Data URI: Phishing Attacks Targeting GMail Users

NOVI, Mich. - Feb. 1, 2017 - PRLog -- Recently, there has been a wave of Phishing Scam targeting Google users. The Spam delivers either a pdf file or a word document which contains a link and in some cases just the plain simple email containing the link. It is also to be noted that some of the best researchers have been fooled by the method.

The link is actually an html body embedded in an URI ie. data:text/html also known as Data URI Schema and is supported by all modern day browsers.

One can even convert their browser into an instant notepad and all you need to do is to Copy Paste the code into the Browser URL Bar and hit Enter.

data:text/html, <html contenteditable>

or Display a RED Dot

data:text/html,<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />

This isn't a new method, however, what is new is that spammers are now actively targeting GMail users.

The code presented over here has been sanitized, as we closely observe the Data URI , it contains a script which has been encoded using Base-64.

Sanitized Code:

After we decode the string , we come across a Packer Function , these functions are generally used to obfuscate the underlying code , however, from reversing point of view, it is important to know that, for any packer , in most of the cases, it is imperative that it should use "eval" , an inbuilt javascript function to evaluate / execute JavaScript code / expressions.

Over here the eval function is clearly visible, however there are numerous other packers which would – we replace eval with alert which when executed would give us the unpacked code in an alert.

We repack the code using Base64

When we copy-paste the Data-URI inot the browser URL bar we are able to view the pre-packed code. From this code it is quite evident that an iframe has been used to display the phishing page, which is retrieved from http:// rosettatranslation.top however, this wont happen in this case since

1. The domain _rosettatranslation.top cannot exist, as it begins with an underscore.

2. We have used alert instead of eval

Packers have been used extensively by Drive-by Downloads, DGA (Domain Generation Algorithm), Exploit Kits etc. in order to serve malicious pages. Sometimes it is easy to extract the code in an harmless manner and sometimes it takes a lot of ingenuity to extract / reverse.

According to Google it is the prerogative of the end user to ensure the sanity / validity of the contents of the URL Bar , however google users always have the option of implementing Two Factor Authentication , as rightly suggested by Google.

However, when the targeted site doesn't use TFA, or is a Corporate Login Page , a spear phishing campaign has been initiated, the user has to be real attentive.

In past many years, there have been various methods to deliver the spam and entice the user to visit the malicious pages, although what hasn't changed is the phishing page, due to which, whenever such attempts are made against a computer system protected by eScan's eScan Smart Web-Filter, they get Detected and Blocked.

Since, the present campaign is targeting Gmail users , here are some tips to keep you safe:

1. Stay Alert, be aware of the contents of the Browser's URL Bar, ensure that the URL always begins with HTTP/HTTPS and if it begins with data then be extra careful.

2. Browser shows distinct color coded warnings while visiting HTTP/HTTPS sites

3. Use / Implement Two Factor Authentication whenever and wherever possible.

To read more, click here: http://blog.escanav.com/2017/01/30/data-uri-schema-phishi...