Over time, there is a natural tendency towards greater attack complexity as defensive countermeasures improve. The Easy Solutions DMS team is focused on attack detection and removal on behalf of our clients, and we have monitored this trend for years. Recently we've detected a resurgence in an attack type called Data URI phishing.
The attack fits the usual phishing pattern: it starts with an unsolicited email, though other delivery vehicles work just as well: social media, or links left in forums or in comments. The links require the use of a link shortener, such as bit.ly, tinyurl, or Goo.gl.
When a victim clicks on one of these links, the link shortener expands it into a URL whose form looks unusual and relatively obscure to a normal web user.
This URL is actually an instance of the Data URI specification, first standardized by the IETF in 1998, which allows media of arbitrary types to be transmitted inline as a base64-encoded string. This is another example of a web browser feature designed for good being misappropriated for evil; we have blogged about PAC (proxy autoconfig) attacks previously.
Data URI phishing attacks embed an entire fake phishing page, HTML source code included, in a long base64-encoded string that the browser renders directly. Interestingly, none of the elements on the fake page are hosted on a server owned by the fraudster, except for the single URL to which credentials are sent via an HTTP POST; everything else is loaded from the bank's legitimate website.
These attacks have been reported before; we believe the first public reference was published in late 2012 by Henning Klevjer (see http://klevjers.com/papers/phishing.pdf). Our DMS team has started to see these attacks targeting large US banks. The attack is novel and interesting for a few reasons:
– Data URI attacks are relatively easy to scale with the use of free link shortening services.
– Data URI attacks are relatively easy to automate.
– Data URI attacks are not “hosted” in the typical sense, so there is no hosting URL or domain to blacklist.
All of this leads to an effective attack vector that is more resistant to automatic detection and to rapid deactivation/takedown. We expect that if and when these attacks become more popular against high-profile targets, browser vendors will begin to introduce controls to make them less effective. This is easier said than done, because limiting the standardized Data URI functionality of modern browsers has potential adverse consequences for legitimate uses.
Additionally, if this attack gains widespread acceptance as a phishing vector of choice, we expect to see it used against enterprise users as part of spear-phishing campaigns. Enterprise users are especially vulnerable here, because the traditional URL-based blacklisting that many enterprise email filtering technologies rely upon is not effective against Data URI attacks.
By Alvaro Roldan, Online Fraud Specialist, Easy Solutions
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.