Phishers dodge fraud protections in Firefox, Chrome
A recent round of phishing attacks targeting customers of Bank of America and PayPal circumvent fraud protections built in to the Mozilla Firefox and Google Chrome browsers by attaching an HTML file to the spam email.
According to M86 researcher Rodel Mendrez, the locally stored file opens a web form that collects the customers' login credentials, credit card numbers and other sensitive information and then uses a POST request to zap them to a PHP application on a legitimate website that's been compromised. By avoiding the use of more verbose GET requests and known phishing sites, the scam flies completely under the radar of the browsers' fraud protection features.
“While the POST request sends information to the phisher's remote web server, Google Chrome and Mozilla Firefox did not detect any malicious activity,” Mendrez writes. “Months-old phishing campaigns remain undetected, so it seems this tactic is quite effective.”
There's no technical reason why the browsers can't flag the URL that accepts the POST request. Mendrez posits that few PHP URLs get reported as abusive by most end users because of the technical expertise that's required. With not visible HTML accompanying them, there's little for the average user to go on.
The tactic is similar to one M86 reported last month that embedded self-extracting archive files in phishing emails and also used compromised legitimate sites to bypass anti-phishing protections.
Junk food maker Frito Lay, by the way, was one of the companies whose websites was hacked to host the PHP script, Mendrez says. The malicious app has since been removed.
There was no mention how Microsoft Internet Explorer responds to the HTML forms. ®
I hate ignorant people such as yourself.
People are not stupid, people are trusting, it's part of our makeup for 10's of thousands of years and it's what allows us to progress.
When you take your car to a garage for repairs you trust that they won't cut you brake lines and jam your throttle on when it gets to 4000rpm. What you don't check these when you pick it up?
You buy a burger presuming some hasn't crapped on it. What you don't open it and examine it in detail, is that really mayo?
You buy a ladder presuming than all the rungs are securly attached. What you don't check them before climbing it?
You open a email from Bank of XXXXX and you presume it is from them.
They are not stupid, they just are not aware of the risks, big difference.
Someone did do this once upon a time but
This approach was use a few years ago against spammers, it was declared illegal in several countries. As is vigilantism is general forbidden.
"visit the site using a bookmark or a Google/Bing search."
With blackhat SEO (search-engine optimization for those not-in-the-know), it's very easy to get a site near the top (if not THE top) of Google or Bing that even appears to be the site you are looking for. Even the "URL" displayed below (shown in green on Google) does not display the actual URL of the site. I've stumbled upon these myself.
The best way to visit Bank of America or the like? Type: "www.bankofamerica.com" into your address bar. If you've got a decent browser, it will DNS resolve and take you straight to their website. If you don't, it might land you on a Google page with BoA as the first link, hopefully. (those that just typed "bank of america")