Saturday 18 December 2010

Chronofeit Phishing

This combines RSnake's Popup & Focus URL Hijacking* with Paul Stone's login detection to enhance phishing attacks.

The basic concept behind this attack is to use URL hijacking to swap a legitimate login page for a fake one in the gap between when the user checks the URL bar and when they type their username and password.

This implementation uses polling to detect the moment the user logs in, then redirects them to a classic phishing page claiming their password was incorrect, and relies on them not re-checking the URL before typing it again.

To view the demo, visit the link. You will need JavaScript, iframes and a legitimate Google account username/password for this to work. Note: this is not the most subtle browser-based attack in the book. It may well be the least. As such, your browser could just freeze. The page automatically stops polling after 60 seconds to avoid unnecessary grief.

View the demo (Tested in Firefox 3.x, probably doesn't work in IE)

I have left the iframes visible for clarity. Obviously, in a real attack they'd be invisible and the phishing URL would be a nice reassuring shade of green along the lines of

Scope for improvement
As you've probably noticed if you tried the demo, there is a clear delay between clicking Login and getting redirected. This delay could be significantly reduced by running the login detection against a page that doesn't send a redirect (and isn't served over HTTPS). That said, there are probably completely different approaches to identifying this moment that have less delay anyway.

Website owners could prevent framing by using frame-busting code, X-Frame-Options etc. They ought already to be doing this to protect against clickjacking, which is a much more severe attack. Users should just check the URL every time they enter their password, I guess.
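The following is an added example, not code from the original post or demo: it models how a browser decides whether a response may be rendered inside a frame, and shows the headers a login page should send so that the login-detection iframe described above loads nothing. X-Frame-Options is the header the post mentions (and the one Google deployed, per the 2011 edit); Content-Security-Policy frame-ancestors is the later standardised equivalent and takes precedence where both are present. The origins and paths (phish.example, accounts.example.com) are constructed for illustration.

```javascript
// Added example, not code from the original post: a model of how a browser
// decides whether a response may be rendered inside a frame, plus the headers
// a login page should send so that the login-detection iframe loads nothing.
// The origins and paths below are constructed for illustration.

// Origin (scheme://host[:port]) as the browser compares it.
function originOf(url) {
  return new URL(url).origin;
}

// Headers a login page should send. X-Frame-Options is what the post (and,
// per the 2011 edit, Google) relied on; Content-Security-Policy
// frame-ancestors is the standardised successor and takes precedence where
// both are present.
function frameProtectionHeaders(policy = 'none') {
  // policy 'none': never frameable; 'self': frameable only by same-origin pages
  const selfOnly = policy === 'self';
  return {
    'X-Frame-Options': selfOnly ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': selfOnly ? "frame-ancestors 'self'" : "frame-ancestors 'none'",
  };
}

// Extract the frame-ancestors source list from a CSP header value, or null
// if the directive is absent. Only 'none', 'self' and full origin sources
// (https://host[:port]) are handled; wildcards and scheme-less hosts are not.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
  if (!directive) return null;
  return directive
    .split(/\s+/)
    .slice(1)
    .map((src) => src.replace(/^'|'$/g, '').toLowerCase());
}

// Decide whether framedUrl, served with responseHeaders, may render inside a
// frame whose ancestor documents (top-level first) are ancestorUrls.
// An empty ancestor list is a top-level navigation and is always allowed.
function framingAllowed(framedUrl, responseHeaders, ancestorUrls) {
  const headers = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const framedOrigin = originOf(framedUrl);
  const ancestorOrigins = ancestorUrls.map(originOf);

  const sources = parseFrameAncestors(headers['content-security-policy']);
  if (sources) {
    // CSP frame-ancestors present: X-Frame-Options is ignored and every
    // ancestor must match a source. 'none' matches nothing.
    return ancestorOrigins.every((origin) =>
      sources.some((src) => src === origin || (src === 'self' && origin === framedOrigin)),
    );
  }

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigins.every((origin) => origin === framedOrigin);
  // No header, or an unrecognised value (ALLOW-FROM was never widely
  // supported): framing is allowed, which is what the 2010 demo relied on.
  return true;
}

// Constructed scenario: the attacker's page frames the target login page and
// polls it to detect the login. With the headers above, the frame is blank
// and the polling has nothing to observe.
const attackerPage = 'http://phish.example/accounts-lookalike.html';
const loginPage = 'https://accounts.example.com/ServiceLogin';

function chronofeitScenario() {
  return {
    unprotected: framingAllowed(loginPage, {}, [attackerPage]),
    withHeaders: framingAllowed(loginPage, frameProtectionHeaders('none'), [attackerPage]),
    // SAMEORIGIN / 'self' still lets the site frame its own login page...
    selfFramed: framingAllowed(loginPage, frameProtectionHeaders('self'), ['https://accounts.example.com/']),
    // ...but not when that same-origin page is itself framed by the attacker.
    nestedAttack: framingAllowed(loginPage, frameProtectionHeaders('self'),
      [attackerPage, 'https://accounts.example.com/']),
  };
}

console.log(chronofeitScenario());
```

The headers are what actually stop the iframe from rendering; JavaScript frame-busting on its own is a weaker second line, since the framing page controls the environment the script runs in and several bypasses for common frame-busting snippets were published in 2010. For a login page, which has no legitimate reason to be framed by anyone, the 'none' policy is the right default.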

Comments & feedback appreciated :)

*If the server is still down, try the cached version.
EDIT October 2011: This demo no longer works, as Google has prevented the login detection by using X-Frame-Options. I have no plans to fix it.
