Phishing Attack via Image File Carrying Covert Code

According to security company Arbor Networks, a website, www.widutr67e8ds63e7dsz3edsx.land.ru, is exploiting Internet Explorer's 'Multipurpose Internet Mail Extensions' (MIME) sniffing behavior, also termed MIME type detection, to launch phishing attacks.

Arbor's security researchers state that Internet Explorer has used 'MIME type detection', or 'MIME sniffing', since version 4. With this method, IE does not simply assume that a downloaded file contains the type of content that the server states in the HTTP header. Nor does it automatically accept the file's name or signature as genuine. Instead, the browser inspects the first 256 bytes of the file to determine its type. If it finds HTML code there, it lets that code run.

The researchers revealed that cyber-criminals exploiting this technique send e-mail carrying an apparently innocuous link that supposedly points to a JPEG file; the image, however, holds hidden JavaScript and HTML code. While Safari and Firefox return an error notification when downloading such a file, IE runs the code, which is the root of the problem. The hidden JavaScript and HTML code displays a bogus eBay login page that prompts users to enter their username and password, and that is the phishing attack.

Originally, MIME sniffing was used to protect against servers sending incorrect signals about content type. For instance, if the server declares content as 'plain' or 'text' but provides an HTML file, IE treats that content as HTML. Arbor further warned that the problem could be even more dangerous: an attacker could exploit the technique for Cross-Site Scripting (XSS) attacks against Internet sites that do not allow content to be uploaded.
Meanwhile, the security researchers explained that this was the first time they had seen a phishing attack that used MIME sniffing. However, they warned that other attacks exploiting this technique may already exist. Consequently, according to the researchers, while uploading JPEG files is a common need in any Web 2.0 software application, certain IE features need to be used cautiously; otherwise a loophole may appear that could allow attacks against website visitors. Meanwhile, to prevent possible damage, the malicious website has been banned.

SPAMfighter News - 4/3/2009
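
A server-side check for the upload scenario the researchers warn about, as an added example that is not from Arbor Networks or the original article: it rejects files claimed to be JPEGs whose first 256 bytes contain HTML markup. The tag list, the function and constant names and the sample bytes are assumptions constructed for illustration, and the `nosniff` response header is a mitigation the article does not mention.

```python
import re

SNIFF_WINDOW = 256  # leading bytes IE inspects, as described in the article
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker that opens a JPEG file

# Assumption: an illustrative set of HTML tags to look for; the article
# does not list which tags trigger IE's HTML detection.
HTML_MARKERS = re.compile(
    rb"<(?:html|head|body|script|title|a\s+href|img|plaintext|pre|table)\b",
    re.IGNORECASE,
)

# Headers for serving accepted images. X-Content-Type-Options: nosniff tells
# browsers that support it (IE 8 and later) to trust the declared type.
IMAGE_HEADERS = {"Content-Type": "image/jpeg", "X-Content-Type-Options": "nosniff"}


def check_jpeg_upload(data: bytes, window: int = SNIFF_WINDOW) -> list:
    """Return the reasons to reject an upload claimed to be a JPEG."""
    reasons = []
    if not data.startswith(JPEG_SOI):
        reasons.append("no JPEG start-of-image marker")
    # Look for HTML only inside the window a sniffing browser would inspect.
    hit = HTML_MARKERS.search(data[:window])
    if hit:
        reasons.append("HTML marker %r at offset %d" % (hit.group(0), hit.start()))
    return reasons


# Constructed sample inputs (not captured from the attack in the article).
SAMPLES = {
    # Ordinary JFIF header followed by padding.
    "photo.jpg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(300),
    # An HTML page that was simply given a .jpg name.
    "renamed_page.jpg": b"<html><body><form>Sign in</form></body></html>",
    # Valid JPEG start, but markup sits in a comment segment near the top;
    # rejected conservatively rather than relying on browser behaviour.
    "comment_segment.jpg": JPEG_SOI + b"\xfe\x00\x13<script></script>" + bytes(300),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        reasons = check_jpeg_upload(blob)
        print(name, "REJECT: " + "; ".join(reasons) if reasons else "accept", sep=": ")
```
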