Subtle phishing scam targeting Gmail users

barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Subtle phishing scam targeting Gmail users

Post by barbaz »

https://www.wordfence.com/blog/2017/01/ ... -data-uri/

Does NoScript protect against this at all? If so how?
*Always* check the changelogs BEFORE updating that important software!
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Subtle phishing scam targeting Gmail users

Post by therube »

noscript.allowURLBarJS

From what I recall (search earlier posts), there might be some issues with it?

(Its effectiveness, or not, possibly relating to a new window (as in it is bypassed on a new window, first entry, kind of thing), possibly only with SeaMonkey. Don't recall anymore.)


According to Wikipedia, Data URI scheme, the exploit avenue is years old, so why is it just being "discovered"...?


javascript: / data: URI being bypassed

I didn't fully read, but:

data:,Hello%2C%20World!

is not an image, bypasses the NoScript block.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Lightning/.4.46
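A defender-side check, added here and not code from the thread or from NoScript, that parses a data: URI per RFC 2397 and reports the properties this post turns on: an omitted media type defaults to text/plain (so `data:,Hello%2C%20World!` is not an image and an image-only block misses it), and a top-level text/html body can carry script, a form, a `<base href>` or a URL-lookalike prefix padded with whitespace. The `accounts.example.com` and `attacker.example` hosts in the samples are constructed placeholders.

```javascript
// Added example, not code from the forum thread or from NoScript.
// Parses a data: URI (RFC 2397) and reports why a defender would refuse to
// load it as a top-level document. Node.js (Buffer is used for base64 bodies).

function parseDataURI(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri.trim());
  if (!m) return null; // not a data: URI at all
  const params = m[1].split(';').map((s) => s.trim()).filter(Boolean);
  const isBase64 = params.some((p) => p.toLowerCase() === 'base64');
  // RFC 2397: an omitted media type means text/plain;charset=US-ASCII,
  // so "data:,Hello%2C%20World!" from the thread is text, not an image.
  const mediaType = (params.find((p) => p.includes('/')) || 'text/plain').toLowerCase();
  let body;
  try {
    body = isBase64 ? Buffer.from(m[2], 'base64').toString('utf8') : decodeURIComponent(m[2]);
  } catch (e) {
    body = m[2]; // malformed percent-escape: keep the raw payload for inspection
  }
  return { mediaType, isBase64, body };
}

// Returns a list of findings; empty means not a data: URI, or nothing of note.
function assessTopLevelDataURI(uri) {
  const parsed = parseDataURI(uri);
  if (!parsed) return [];
  const findings = [];
  if (parsed.mediaType === 'text/html') {
    findings.push('top-level text/html data: URI renders attacker-supplied markup');
    if (/<script[\s>]/i.test(parsed.body)) findings.push('inline <script>');
    if (/<form[\s>]/i.test(parsed.body)) findings.push('<form> present (credential capture)');
    if (/<base\s+href=/i.test(parsed.body)) findings.push('<base href> rewrites relative URLs');
    // Address-bar lookalike: URL-like text first, then whitespace padding hides the markup.
    if (/^\s*https?:\/\/\S+\s{8,}/.test(parsed.body)) findings.push('URL-lookalike prefix then padding');
  }
  if (!parsed.mediaType.startsWith('image/')) {
    findings.push(`not an image (${parsed.mediaType}); an image-only block does not apply`);
  }
  return findings;
}

// Constructed samples: "hello" is from the thread; the hostnames are placeholders.
const SAMPLES = {
  hello: 'data:,Hello%2C%20World!',
  png: 'data:image/png;base64,iVBORw0KGgo=',
  phish: 'data:text/html,https://accounts.example.com/ServiceLogin?service=mail' +
    '%20'.repeat(40) + '%3Cscript%20src%3D%22https%3A%2F%2Fattacker.example%2Fa.js%22%3E%3C%2Fscript%3E',
};

for (const [name, uri] of Object.entries(SAMPLES)) console.log(name, assessTopLevelDataURI(uri));
```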
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Subtle phishing scam targeting Gmail users

Post by barbaz »

My understanding is that the data: URI isn't typed or pasted in, it's loaded by clicking a link. NoScript treats that differently from a typed/pasted data: URI, but I don't remember what protection, if any, it does on data: URIs on whitelisted sites like Gmail.

And I seem to recall there were also issues with handling data: URIs loaded by clicking links, but that isn't turning up in searching.
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Subtle phishing scam targeting Gmail users

Post by therube »

OK.

URL: http://openloadmovies.org/movies/the-three-stooges/

Center-click the video placeholder & you get something like:

(truncated)

Code:

data:text/html,%3C!DOCTYPE%20html%3E%0A%3Chtml%20lang%3D%22en-US%22%3E%0A%3Chead%3E%3Cmeta%20charset%3D%22utf-8%22%20%2F%3E%3Cbase%20href%3D%22https%3A%2F%2Fopenload.co%2F%22%20%2F%3E%3Cscript%3Ewindow.exclude%3Dtrue%3Bwindow.turnoff%3Dtrue%3Bwindow.useCors%3Dtrue%3Bdocument.addEventListener(%22mouseup%22%2Cfunction()%7Blogpopup(1)%3B%7D%2Cfalse)%3Bwindow.corsToken%3D%22zxVHaaikYtBL5RgM1zXZNFv4Jq68x3dObkgqdFbq3eryWbyRKpvxVAiz60ypTWeW%22%3B%3C%2Fscript%3E%0A%3Cscript%20type%3D%22text%2Fjavascript%22%3E%0A%2F%2F%3C!%5BCDATA%5B%0Atry%7Bif%20(!window.CloudFlare)%20%7Bvar%20CloudFlare%3D%5B%7Bverbose%3A0%2Cp%3A0%2Cbyc%3A0%2Cowlid%3A%22cf%22%2Cbag2%3A1%2Cmirage2%3A0%2Coracle%3A0%2Cpaths%3A%7Bcloudflare%3A%22%2Fcdn-cgi%2Fnexp%2Fdok3v%3D1613a3a185%2F%22%7D%2Catok%3A%220127ec569970300ae984d641e3d57198%22%2Cpetok%3A%227b7ee8e959d25e47574e5e409fe1c99b66ae14ee-1491060712-1800%22%2Czone%3A%22openload.co%22%2Crocket%3A%220%22%2Capps%3A%7B%22abetterbrowser%22%3A%7B%22ie%22%3A%228%22%2C%22opera%22%3A%2212.0%22%2C%22chrome%22%3A%222.9%22%2C%22safari%22%3A%223.0%22%2C%22firefox%22%3A%2220.0%22%7D%7D%7D%5D%3B!function(a%2Cb)%7Ba%3Ddocument.createElement(%22script%22)%2Cb%3Ddocument.getElementsByTagName(%22script%22)%5B0%5D%2Ca.async%3D!0%2Ca.src%3D%22%2F%2Fajax.cloudflare.com%2Fcdn-cgi%2Fnexp%2Fdok3v%3Df2befc48d1%2Fcloudflare.min.js%22%2Cb.parentNode.insertBefore(a%2Cb)%7D()%7D%7Dcatch(e)%7B%7D%3B%0A%2F%2F%5D%5D%3E%0A%3C%2Fscript%3E%0A%3Cscript%20type%3D%22text%2Fjavascript%22%3Ewindow.shouldreport%3D%225TMkyEx-4HE%22%3Bwindow.filesize%3D630507718%3B%3C%2Fscript%3E%20%3C!--%5Bif%20lte%20IE%208%5D%3E%3Cscript%20type%3D%22text%2Fjavascript%22%20src%3D%22%2Fassets%2Fjs%2Fexcanvas.js%22%3E%3C%2Fscript%3E%3C!%5Bendif%5D--%3E%0A%3Cmeta%20name%3D%22description%22%20content%3D%22The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22og%3Atitle%22%20content%3D%22The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22og%3Adescription%22%20content%3D%22Stream%20The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%20via%20Openload%22%3E%0A%3Cmeta%20name%3D%22og%3Atype%22%20content%3D%22video.movie%22%3E%0A%3Cmeta%20name%3D%22og%3Aurl%22%20content%3D%22https%3A%2F%2Fopenload.co%2Fembed%2F5TMkyEx-4HE%2FThe_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22og%3Asitename%22%20content%3D%22Openload%22%3E%0A%3Cmeta%20name%3D%22og%3Aimage%22%20content%3D%22https%3A%2F%2Fthumb.oloadcdn.net%2Fsplash%2F5TMkyEx-4HE%2FH8_xqwq193E.jpg%22%3E%0A%3Cmeta%20name%3D%22twitter%3Acard%22%20content%3D%22summary_large_image%22%3E%0A%3Cmeta%20name%3D%22twitter%3Atitle%22%20content%3D%22The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22twitter%3Adescription%22%20content%3D%22Stream%20The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%20via%20Openload%22%3E%0A%3Cmeta%20name%3D%22twitter%3Aimage%22%20content%3D%22https%3A%2F%2Fthumb.oloadcdn.net%2Fsplash%2F5TMkyEx-4HE%2FH8_xqwq193E.jpg%22%3E%0A%3Cmeta%20name%3D%22robots%22%20content%3D%22noindex%22%3E%0A%3Clink%20href%3D%22https%3A%2F%2Fcdnjs.cloudflare.com%2Fajax%2Flibs%2Fvideo.js%2F5.15.1%2Fvideo-js.min.css%22%20rel%3D%22stylesheet%22%3E%0A%3Clink%20href%3D%22%2Fassets%2Fcss%2Fvideo.js%2Folvideo.css%22%20rel%3D%22stylesheet%22%3E%0A%3Cscript%20src%3D%22%2Fassets%2Fjs%2Fjquery.min.js%22%3E%3C%2Fscript%3E%0A%3Cscript%20src%3D%22%2Fassets%2Fjs%2Fvideojs-ie8.min.3.js%22%3E%3C%2Fscript%3E%3Cscript%3E%0D%0Awindow._VideoLoaded%3Dfalse%3B%0D%0A%3C%2Fscript%3E%0A%3C%2Fhead%3E%0A%3Cbody%3E%0A%3Cdiv%20id%3D%22mediaspace_wrapper%22%3E%0A%3Cdiv%20class%3D%22videocontainer%22%3E%0A%3Cinput%20type%3D%22file%22%20id%3D%22srtSelector%22%20style ...
Complete, https://pastebin.com/gTYxqDjp.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Subtle phishing scam targeting Gmail users

Post by barbaz »

For me it appears to give me the direct link to the video.
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Subtle phishing scam targeting Gmail users

Post by therube »

Ah, I left out some steps, didn't I.
So...

URL: http://openloadmovies.org/movies/the-three-stooges/

By default, you should see a placeholder.
Center-click the placeholder.

Opens, https://openload.co/embed/5TMkyEx-4HE/T ... IFY_HI.mp4

Temporarily Allow, openload.co

Page refreshes & URL changes to a data: URI.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Subtle phishing scam targeting Gmail users

Post by barbaz »

Yep, I see it after following your steps, and then clicking the play button in the middle. It asks me whether I want to open or save the data URI.
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Subtle phishing scam targeting Gmail users

Post by therube »

barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Subtle phishing scam targeting Gmail users

Post by barbaz »

Thanks for the link, therube.

Top-level data: URIs are critical for me. Disabling that would make it unusable. I hope that if they go that route, there will be a way to re-enable top-level data: URIs.