keeping your inbox safe: How to prevent business email compromise
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
