Using HTTP referer for phishing attacks

The HTTP Referer header (commonly spelled "referrer") contains the URL of the page from which an HTTP request originated. The header lets websites identify where a user is coming from and, for traffic that originated from a web search, what keywords the user entered to find the destination. Referer raises privacy concerns, but the field is also questionable from a security perspective: it passes to untrusted sites information that can be used to make malicious content seem trustworthy. The following steps describe how that information can be used for a generic phishing attack, one not targeted at any specific site:

  1. A phisher sets up a URL-rewriting reverse proxy. The proxy can retrieve any requested web page, but alters all URLs in the returned page to point back to the proxy. The proxy is a generic phishing site: it sits in the middle between the user and legitimate websites, it can log all data supplied in web forms, and it can downgrade all HTTPS traffic to plain HTTP. As an alternative to the proxy, the phisher can use tricks with frames.

  2. The phisher sets up a seemingly legitimate website with some interesting content; the site gets indexed by search engines and possibly linked from other sources.

  3. When the site is visited, it extracts the URL from the Referer field and tricks the user into thinking that he or she has returned to the referring page (this will often be a trusted web search). In fact, the user is directed to the reverse proxy, which intercepts all traffic between the user and the trusted site, and all sites that are visited from the trusted site.

While intercepting web search traffic may not seem very attractive from a phishing perspective, many users use web search to navigate to services that require a login and password. Such data can be very lucrative.

As in the case of most phishing attacks, the browser's address bar correctly indicates that the user is interacting with a phishing site. The question is how likely the user is to check the address bar in the middle of what seems to be a normal web surfing session.

The following examples demonstrate three of the many ways in which the user can be tricked into thinking that he or she has returned to the original site. The external site to which the examples redirect is (likely) harmless. If you are careful, you will notice small differences between this site and the fake. Assume this site is trusted and the linked site is not.

  1. In the first example you are presented with a malware warning and a "get me out of here" link. Clicking the link takes you to the fake site.

  2. The second example does not require any non-standard navigation actions: just visit a page and go back with the browser's back button. The example requires a browser with JavaScript and HTML5 support (Firefox 4.0, Opera 11.50, Safari 5.0, Chrome 5).

  3. The third example is probably the most suspicious one. You are taken directly to the fake site. The phisher tries to fool you into thinking that the click was not accurate or that the request failed without any visible error message. This technique can be effective against users who open many search results in multiple tabs (the user can at some point go to the tab with the phishing site and use it instead of the original site).

If you are concerned that your browsing habits may make you susceptible to such phishing schemes, consider not passing the Referer header to visited sites. Firefox and Opera have built-in settings for it, Chrome and Safari have external extensions, and IE does not seem to offer an easy way to do it.
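As an added example (not code from the original post), the following Python shows both sides of the header discussed above: what a visited site can read from a search engine's Referer, and a small WSGI middleware that sets the Referrer-Policy response header, a later browser feature the post does not mention, so that a trusted site stops handing its URL to the sites it links to. The search hostname, the `q` parameter name, the demo WSGI app and the sample Referer value are constructed assumptions; nothing touches the network.

```python
# Added example, not from the original post. Parses a constructed Referer
# the way an untrusted site could, and wraps a WSGI app so every response
# carries Referrer-Policy (the site-side counterpart of the browser settings
# mentioned in the post). The 'q' parameter name is an assumption.
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the Referer a search engine would send when a user
# clicks a result; search.example and the 'q' parameter are assumptions.
SAMPLE_REFERER = "https://search.example/search?q=webmail+login&hl=en"


def search_terms_from_referer(referer, param="q"):
    """Return the search keywords leaked through a Referer URL, or None.

    This is the information the post says a visited site can harvest from
    the header; nothing is fetched, the string is only parsed.
    """
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return None
    values = parse_qs(parts.query).get(param)
    return values[0] if values else None


def referrer_policy_middleware(app, policy="no-referrer"):
    """Wrap a WSGI app so every response carries a Referrer-Policy header.

    Set on the trusted (referring) site, 'no-referrer' stops browsers from
    sending its URL to the sites it links to, removing the input that
    steps 1-3 in the post rely on.
    """
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "referrer-policy"]
            headers.append(("Referrer-Policy", policy))
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped


def demo_app(environ, start_response):
    """Hypothetical minimal WSGI app standing in for the trusted site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def response_headers(app, environ=None):
    """Run one request through a WSGI app offline and return its headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    list(app(environ or {"REQUEST_METHOD": "GET"}, start_response))
    return captured["headers"]
```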
