Fraud foray fools phishing filter

A new phishing technique allows attackers to bypass the fraud warnings issued by browsers such as Firefox and Chrome.

04/26/2011


A new phishing technique allows attackers to bypass the fraud warnings issued by browsers such as Firefox and Chrome.

This move involves attaching an HTML document instead of sending a link, according to security firm M86Security. It remains unclear how many users have become victims so far.

Email recipients opening the HTML document in their browsers see a bogus PayPal form with the usual request to enter their access data due to alleged security issues. As the form processes locally on the user’s computer, the phishing filter doesn’t issue a warning because it only filters external URLs. A click on the “Submit” button then transmits the entered data to a PHP script on a (hacked) server using a POST request. The browser doesn’t warn about this either, according to M86Security.

While browsers should at least warn users when sending the data, M86Security stated two potential reasons why they won’t: As users don’t see the URL they access via POST requests, they can’t report it, and consequently the URL is missing in the browser filter’s blacklist. Most users can’t make anything of the HTML source code attached to the email, M86Security said.

Secondly, URLs which lead to a PHP script are very difficult to classify as phishing sites, M86Security said. It is hard to identify a phishing site without the accompanying HTML code which could, for instance, reveal whether a site pretends to be a banking site. This has apparently caused phishing campaigns to remain undetected.

M86Security didn’t state whether its assessment only refers to the filter lists maintained for Chrome, Firefox and other browsers, or whether it also includes those of the AV vendors, who maintain separate lists for their own filter products.



Consulting-Specifying Engineer's Product of the Year (POY) contest is the premier award for new products in the HVAC, fire, electrical, and...
Consulting-Specifying Engineer magazine is dedicated to encouraging and recognizing the most talented young individuals...
The MEP Giants program lists the top mechanical, electrical, plumbing, and fire protection engineering firms in the United States.
Exploring fire pumps and systems; Lighting energy codes; Salary survey; Changes to NFPA 20
How to use IPD; 2017 Commissioning Giants; CFDs and harmonic mitigation; Eight steps to determine plumbing system requirements
2017 MEP Giants; Mergers and acquisitions report; ASHRAE 62.1; LEED v4 updates and tips; Understanding overcurrent protection
Power system design for high-performance buildings; mitigating arc flash hazards
Transformers; Electrical system design; Selecting and sizing transformers; Grounded and ungrounded system design, Paralleling generator systems
Commissioning electrical systems; Designing emergency and standby generator systems; VFDs in high-performance buildings
As brand protection manager for Eaton’s Electrical Sector, Tom Grace oversees counterfeit awareness...
Amara Rozgus is chief editor and content manager of Consulting-Specifier Engineer magazine.
IEEE power industry experts bring their combined experience in the electrical power industry...
Michael Heinsdorf, P.E., LEED AP, CDT is an Engineering Specification Writer at ARCOM MasterSpec.
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me