Category: Phishing


A smart man named Henning Klevjer recently discovered a new phishing technique, in which an entire site can be hidden inside a single link.

Before, phishing pages had to be hosted on servers on the internet. Using data URIs, you do not need a server to host a phish site.

In this article, we will examine how the URI is received, implanted and shared, and how antiviruses must react. This article is divided into 8 parts.

Part 1: Understanding The URI

Using the data URI scheme it is possible to present media content in a web browser without hosting the actual data on the internet. Data URIs follow this scheme: data:[<mediatype>][;base64],<data> [1]

So the general syntax is data:[<mediatype>][;base64],<data>

The mediatype is a MIME type string, such as “image/jpeg” for a JPEG image file. If omitted, it defaults to text/plain;charset=US-ASCII.

If the data is textual, you can simply embed the text (using the appropriate entities or escapes based on the enclosing document’s type). Otherwise, you can specify base64 to embed base64-encoded binary data. [3]

Ok, we want text/html or text/javascript, and the other part is base64. So our code so far looks like this:

data:text/html;base64,<data> where <data> is our base64-encoded string.

Part 2: Generating The Phish Page

This is where you would, like with any other phish page, replicate as much of the website itself as possible without using a large amount of scripting. This can be done by using external stylesheets. For this test, we will use a basic JavaScript function.

<html><head><script>alert('test')</script></head></html>

Part 3: Obfuscation Using Base64

Next, we will use a tool called Base64 Online [4] to obfuscate (base64-encode) our code:

PGh0bWw+PGhlYWQ+PHNjcmlwdD5hbGVydCgndGVzdCcpPC9zY3JpcHQ+PC9oZWFkPjwvaHRtbD4=

Part 4: Implantation In The Browser

So now, the full code is:

data:text/html;base64,PGh0bWw+PGhlYWQ+PHNjcmlwdD5hbGVydCgndGVzdCcpPC9zY3JpcHQ+PC9oZWFkPjwvaHRtbD4=

Enter that into your browser's address bar and give it a try! You should be greeted with an alert box.

Part 5: Implantation On A Website

So now what we do is take our code and put it in a hidden iframe:

<iframe src="data:text/html;base64,PGh0bWw+PGhlYWQ+PHNjcmlwdD5hbGVydCgndGVzdCcpPC9zY3JpcHQ+PC9oZWFkPjwvaHRtbD4=" width=0 height=0></iframe>

Check out the jsFiddle [5].

Part 6: Sharing The Payload

Generally, it's easier to make your own link than to infect other sites, so how do we share a long URL without making it look suspicious? Why, TinyURL [6] of course!

TinyURL handles our code! [6]

Note that Google Chrome has a built-in feature that detects redirects such as this one and blocks the connection. However, if the user reloads the page, the error does not occur a second time. Note that this safety feature does not trigger for the previous examples.

Part 7: How Antiviruses Must React (Conclusion)

Because these links are not really ‘sites’, they don't have IPs, which means you can't blacklist them. This means that website heuristics are a must, and any suspicious elements found must be reported accordingly. Let's develop a ‘rough draft’ of how we want to protect our users. I will use a mix of Lua and JavaScript as well as English.

if document.contains("data") then
    if typeof(data) == "script" then
        -- Deobfuscate Base64 & Signature Check, if fails:
        -- Heuristics, if fails:
        -- Sandbox
    end
end
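The data URI scheme from Part 1 and the rough draft above, carried through as an added JavaScript example that is not part of the original post: it parses data: URIs found in src/href attributes, base64-decodes them, and flags those whose mediatype and decoded body indicate active HTML or script (the first step of the draft, before heuristics and sandboxing). It assumes Node.js (Buffer for base64 decoding); function names and the sample markup are my own.

```javascript
// Added example (not from the post): parse data: URIs in HTML markup per
// data:[<mediatype>][;base64],<data>, decode them, and flag those carrying
// active HTML/JavaScript. Assumes Node.js (Buffer for base64 decoding).
function parseDataUri(uri) { // null if not a data: URI
  const m = /^data:([^,]*?)(;base64)?,([\s\S]*)$/i.exec(uri.trim());
  if (!m) return null;
  const mediatype = m[1] || 'text/plain;charset=US-ASCII'; // scheme default
  const isBase64 = Boolean(m[2]);
  let payload;
  try {
    payload = isBase64 ? Buffer.from(m[3], 'base64').toString('utf8')
                       : decodeURIComponent(m[3]);
  } catch (e) {
    payload = m[3]; // malformed escapes: keep raw text so heuristics still run
  }
  return { mediatype, isBase64, payload };
}

// Heuristic: HTML/JS mediatype whose decoded body has script, inline event
// handlers, or a credential form.
function looksSuspicious(parsed) {
  const activeType = /^(text\/html|text\/javascript|application\/javascript)/i
    .test(parsed.mediatype);
  const hasScript = /<script\b|javascript:|\son[a-z]+\s*=/i.test(parsed.payload);
  const hasForm = /<form\b|type\s*=\s*["']?password/i.test(parsed.payload);
  return activeType && (hasScript || hasForm);
}

// Scan markup for data: URIs in src/href attributes and report the hits.
function scanHtml(html) {
  const hits = [];
  const re = /(?:src|href)\s*=\s*["']?(data:[^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const parsed = parseDataUri(m[1]);
    if (parsed && looksSuspicious(parsed)) {
      hits.push({ mediatype: parsed.mediatype, base64: parsed.isBase64,
                  snippet: parsed.payload.slice(0, 60) });
    }
  }
  return hits;
}

// Constructed sample: a harmless inline image next to the hidden iframe
// from Part 5 of the post.
const SAMPLE =
  '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">' +
  '<iframe src="data:text/html;base64,PGh0bWw+PGhlYWQ+PHNjcmlwdD5hbGVydCgn' +
  'dGVzdCcpPC9zY3JpcHQ+PC9oZWFkPjwvaHRtbD4=" width=0 height=0></iframe>';
```

Running scanHtml(SAMPLE) reports only the iframe: the image is a data URI too, but its mediatype is not active content, which is why the check has to look at the decoded payload rather than at the mere presence of "data".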


Part 8: Resources

http://klevjers.com/papers/phishing.pdf [1]

http://www.idg.no/computerworld/article251936.ece [2]

https://developer.mozilla.org/en-US/docs/data_URIs [3]

http://www.motobit.com/util/base64-decoder-encoder.asp [4]

http://jsfiddle.net/ [5]

http://tinyurl.com/ [6]

Stay Safe,

~!Donovan

Official jQuery.org Site

The popular JavaScript library, jQuery, has got a new twin, namely jQuerys. Found on the site mentioned in this avast! topic, let's examine it together. The results from JSunpack show the link, but it's marked as benign. Why is that?

jQuerys Benign On JSunpack

Bingo! Getting the content of the script shows a conditional redirect.

jQuerys' Redirect Algorithm

This is how it came directly from the GET request. You can see that it wasn't obfuscated in any way. At a glance, we can immediately tell that it tries to get a cookie called _js_rd, probably a shortened version of "javascript redirect", and wants the cookie to not exist. It then checks if the Math.random() JavaScript function returns a value that's less than 0.05. In other words, there is a 5% chance that you will receive the redirect. It then creates the cookie so that if you already received the redirect you cannot do so again. Finally, it changes the browser's location (i.e. redirects) to a downloadmusicfreenow site. What do we have there? Check out the urlQuery results. The first thing we notice is the alert ET RBN Known Russian Business Network IP (412). Further down are various evals that do things such as browser spoofing, obfuscated strings, ads, and more. Let's send this redirect JavaScript (which we received fully beautified) to VirusTotal to see if any engines detect it.

jQuerys Results From VirusTotal

1/41 detections.
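The redirect logic described above, and the reason a 5% gate slips past a dynamic sandbox and most signature engines, as an added JavaScript example that is not part of the original post: a static check that scores a script on the traits walked through above (cookie gate, Math.random() threshold, cookie set, location change) without executing it. It assumes Node.js only to run; the trait names, the sample script and its placeholder URL are my own constructions mirroring the description.

```javascript
// Added example (not from the post): static heuristic for the conditional,
// one-time redirect described above, which a dynamic sandbox only sees in
// about 5% of runs. Scores JS source on the traits the post walks through.
const TRAITS = [
  { name: 'cookie-gate', re: /document\.cookie/ },
  { name: 'random-gate', re: /Math\.random\s*\(\s*\)\s*<\s*0?\.\d+/ },
  { name: 'cookie-set', re: /document\.cookie\s*=[^=]/ },
  { name: 'location-change',
    re: /(?:window\.|document\.)?location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\s*\(/ },
];

// Pull the numeric threshold out of "Math.random() < 0.05" when present.
function extractProbability(src) {
  const m = /Math\.random\s*\(\s*\)\s*<\s*(0?\.\d+)/.exec(src);
  return m ? parseFloat(m[1]) : null;
}

// All four traits together make the "redirect once, to a small fraction of
// visitors" pattern; anything less is reported but not called suspicious.
function scoreRedirectScript(src) {
  const traits = TRAITS.filter(t => t.re.test(src)).map(t => t.name);
  return {
    traits,
    probability: extractProbability(src),
    suspicious: traits.length === TRAITS.length,
  };
}

// Constructed sample mirroring the post's description (placeholder URL).
const REDIRECT_SAMPLE = `
if (document.cookie.indexOf('_js_rd=') === -1 && Math.random() < 0.05) {
  document.cookie = '_js_rd=1; path=/';
  window.location = 'http://REDIRECT-TARGET.example/';
}`;

// Control: a small library-style snippet with none of the gates.
const BENIGN_SAMPLE = 'function $(s) { return document.querySelector(s); }';
```

scoreRedirectScript(REDIRECT_SAMPLE) reports all four traits and a 0.05 probability, while the control reports none, which is the kind of structural check that catches what a single sandbox run misses 95% of the time.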

Stay Safe,
~!Donovan