We’ve talked about being a phishing victim before and how to protect ourselves, yet as everything evolves and mutate, new techniques are always implemented, and used to increase the probability of successful phishing attempts and evade detection.

In his blog post “Fresh phish served with a helping of AES“, Nick Johnston from Symantec, explained how phishing sites nowadays are obfuscating their pages using encryption tools such as Advanced Encryption Standard (AES) in an attempt to evade detection from automated phishing detection tools.

The phishing page designed to steal information or similar acts, is encrypted using AES. Within the page a JavaScript AES library is implemented based on the supplied cipher-text resulting from the encrypted page, along with the decryption key which will be used to decrypt and write the content dynamically to the page using “document.write()“.

Quite interesting approach, such library can be found and downloaded from Movable Type Scripts.

Simply include the libraries and the usage can be as follow within the HEAD tag of the page:

 
/*decryption Key*/ 
var passVal = "the-password-value-used"; 
/*The Encrypted HTML equivalent to the phishing page*/ 
var pageCiphertext = "a^uhwiYH9882JKas/asd/asd9..........."; 
/*Decrypt the cipher-text and write to the page*/ 
var decryptedPageContent = Aes.Ctr.decrypt(pageCiphertext, passVal, 256); 
document.write(decryptedPageContent);

Nick provided some protection measures and guidelines which we can follow to protect ourselves, and we’ve talked about some of the most protective measures to stop becoming phishing victims before, here let me remind you of them:

  • Suspicious Mindset
  • Discard the urge of clicking on links
  • Don’t Panic, Go Directly to the Source and ask for more info
  • Check for obvious clues like mistake, grammar errors and unrealistic claims
  • Install a good security suit

I wish you Safe Surfing…

>> Featured Image courtesy of brighthub.com