Phishing without a webpage – researcher reveals how a link itself can be malicious

Posted on September 2, 2012 by George Ionescu Leave a Comment

The need for a reliable place to host your malicious website has been the bane of phishers for much of the last decade.

But, no longer.

Web browser, courtesy of Shutterstock A researcher at the University of Oslo in Norway says that page-less phishing and other untraceable attacks may be possible, using a tried and true internet communications standard: the uniform resource identifier, or URI.

Henning Klevjer, an information security student at the University of Oslo in Norway, suggests in a just-released research paper that it may be possible for attackers to dispense with phishing sites altogether, embedding their entire scam webpage in an encoded data URI that can be passed around from victim to victim.

URIs are strings of characters that identify a resource. The term encompasses the better-known Uniform Resource Locator (URL) and uniform resource name (URN). However, whereas URLs specify the location of a specific network resource and how it should be accessed (i.e. with HTTP, HyperText Transfer Protocol), URIs are more flexible and can even be used to host the data they “link” to.

Klevjer’s paper, “Phishing by data URI” [PDF], suggests ways that the malleability of the URI could be used to mask malicious content.

Read more on SOPHOS

Filed Under: ROGUE SOFTWARE

The 411 on Me

I have started this website in an attempt to help the Internet users when trying to remove malware from their PCs.
I own a small local PC repair shop in my country and I also custom build computers for my customers however most of my business is malware related issues.

Got anything to say?Go ahead and leave a comment! Cancel reply

Daily Tip

Scam artists try to trick people into clicking on links that will download malware and spyware to their computers, especially computers that don't use adequate security software. To reduce your risk of downloading unwanted malware and spyware:
Keep your security software updated. At a minimum, your computer should have anti-virus and anti-spyware software, and a firewall. Set your security software, internet browser, and operating system (like Windows or Mac OS) to update automatically.

Don't click on any links or open any attachments in emails unless you know who sent it and what it is. Clicking on links and opening attachments – even in emails that seem to be from friends or family – can install malware on your computer.

Download and install software only from websites you know and trust. Downloading free games, file-sharing programs, and customized toolbars may sound appealing, but free software can come with malware.

Minimize "drive-by" downloads. Make sure your browser security setting is high enough to detect unauthorized downloads. For Internet Explorer, for example, use the "medium" setting at a minimum.

Use a pop-up blocker and don't click on any links within pop-ups. If you do, you may install malware on your computer. Close pop-up windows by clicking on the "X" in the title bar.

Resist buying software in response to unexpected pop-up messages or emails, especially ads that claim to have scanned your computer and detected malware. That's a tactic scammers use to spread malware.

Talk about safe computing. Tell your kids that some online actions can put the computer at risk: clicking on pop-ups, downloading "free" games or programs, opening chain emails, or posting personal information.

Back up your data regularly. Whether it's text files or photos that are important to you, back up any data that you'd want to keep in case your computer crashes.

.recentcomments a{display:inline!important;padding:0!important;margin:0!important}