Graphical Substitution

While it is possible to overwrite page content easily through multiple methods, one problem facing Phishers is that of browser-specific visual clues to the source of an attack. These clues include the URL presented within the browser's URL field, the secure padlock representing an HTTPS-encrypted connection, and the security zone of the page's source.

A common method used to overcome these visual clues is through the use of browser scripting languages (such as JavaScript, VBScript and Java) to position specially created graphics over these key areas with fake information.

In the example below, the attacker uses a carefully positioned fake address bar and padlock/zone images to hide the real information. While the Phisher must use graphics that are appropriate to the manufacturer of the browser software, it is a trivial exercise for the attacker's fake web site to determine the browser type and exact version through simple code queries. Therefore the attacker may prepare images for a range of common browsers and code the page in such a way that the appropriate images are displayed to the user once the browser has been fingerprinted.

The attacker can achieve this by combining the images shown above with the following HTML code:

<html>
<head>
<title>Fake Status Bar</title>
<style>
#statusbar {position: absolute;
left: 0px;
bottom: 0px;
}
</style>
</head>
<body bgcolor="#FFFFFF" text="#000000" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table id="statusbar" width="100%" border="0" cellpadding="0" cellspacing="0" height="21">
<tr>
<td width="1%"><img src="images/left%20logo.gif" width="18" height="21"></td>
<td width="100%" height="1%"><img src="images/status%20bar%20blank.gif" width="100%" height="21"></td>
<td width="1%">
<img src="images/left%20of%20padlock.gif" width="30" height="21"></td>
<td width="1%">
<div ondblclick="window.showModalDialog('fakecert.html','pop-up','status=no;resizable=no;dialogWidth=410px;dialogHeight=475px')">
<img alt="SSL Secured (128 Bit)" src="images/padlock.gif" border="0" width="17" height="21"></div></td>
<td width="1%">
<div ondblclick="window.showModalDialog('fakezones.html','pop-up','status=no;resizable=no;dialogWidth=407px;dialogHeight=453px')">
<img src="images/right%20pane.gif" border="0" width="157" height="21"></div></td>
<td></td>
</tr>
</table>
</body>
</html>
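The markup above has a recognisable static signature: a container pinned absolutely to a viewport edge, images whose names imitate browser chrome, and inline handlers that open fake certificate or zone dialogs. The following Python script is an added example (not part of the original page) showing how a defender analysing a suspected phishing kit can flag those three traits. The keyword lists and the sample page are assumptions constructed for the example, modelled on the HTML shown above.

```python
"""Static heuristics for spotting 'graphical substitution' phishing pages:
an overlay pinned to a viewport edge, chrome-imitating images, and inline
handlers that pop fake certificate/zone dialogs. Added example, not the
original page's code; keyword lists below are assumptions, not a standard."""
import re
from html.parser import HTMLParser

# Substrings seen in image names that imitate browser chrome (assumed heuristic)
SUSPICIOUS_IMG = ("padlock", "status", "zone", "address", "secure")
# Substrings in inline handlers that open look-alike dialogs (assumed heuristic)
SUSPICIOUS_HANDLER = ("showmodaldialog", "window.open", "cert", "zone")


def _edge_pinned_ids(css):
    """Return element ids whose CSS rule pins them absolutely to top or bottom."""
    pinned = set()
    for selector, body in re.findall(r"#([\w-]+)\s*\{([^}]*)\}", css):
        decl = re.sub(r"\s+", "", body.lower()) + ";"
        if ("position:absolute;" in decl or "position:fixed;" in decl) and \
                re.search(r"(top|bottom):0(px)?;", decl):
            pinned.add(selector)
    return pinned


class OverlayScanner(HTMLParser):
    """Collect every start tag with its attributes, plus inline <style> text."""

    def __init__(self):
        super().__init__()
        self.css = []
        self.in_style = False
        self.elements = []  # list of (tag, {attr: value})

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        self.elements.append((tag, dict(attrs)))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)


def scan_for_overlays(html):
    """Return a list of human-readable findings; an empty list means no hit."""
    parser = OverlayScanner()
    parser.feed(html)
    parser.close()
    pinned = _edge_pinned_ids("".join(parser.css))
    findings = []
    for tag, attrs in parser.elements:
        elem_id = (attrs.get("id") or "").strip()
        if elem_id in pinned:
            findings.append(f"edge-pinned overlay: <{tag} id={elem_id}>")
        if tag == "img":
            src = (attrs.get("src") or "").lower()
            if any(key in src for key in SUSPICIOUS_IMG):
                findings.append(f"chrome-like image: {src}")
        for name, value in attrs.items():
            # Inline event handlers (onclick, ondblclick, ...) carrying dialog calls
            if name.startswith("on") and value and \
                    any(key in value.lower() for key in SUSPICIOUS_HANDLER):
                findings.append(f"dialog handler on <{tag}>: {name}")
    return findings


# Constructed sample page, modelled on the fake status bar HTML (not a real kit)
SAMPLE_PAGE = """<html><head><title>Fake Status Bar</title>
<style>
#statusbar {position: absolute; left: 0px; bottom: 0px;}
</style></head>
<body>
<table id="statusbar" width="100%" height="21"><tr>
<td><img src="images/status%20bar%20blank.gif" width="100%" height="21"></td>
<td><div ondblclick="window.showModalDialog('fakecert.html','pop-up','status=no')">
<img alt="SSL Secured (128 Bit)" src="images/padlock.gif" width="17" height="21"></div></td>
</tr></table>
<p>Please log in below.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_for_overlays(SAMPLE_PAGE):
        print(finding)
```

Run against the sample page the scanner reports the pinned `statusbar` table, both chrome-imitating images and the double-click handler; a page with none of these traits returns an empty list. The heuristics are deliberately coarse and will need tuning per kit, but they illustrate that the substitution technique leaves artefacts in the markup itself, which is where static triage of reported URLs should look.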

It is important to note that Phishing attacks in the past have combined graphical substitution with additional scripting code to fake other browser functionality.

Examples include:

  • Implementing "right-click" functionality and menu access,
  • Presenting false pop up messages just as the real browser or web application would,
  • Displaying fake SSL certificate details when reviewing page properties or security settings - through the use of images.

Using simple embedded HTML commands, an attacker can hijack the customer's entire desktop (user interface) and construct a fake interface to capture and manipulate what the customer sees.

View Demo

You can now view our demo of a Fake Status Bar Attack here.