Alpha Phising [IE 6 WinXP SP2]

From: mikx (
Date: 08/26/04

  • Next message: Jérôme: "Re: Kaspersky Labs says Electronic Jihad on the Internet quite possible tomorrow"
    To: <>
    Date: Thu, 26 Aug 2004 05:46:10 +0200

    Tonight i got about 20 - awfully translated - german speaking phising mails.
    Therefore i thought a bit about phishing attacks and which of them are
    blocked in WinXP SP2.

    After a while i created some proof-of-concept code that is capable of
    phishing data from any html form based login screen, even if SP2 is
    installed and Active Scripting is disabled. It runs without the need for
    cross site scripting or spoofing entire websites. It can display any real
    login website in a frameset (that looks like a frameless page) and works as
    a "man-in-the-middle" attack when the user submits his login data. It is in
    most cases transparent, meaning the login process isn't interrupted at all
    (if the server accepts the form data as GET).

    This demo shows a typical, password protected website (it's just a fake for
    demonstration). Type in any login/password combination and click "login" or
    hit return in the form. If the phishing works, you will see a javascript
    alert displaying the login data you typed in - this alert comes from the
    site hosting the iframe! When you close the alert, the script forwards the
    data to the server and performs the login. In a real attack the alert would
    be replaced by mechanism to store the data, of course.

    The NoScript Version is a little limited: you can focus the underlying
     "real" login forms when clicking exactly on their border and there is
    currently no forward to do the login after the data got phished (it's
    possible using a server side header redirect but not implemented). The
    intercepted data is displayed as a get request in a new window in this demo.
    This could also be done in a hidden frame of course.

    1. JavaScript Version (inside Phishing frame, alerts on post)

    2. NoScript Version (inside Phishing frame, opens new window on post)

    3. Login Website (just to compare)

    4. Blog

    I tried this script across multiple webservers/domains and even on my
    personal bank account login page - it would work. I will not release any
    "real world" samples for obvious reasons. Anyway, i assume there are already
    phising attacks like this out in the wild.

    Technically the script is based on an iframe, forms and absolute positioned
    divs - it does not require Active Scripting! Therefore it triggers no cross
    site scripting protections, the hidden form fields intercepting the login
    data are only "hovering" above the iframe and there is no real script

    Currently i can only try this using IE 6 on WinXP pro SP2 (all security
    settings to default). Feedback about other OS versions is appreciated.

    To work around this vulnerability client side never click on links to open
    login pages and risk opening a framed website this way. Type URLs by hand or
    use Bookmarks. On server side use scripts that let a login page "break out"
    of framesets or warns when embedded in a frame. You could also try to detect
    those man-in-the-middle stuff by checking if the referrer of a form post
    comes from your server. This wouldn't stop the phising but at least would it
    break the "transparency" of the attack.


  • Next message: Jérôme: "Re: Kaspersky Labs says Electronic Jihad on the Internet quite possible tomorrow"