Phishing without a webpage – researcher reveals how a link *itself* can be malicious

The need for a reliable place to host your malicious website has been the bane of phishers for much of the last decade.

But, no longer.

A researcher at the University of Oslo in Norway says that page-less phishing and other untraceable attacks may be possible, using a tried and true internet communications standard: the uniform resource identifier, or URI.

Henning Klevjer, an information security student at the University of Oslo in Norway, suggests in a just-released research paper that it may be possible for attackers to dispense with phishing sites altogether, embedding their entire scam webpage in an encoded data URI that can be passed around from victim to victim.

URIs are strings of characters that identify a resource. The term encompasses the better-known Uniform Resource Locator (URL) and uniform resource name (URN). However, whereas URLs specify the location of a specific network resource and how it should be accessed (i.e. with HTTP, HyperText Transfer Protocol), URIs are more flexible and can even be used to host the data they “link” to.

Klevjer’s paper, “Phishing by data URI” [PDF], suggests ways that the malleability of the URI could be used to mask malicious content.

For example, an attacker could create a stand-alone phishing webpage using images and content pinched from a legitimate site, then embedded in the external document. They could then encode the page’s content in Base64 to mask its meaning to the intended victim, and then append the encoded page into a data URI.

The encoded URI will be long and forbidding looking, but assuming it doesn’t exceed the maximum URL length of a browser, it can be rendered. And, Klevjer’s paper points out, the widespread use of URL shortening services makes it easy for the attacker to mask the hefty URL and circulate it to victims via social networks like Twitter and Facebook, or via e-mail and IM.

In his paper, Klevjer was able to shrink a 24,682 character URI representing a Wikipedia login “phishing” page to just 26 characters using a URL shortening service.

The intention is that victims who receive the link will click on it, launching their web browser. Every modern browser supports the legacy URI scheme and will render the encoded URI as a page in the victim’s browser.

The URI-attack method isn’t new. In 2007, researchers Billy “BK” Rios and Nathan McFeters explored similar attacks against Microsoft’s IE6 and IE7 browsers that exploited both documented and undocumented functionality for handling URIs.

The use of URIs creates the possibility that sophisticated attackers could begin circulating individualized phishing pages to small numbers of victims.

It also defeats traditional defenses against phishing attacks, such as web filtering and reputation management, because victims wouldn’t need to communicate out to an attack server to get phished, Klevjer argues.

And the method isn’t limited to phishing attacks. Klevjer wrote in an email to Naked Security that fellow Norwegian security researcher Per Thorsheim had pointed out that a data URI could also contain a (compromised) Java applet – worth bearing in mind considering the scare this week about Java zero-day vulnerabilities.

Writing on the SANS blog, Johannes Ullrich points out that attackers would still need to manage some backend infrastructure to receive data stolen in the attack.

However, he says that sophisticated attackers could also sneak the phished data out using a specially-crafted DNS request that would transfer the sniffed login credentials to the log file of a remote system.

Klevjer said the URI attack method could gain adherents among sophisticated attackers who are looking for a way around traffic and reputation monitoring and filtering systems. He said it also raises important questions about who “owns” the malicious data used in a URI based attack.

If URL shorteners are used, for example, the malicious content is now located within a link. Kelvjer told Naked Security:

“This fact transfers liability to the URL shortening services hosting the redirection”

There are caveats, of course. Klevjer points out that Google’s Chrome browser blocks redirection to data URIs, whereas other browsers have set ceilings on the amount of data that can be packed into a URI or URL. IE9 refused to load his sample attack page, which weighed in at 26KB.

Still, both the Firefox and Opera browsers did.

_{Goldfish in bowl and web browser images, courtesy of Shutterstock}