Obfuscated phishing sites are nothing new. Various techniques such as JavaScript encryption tools (which offer very primitive obfuscation), data URIs (where the page content is mostly Base64-encoded), and character escaping are often used. However, recently we have seen a phishing site using the Advanced Encryption Standard (AES).
Figure 1. Page source of phishing site using AES
The page includes a JavaScript AES implementation, which it calls with the embedded password (used to generate the key) and embedded encrypted data (ciphertext). The decrypted phishing content is then dynamically written to the page using document.write().
This process happens almost instantly, so users are unlikely to notice anything unusual. Once decryption is complete, the phishing site is shown as normal.
Figure 2. Phishing site shown as normal after decryption
The encryption is designed to make the analysis of phishing sites more difficult and does not interfere with users entering their details. A casual, shallow analysis of the page will not reveal any phishing-related content, as it is contained in the unreadable encrypted text.
This technique may be a first, albeit basic, attempt at using AES to obfuscate phishing sites. There is no attempt made to hide the key or otherwise conceal what is going on. However, we expect that as phishing detection matures further and improves in effectiveness, attacks like this will become more sophisticated.
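As an added example (not code from the original article), the following Node.js heuristic flags the pattern described above during static triage: a long, high-entropy string literal inside a script together with a dynamic write such as document.write(). The thresholds, function names, the sample page and its aesDecrypt() call are assumptions constructed for illustration.

```javascript
// Static triage heuristic for pages that decrypt and write their own content.
// Thresholds below are assumptions, not values taken from the article.
const MIN_BLOB_LEN = 200; // assumed minimum length of an embedded ciphertext literal
const MIN_ENTROPY = 4.5;  // assumed bits-per-character floor for "looks encrypted"

// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Collect the bodies of inline <script> elements.
function scriptBodies(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

function analyzePage(html) {
  const js = scriptBodies(html).join("\n");
  // Quoted literals made up only of Base64 or hex characters.
  const literalRe = new RegExp(`(["'])([A-Za-z0-9+/=]{${MIN_BLOB_LEN},})\\1`, "g");
  const blobs = [];
  for (const m of js.matchAll(literalRe)) {
    const entropy = shannonEntropy(m[2]);
    if (entropy >= MIN_ENTROPY) blobs.push({ length: m[2].length, entropy });
  }
  const dynamicWrite = /document\.write(ln)?\s*\(|\.innerHTML\s*=/.test(js);
  const decryptCall = /decrypt\w*\s*\(/i.test(js); // supporting signal only
  // Flag when an encrypted-looking literal and a dynamic write sink coexist.
  return { blobs, dynamicWrite, decryptCall, suspicious: blobs.length > 0 && dynamicWrite };
}

// Constructed sample: 300 deterministic bytes stand in for the ciphertext.
const blob = Buffer.from(
  Array.from({ length: 300 }, (_, i) => (i * 197 + 13) % 256)
).toString("base64");
// aesDecrypt() is a hypothetical name for the page's embedded AES routine.
const samplePage = `<html><body><script src="aes.js"></script>
<script>var pw = "example-password"; var ct = "${blob}";
document.write(aesDecrypt(ct, pw));</script></body></html>`;

console.log(analyzePage(samplePage));
```

A hit is a reason to render the page in an isolated browser and inspect the resulting DOM, since the readable content only exists after decryption.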
Protection
Symantec advises users to follow these best practices to avoid becoming victims of phishing attacks.