Phishing miscreants THWART securo-sleuths with AES-256 crypto

Phishing fraudsters have begun using industry-standard AES-256 encryption to disguise the content of fraudulent sites. Obfuscated phishing sites are nothing new. Various techniques such as JavaScript encryption tools are commonly used but Symantec recently caught what it reckons is the first use of AES-256 encryption in dodgy …

  1. Al Jones

    From the description, it sounds like this is more about obfuscation than encryption - they happen to be using an encryption library to perform the obfuscation, but given that the key has to be included in the code, there is no reliance on the hardness of the encryption, just the fact that the decryption process can turn gobbledygook that Symantec's scanners can't recognize as bad into a working webpage in the user's browser.

    1. phil dude
      Black Helicopters

      paranoia and...

      But reading it, my imagination got a ping: perhaps the browser should be in a chroot jail in ~/.mozilla or wherever?

      In Linux there is AppArmor, but I am getting the sense this is not a commonly used thing, although it does the job.

      P.

  2. Daniel B.
    Boffin

    Isn't this pretty much straightforward?

    It's done in a crappy language (JavaScript) that has to run client-side. Therefore, the key will always have to be embedded in the code, or at least retrievable by the browser to decrypt the scam stuff. Therefore, security screeners need only to run the JS code and read the resulting stuff; if it is phishing, kill it. Is this really that hard? Alternatively, shitlist any site that looks like garbage without JS.

    Crypto is a good way to securely transmit data from A to B. It's a poor way to have A show B information while keeping B from copying the resulting data around or from reading the actual key. See all the continuously cracked DRM systems as an example.

    1. Anonymous Coward
      Anonymous Coward

      Re: Isn't this pretty much straightforward?

      But the trick is that attempting to run JS leaves the analysing machine vulnerable to a JS-based exploit, which may even be concealed within the ciphertexted code. The normal routine for an analyser is to not run JS due to that potential. So you're caught in a dilemma. Don't run JS and you can't decipher the text (sure it uses AES now, but what if it uses a multi-stage system in future so you can't do it yourself offline); run it and you risk getting nailed with a hidden zero-day.

      1. Daniel B.

        Re: Isn't this pretty much straightforward?

        So you're caught in a dilemma. Don't run JS and you can't decipher the text (sure it uses AES now, but what if it uses a multi-stage system in future so you can't do it yourself offline); run it and you risk getting nailed with a hidden zero-day.

        Or the third option: simply tag any site that isn't readable without JS as phishing. It's pretty obvious that this is only the result of phishing schemes or crappy web developers.

        I remember that a couple of years ago (5? 6? 8?) a lot of spam was getting through most spam filters. The trick spammers were using was to set up a series of div tags that when rendered would show the spam email. But reading the text would give out an undecipherable thing that looked like "a b d i s c o e l s" or something like that. The solution? Anything unreadable with a zillion div tags would get filtered out. Problem solved!

        1. Anonymous Coward
          Anonymous Coward

          Re: Isn't this pretty much straightforward?

          Until a legitimate site complains about a false positive because they use JavaScript for dynamic content they apparently can't do any other way.

  3. Dig

    No phishing-related content.

    Apart from a shed load of gobbledygook, a demand for your PIN number, mother's maiden name, a request for money and finally notification you have won the state prize in a lottery you never entered.

  4. Old Handle

    So as long as you disable JavaScript they can't get you.

  5. Fungus Bob

    This clip is applicable to many articles...

    http://www.youtube.com/watch?v=DMSHvgaUWc8

    1. tom dial

      Re: This clip is applicable to many articles...

      Including the one it links to, which requires JavaScript.

  6. brooxta

    Sauce

    What's good for the goose is good for the gander.

    "Encryption done properly works." So they haven't managed to do it properly yet. They will.

  7. AlbertH
    Linux

    Here come more Cryptolocker attacks!

    Another nail in Microsoft's coffin.

    1. Anonymous Coward
      Anonymous Coward

      Until someone makes a CryptoLocker clone/variant for Linux. And if you think limited user accounts will save you, remember these two words: privilege escalation. A couple of juicy ones were disclosed just a few months ago. And those are just the ones we know about.

      Plus remember that some variants are sneaky and adopt sleeper behaviour in an attempt to sneak into and infect backups.
