Extending beyond the obfuscation techniques, an attacker may make use of HTML, DHTML and other scriptable code that can be interpreted by the customer's web browser and used to manipulate the display of the rendered information. In many instances the attacker will use these techniques to disguise fake content (in particular the source of the page content) as coming from the real site, whether this is a man-in-the-middle attack or a fake copy of the site hosted on the attacker's own systems.
The most common vectors include:
- Hidden Frames
- Overriding Page Content
- Graphical Substitution
Hidden Frames
Frames are a popular method of hiding attack content due to their uniform browser support and easy coding style. Common uses include:
- Hiding the source address of the attacker's content server. Only the URL of the master frameset document will be visible from the browser interface unless the user follows a link with the target attribute set to "_top".
- Providing a fake secure HTTPS wrapper (forcing the browser to display a padlock or similar visual security clue) for the site's content, while still using insecure HTTP for hidden page content and operations.
- Hiding HTML code from the customer. Customers will not be able to view the hidden page's code through the standard "View Source" functions available to them. Page Properties will only indicate the top-most viewable page source in most browser software.
- Loading images and HTML content in the background for later use by a malicious application.
- Storing and implementing background code operations that will report back to the attacker what the customer does in the "real" web page.
- Combined with client-side scripting languages, replicating the functionality of the browser toolbar, including the representation of URL information and page headers.
Overriding Page Content
Several methods exist for Phishers to override displayed content. One of the most popular methods of inserting fake content within a page is to use the DHTML DIV element. The DIV element allows an attacker to place content into a "virtual container" that, when given an absolute position and size through the STYLE attribute, can be positioned to hide or replace (by "sitting on top" of) underlying content. This malicious content may be delivered as a very long URL or by referencing a stored script. This method allows an attacker to build a complete page (including graphics and auxiliary scripting code elements) on top of the real page.
Graphical Substitution
While it is possible to overwrite page content easily through multiple methods, one problem facing Phishers is that of browser-specific visual clues to the source of an attack. These clues include the URL presented within the browser's URL field, the secure padlock representing an HTTPS-encrypted connection, and the Zone of the page source.
A common method used to overcome these visual clues is the use of browser scripting languages (such as JavaScript, VBScript and Java) to position specially created graphics over these key areas with fake information.
While the Phisher must use graphics that are appropriate to the manufacturer of the browser software, it is a trivial exercise for the attacker's fake web site to determine the browser type and exact version through simple code queries. Therefore the attacker may prepare images for a range of common browsers and code their page in such a way that the appropriate images are always used.
It is important to note that Phishing attacks in the past have combined graphical substitution with additional scripting code to fake other browser functionality. Examples include:
- Implementing "right-click" functionality and menu access,
- Presenting false popup messages just as the real browser or web application would,
- Displaying fake SSL certificate details (through the use of images) when reviewing page properties or security settings.
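A defender-side heuristic that scans page source for the hidden-frame, content-overriding and graphical-substitution vectors described in the three sections above, added here as an illustration and not taken from the original paper; the tag patterns, the z-index threshold and the sample page are assumptions:

```javascript
// Added example (not code from the original paper): a static heuristic that scans page
// source for the vectors above, as a URL scanner or mail gateway might before rendering.
// Tag patterns and the z-index threshold are assumptions chosen for illustration.
const TAG_RE = /<(frame|iframe|div)\b([^>]*)>/gi;

// Read one attribute value (double-, single- or un-quoted) from a tag's attribute string.
function attr(attrs, name) {
  const m = attrs.match(new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}
// Origin of an absolute URL; a relative (same-origin) URL yields null.
const originOf = (u) => { try { return new URL(u).origin; } catch { return null; } };
const isZeroSize = (v) => v !== null && /^0+(px|%)?$/.test(v.trim());

// Returns findings [{tag, reason}] for the HTML of a page served from pageOrigin.
function scanHtml(html, pageOrigin) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase(), attrs = m[2];
    const style = (attr(attrs, 'style') || '').toLowerCase();
    if (tag === 'frame' || tag === 'iframe') {
      const src = attr(attrs, 'src') || '';
      const srcOrigin = originOf(src);
      // Frame content pulled from a host other than the one shown in the URL bar
      if (srcOrigin && srcOrigin !== pageOrigin)
        findings.push({ tag, reason: `cross-origin frame source ${srcOrigin}` });
      // A frame the user cannot see: zero size, display:none or visibility:hidden
      if (isZeroSize(attr(attrs, 'width')) || isZeroSize(attr(attrs, 'height')) ||
          /display\s*:\s*none|visibility\s*:\s*hidden/.test(style))
        findings.push({ tag, reason: 'hidden frame' });
      // HTTPS wrapper document loading its working content over plain HTTP
      if (pageOrigin.startsWith('https:') && src.startsWith('http:'))
        findings.push({ tag, reason: 'insecure HTTP content inside HTTPS page' });
    } else if (tag === 'div') {
      // Absolutely positioned container stacked on top of the underlying page
      const positioned = /position\s*:\s*(absolute|fixed)/.test(style);
      const z = parseInt((style.match(/z-index\s*:\s*(-?\d+)/) || [])[1], 10);
      if (positioned && z >= 1000) // assumed threshold for "sitting on top"
        findings.push({ tag, reason: `overlay div with z-index ${z}` });
    }
  }
  return findings;
}

// Constructed sample page source for illustration (not a real site)
const SAMPLE_HTML = `<html><body>
<iframe src="http://content.example.net/login" width="0" height="0"></iframe>
<div style="position:absolute; top:0; left:0; width:100%; height:100%; z-index:9999">
<img src="fake-address-bar.png"></div></body></html>`;
```

Running `scanHtml(SAMPLE_HTML, 'https://bank.example.com')` reports the zero-sized cross-origin HTTP frame and the full-page overlay container; a clean page with relatively positioned content and same-origin frames yields no findings.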