Endpoint Protection

Fresh phish served with a helping of AES 

09-04-2014 12:03 PM

Obfuscated phishing sites are nothing new. Various techniques such as JavaScript encryption tools (which offer very primitive obfuscation), data URIs (where the page content is mostly Base64-encoded), and character escaping are often used. However, recently we have seen a phishing site using the Advanced Encryption Standard (AES).

Figure1_13.png

Figure 1. Page source of phishing site using AES

The page includes a JavaScript AES implementation, which it calls with the embedded password (used to generate the key) and embedded encrypted data (ciphertext). The decrypted phishing content is then dynamically written to the page using document.write().

This process happens almost instantly, so users are unlikely to notice anything unusual. Once decryption is complete, the phishing site is shown as normal.

 Figure2_1.jpg

Figure 2. Phishing site shown as normal after decryption

The encryption is designed to make the analysis of phishing sites more difficult and does not interfere with users entering their details. A casual, shallow analysis of the page will not reveal any phishing related content, as it is contained in the unreadable encrypted text.

This technique may be a first, albeit basic, attempt at using AES to obfuscate phishing sites. There is no attempt made to hide the key or otherwise conceal what is going on. However, we expect that as phishing detection matures further and improves in effectiveness, attacks like this will become more sophisticated.

Protection
Symantec advises users to follow these best practices to avoid becoming victims of phishing attacks.

  • Be wary of messages claiming that your account has been restricted or somehow needs to be updated
  • Do not click on suspicious links in email messages
  • Do not provide any personal information when replying to emails
  • Do not enter personal information in a pop-up page or window
  • Exercise caution when clicking on enticing links sent through emails or posted on social networks
  • Use comprehensive security software, such as Norton Internet Security or Norton 360 for consumers and Symantec Email Security.cloud and Symantec Messaging Gateway for business users, to be protected from phishing and social networking scams

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Related Entries and Links

No Related Resource entered.