Phishing++ – Chapter I

Hi! What’s going on?

Today’s case-study is a bit different: it is a two-part article. The next chapter will be published as soon as a certain company allows us to publicly disclose two vulnerabilities they had.

Today I’m not gonna talk about a regular attack – this whole chapter is about Phishing.

So, Phishing – why the hell are we talking about it? “It’s not a security issue.”

I’ve heard dozens of statements about how phishing is not an actual vulnerability, and many public companies think so. It’s fair to say that they are quite right – a third-party website that is pretending to be the real one is not an actual vulnerability on the real site.

But does that mean that the company should not care at all? No. Some companies (like PayPal, Facebook, etc.) report phishing attacks to anti-virus companies, who block the user from entering the malicious site. That’s fair, but it’s not enough. There is not enough manpower, or even “internet crawling power”, to fully protect users from malicious phishing websites. Actually, most companies do not care that there are malicious pretenders out there. In their ToS agreement, some of them rudely claim that the customer is fully responsible for any data/money loss or theft if he falls victim to a phishing attack.

But I say that there is more to do than looking at the sky and counting birds. A small piece of research I conducted on some phishing websites which pretended to be PayPal and Facebook led me to write this chapter of the case-study, instead of fully presenting the vulnerability as I always do.

I realized that in order to perfect their visual appearance, phishing websites use actual photos, CSS and JavaScript elements from the original one. This means that the PayPal-like phishing site “https://xxxx.com” has image and JavaScript tags which fetch images and scripts from the original PayPal site (or https://paypalobjects.com, to be accurate)!

Why are they doing so & why the f* should that matter?
They are doing so because they want the experience of the website to be exactly like the original. And how can that be achieved? Simple! By using the same images and JavaScript scripts.
Most of those websites have only one page – either Login (to steal the login credentials) or Pay (to steal the Visa card credentials). The actual source code is a lot like the original one, except for minor changes to the way the data is being sent.
That matters because once a company knows that a malicious website is using its assets – it can stop that!

A simple fix that the company can do “tomorrow morning” is to disallow fetching of JavaScript scripts, images and CSS style sheets by an unauthorized third-party website. This way, phishing websites will have to work harder in order to get the same experience and appearance as the original website.
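As an added example (this is not code from the original post, nor anything PayPal or Facebook run), here is one way to implement that fix: a Referer-based hotlink check for static assets, plus a pass over a few constructed access-log lines that lists which third-party hosts are embedding the site's assets. The allow list, asset paths and log lines are assumptions made up for illustration. Note the deliberate handling of a missing Referer: browsers omit it for direct navigation, bookmarks and strict Referrer-Policy settings, so blocking those requests would break legitimate users rather than phishing pages.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed allow list of first-party hosts (illustrative, not any company's real config).
ALLOWED_HOSTS = {"paypal.com", "www.paypal.com", "paypalobjects.com", "www.paypalobjects.com"}

# File extensions treated as static assets worth protecting from hotlinking.
ASSET_EXTENSIONS = (".js", ".css", ".png", ".gif", ".jpg", ".jpeg", ".svg", ".ico")


def referer_host(referer):
    """Lower-cased host from a Referer header value; None if absent or unparsable."""
    if not referer or referer == "-":  # "-" is how access logs record a missing header
        return None
    host = urlsplit(referer).hostname  # None when the value carries no scheme/host
    return host.lower() if host else None


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """True if host is an allowed host or a subdomain of one.

    The check is label-based, so 'www.paypal.com.phishing-site.example' is NOT
    accepted just because it starts with an allowed name.
    """
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def should_serve_asset(path, referer, allowed=ALLOWED_HOSTS, allow_missing_referer=True):
    """Decide whether a request for `path` should be served; returns (serve, reason).

    Non-asset paths are always served. Requests with no Referer are served by
    default (see lead-in); pass allow_missing_referer=False to be strict.
    """
    if not path.lower().split("?", 1)[0].endswith(ASSET_EXTENSIONS):
        return True, "not a static asset"
    host = referer_host(referer)
    if host is None:
        return allow_missing_referer, "no referer"
    if host_allowed(host, allowed):
        return True, "first-party referer"
    return False, "third-party referer: " + host


# Combined Log Format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (IPs from documentation ranges, hostnames are placeholders).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /js/login.js HTTP/1.1" 200 5120 "https://www.paypal.com/signin" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /js/login.js HTTP/1.1" 200 5120 "https://phishing-site.example/paypal/login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /css/main.css HTTP/1.1" 200 900 "https://phishing-site.example/paypal/login.php" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "https://www.paypal.com.phishing-site.example/" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:05 +0000] "GET /signin HTTP/1.1" 200 12000 "https://phishing-site.example/" "Mozilla/5.0"
"""


def hotlinking_hosts(log_text, allowed=ALLOWED_HOSTS):
    """Count asset requests per third-party Referer host: the sites embedding our assets."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        serve, _reason = should_serve_asset(m["path"], m["referer"], allowed)
        if not serve:
            counts[referer_host(m["referer"])] += 1
    return counts


if __name__ == "__main__":
    for host, n in hotlinking_hosts(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host}")
```

Run the log pass first in report-only mode to see which hosts show up before turning the check into a 403; the same rule is normally expressed in the web server rather than application code (nginx's valid_referers directive with a 403 on $invalid_referer is the usual form). Note that the page being in the allow list does not prove it is harmless, and a site that copies the assets to its own host will not appear in this list at all.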

It’s never a 100%
Even if websites disallow unauthorized fetching of assets, phishing sites will always be able to store the images, CSS and JavaScript “on their own”. It’s a cat-and-mouse race that is probably far from over.
But it’s another step forward. Making life harder for phishing-site makers should be a life-goal of every company and security researcher.

Heads up for the next chapter! Cheers.