Phishing without a webpage - researcher reveals how a link *itself* can be malicious

Filed Under: Data loss, Featured, Phishing, Privacy, Vulnerability

The need for a reliable place to host your malicious website has been the bane of phishers for much of the last decade.

But, no longer.

A researcher at the University of Oslo in Norway says that page-less phishing and other untraceable attacks may be possible, using a tried and true internet communications standard: the uniform resource identifier, or URI.

Henning Klevjer, an information security student at the University of Oslo in Norway, suggests in a just-released research paper that it may be possible for attackers to dispense with phishing sites altogether, embedding their entire scam webpage in an encoded data URI that can be passed around from victim to victim.

URIs are strings of characters that identify a resource. The term encompasses the better-known Uniform Resource Locator (URL) and the Uniform Resource Name (URN). However, whereas URLs specify the location of a specific network resource and how it should be accessed (e.g. with HTTP, the HyperText Transfer Protocol), URIs are more flexible and can even carry the data they "link" to inside the identifier itself.

Klevjer's paper, "Phishing by data URI" [PDF], suggests ways that the malleability of the URI could be used to mask malicious content.

For example, an attacker could create a stand-alone phishing webpage using images and content pinched from a legitimate site, embedding those resources directly in the document so it needs no external files. They could then encode the page's content in Base64 to mask its meaning from the intended victim, and append the encoded page to a data URI.

The encoded URI will be long and forbidding-looking, but assuming it doesn't exceed the maximum URL length of a browser, it can be rendered. And, Klevjer's paper points out, the widespread use of URL shortening services makes it easy for the attacker to mask the hefty URL and circulate it to victims via social networks like Twitter and Facebook, or via e-mail and IM.

In his paper, Klevjer was able to shrink a 24,682 character URI representing a Wikipedia login “phishing” page to just 26 characters using a URL shortening service.

Fake Wikipedia page

The intention is that victims who receive the link will click on it, launching their web browser. Every modern browser supports the data URI scheme and will render the encoded page directly in the victim's browser.

The URI-attack method isn’t new. In 2007, researchers Billy "BK" Rios and Nathan McFeters explored similar attacks against Microsoft’s IE6 and IE7 browsers that exploited both documented and undocumented functionality for handling URIs.

The use of URIs creates the possibility that sophisticated attackers could begin circulating individualized phishing pages to small numbers of victims.

It also defeats traditional defenses against phishing attacks, such as web filtering and reputation management, because victims wouldn’t need to communicate out to an attack server to get phished, Klevjer argues.

And the method isn't limited to phishing attacks. Klevjer wrote in an email to Naked Security that fellow Norwegian security researcher Per Thorsheim had pointed out that a data URI could also contain a (compromised) Java applet - worth bearing in mind considering the scare this week about Java zero-day vulnerabilities.

Writing on the SANS blog, Johannes Ullrich points out that attackers would still need to manage some backend infrastructure to receive data stolen in the attack.

However, he says that sophisticated attackers could also sneak the phished data out using a specially-crafted DNS request that would transfer the sniffed login credentials to the log file of a remote system.

Klevjer said the URI attack method could gain adherents among sophisticated attackers who are looking for a way around traffic and reputation monitoring and filtering systems. He said it also raises important questions about who “owns” the malicious data used in a URI based attack.

If URL shorteners are used, for example, the malicious content is now located within a link. Klevjer told Naked Security:

“This fact transfers liability to the URL shortening services hosting the redirection”

There are caveats, of course. Klevjer points out that Google's Chrome browser blocks redirection to data URIs, and other browsers have set ceilings on the amount of data that can be packed into a URI or URL. IE9 refused to load his sample attack page, which weighed in at 26KB.

Still, both the Firefox and Opera browsers did.

13 Responses to Phishing without a webpage - researcher reveals how a link *itself* can be malicious

  1. Frank · 597 days ago

    This is old, I've seen attacks like this in the wild. I think there is even a tool to convert HTML into a data URI.

  2. wzrd1 · 597 days ago

    This has already been exploited in the wild. The payload being base64 encoded malware scripts embedded in either forged websites linked in html mail or a modified real website in the mail with the hostile code base64 encoded.
    I've personally gotten a few, which I dissected in a virtual machine.

  3. lowerarchy · 597 days ago

    thanks for this

  4. Alison Classe · 597 days ago

    Would you consider publicising this other potential phishing problem please http://answers.microsoft.com/en-us/windowslive/fo... as it sounds as if it could do a lot of damage?

  5. James Coleman · 597 days ago

    He's a Klevjer boy.

  6. John · 597 days ago

    Gee, if I were a hacker you have given me some ideas to explore...

  7. Anonymous · 596 days ago

    I tried to check this out but I've got an error message from NoScript about a se attack.
    You can disable this behaviour if you really want to, but by default NoScript is protecting you.
    Maybe you should add this to the article since not everybody is reading the comments.

  8. doggie015 · 594 days ago

    "Your password is correct horse battery staple" I see what you did there!

    For reference see http://xkcd.com/936/

  9. Wojtek · 593 days ago

    So if most of the browsers block malicious URIs why would someone waste time researching an outdated attack???

  10. Mats Svensson · 593 days ago

    So "researcher reveals how a link *itself* can be malicious"?

    Really?

    And this guy writes about this, and couldn't be bothered to take 5 minutes to put a working clickable example-link online somewhere?

    It's the usual "Hackers can write a virus that makes your computer explode!!!!"-BS

    • Graham Cluley · 593 days ago

      Read his paper - he gives a working fake Wikipedia example.

  12. @gialloporpora · 591 days ago

    For this reason I don't agree with the browser developers that have removed the protocol from the urlbar.
    I have made this little style to use with Stylish for Firefox to colour the urlbar red on data links: http://userstyles.org/styles/72276/urlbar-red-bac...

About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on threatpost.com, The Boston Globe, salon.com, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO , CSO and ITWorld.com. Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.