Figure 1. Page source of phishing site using AES
This process happens almost instantly, so users are unlikely to notice anything unusual. Once decryption is complete, the phishing site is shown as normal.
Figure 2. Phishing site shown as normal after decryption
The encryption is designed to make analysis of the phishing site more difficult and does not interfere with victims entering their details. A casual, shallow analysis of the page source will not reveal any phishing-related content, because that content is contained in the unreadable encrypted text.
This technique may be a first, albeit basic, attempt at using AES to obfuscate phishing sites. There is no attempt made to hide the key or otherwise conceal what is going on. However, we expect that as phishing detection matures further and improves in effectiveness, attacks like this will become more sophisticated.
Symantec advises users to follow these best practices to avoid becoming victims of phishing attacks.
- Be wary of messages claiming that your account has been restricted or somehow needs to be updated
- Do not click on suspicious links in email messages
- Do not provide any personal information when replying to emails
- Do not enter personal information in a pop-up page or window
- Exercise caution when clicking on enticing links sent through emails or posted on social networks
- Use comprehensive security software, such as Norton Internet Security or Norton 360 for consumers and Symantec Email Security.cloud and Symantec Messaging Gateway for business users, to be protected from phishing and social networking scams