
Subtle phishing scam targeting Gmail users

Posted: Sat Apr 01, 2017 1:58 am
by barbaz
https://www.wordfence.com/blog/2017/01/ ... -data-uri/

Does NoScript protect against this at all? If so how?

Re: Subtle phishing scam targeting Gmail users

Posted: Sat Apr 01, 2017 5:09 am
by therube
noscript.allowURLBarJS

From what I recall (search earlier posts), there might be some issues with it?

(Its effectiveness, or not, possibly relating to a new window (as in it is bypassed on a new window, first entry, kind of thing), possibly only with SeaMonkey. Don't recall anymore.)


According to Wikipedia, Data URI scheme, the exploit avenue is years old, so why is it just being "discovered"...?


javascript: / data: URI being bypassed

I didn't fully read, but:

data:,Hello%2C%20World!

is not an image, bypasses the NoScript block.
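
therube's point above is that a data: URI is only an image if its media type says so; the same scheme can carry plain text or a full HTML document that the browser renders as a top-level page. The following is an added example, not code from the NoScript forum, from NoScript, or from the Wordfence article. It parses a data: URI per the RFC 2397 grammar and classifies a navigation target the way a defender would: a remote host, a data: document whose type can execute script, or an inert data: payload. The helper names (parseDataUri, classifyNavigation, report) and the sample URIs other than the quoted "Hello, World!" one are constructed for this illustration.

```javascript
// Added example (not the forum's or NoScript's code): parse a data: URI and
// classify what a top-level navigation to it would render.

function parseDataUri(uri) {
  // RFC 2397: data:[<mediatype>][;charset=...][;base64],<payload>
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri.trim());
  if (!m) return null;
  const parts = m[1].split(';');
  let mediatype = parts[0].toLowerCase();
  let base64 = false;
  const params = {};
  for (const p of parts.slice(1)) {
    if (p.toLowerCase() === 'base64') { base64 = true; continue; }
    const eq = p.indexOf('=');
    if (eq > 0) params[p.slice(0, eq).toLowerCase()] = p.slice(eq + 1);
  }
  // RFC 2397: an omitted mediatype means text/plain;charset=US-ASCII
  if (mediatype === '') {
    mediatype = 'text/plain';
    if (!params.charset) params.charset = 'US-ASCII';
  }
  let body = null;
  try {
    body = base64
      ? Buffer.from(m[2], 'base64').toString('utf8') // in a browser: atob()
      : decodeURIComponent(m[2]);                    // throws on bad %-escapes
  } catch (e) {
    body = null; // malformed payload: report it rather than guess
  }
  return { mediatype, params, base64, body };
}

// Media types a browser renders as a document that can execute script.
const ACTIVE_TYPES = new Set(['text/html', 'application/xhtml+xml', 'image/svg+xml']);

function classifyNavigation(uri) {
  const u = uri.trim();
  const scheme = (u.match(/^([a-z][a-z0-9+.-]*):/i) || [])[1];
  if (!scheme) return { kind: 'relative', host: null };
  switch (scheme.toLowerCase()) {
    case 'javascript':
      return { kind: 'script-url', host: null };
    case 'data': {
      const d = parseDataUri(u);
      if (!d) return { kind: 'malformed-data', host: null };
      return {
        kind: ACTIVE_TYPES.has(d.mediatype) ? 'active-data' : 'inert-data',
        host: null,
        mediatype: d.mediatype,
      };
    }
    case 'http':
    case 'https':
      try {
        return { kind: 'remote', host: new URL(u).hostname };
      } catch (e) {
        return { kind: 'malformed-remote', host: null };
      }
    default:
      return { kind: 'other-scheme', host: null };
  }
}

// Constructed sample targets; the first is the one quoted in the thread.
const SAMPLES = [
  'data:,Hello%2C%20World!',
  'data:text/html,%3Ch1%3Ehello%3C%2Fh1%3E',
  'data:text/html;base64,' + Buffer.from('<html><body>sample</body></html>').toString('base64'),
  'javascript:void(0)',
  'https://mail.google.com/mail/',
];

function report(uris) {
  return uris.map((uri) => ({ uri, ...classifyNavigation(uri) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of report(SAMPLES)) {
    console.log(r.kind.padEnd(14), (r.host || r.mediatype || '-').padEnd(18), r.uri.slice(0, 48));
  }
}
```

The useful signal for a user or a detection rule is the `host` field: a real sign-in page has a hostname in the URL bar, while every data: and javascript: target has none, whatever text the rest of the URI happens to contain. The `active-data` class is the one that matters for the phishing case, since text/html (and SVG or XHTML) documents loaded this way run script and render forms just like a remote page.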

Re: Subtle phishing scam targeting Gmail users

Posted: Sat Apr 01, 2017 6:29 am
by barbaz
My understanding is that the data: URI isn't typed or pasted in, it's loaded by clicking a link. NoScript treats that differently from a typed/pasted data: URI, but I don't remember what protection, if any, it does on data: URIs on whitelisted sites like Gmail.

And I seem to recall there were also issues with handling data: URIs loaded by clicking links, but that isn't turning up in searching.

Re: Subtle phishing scam targeting Gmail users

Posted: Sat Apr 01, 2017 3:37 pm
by therube
OK.

URL: http://openloadmovies.org/movies/the-three-stooges/

Center-click the video placeholder & you get something like:

(truncated)

Code:

data:text/html,%3C!DOCTYPE%20html%3E%0A%3Chtml%20lang%3D%22en-US%22%3E%0A%3Chead%3E%3Cmeta%20charset%3D%22utf-8%22%20%2F%3E%3Cbase%20href%3D%22https%3A%2F%2Fopenload.co%2F%22%20%2F%3E%3Cscript%3Ewindow.exclude%3Dtrue%3Bwindow.turnoff%3Dtrue%3Bwindow.useCors%3Dtrue%3Bdocument.addEventListener(%22mouseup%22%2Cfunction()%7Blogpopup(1)%3B%7D%2Cfalse)%3Bwindow.corsToken%3D%22zxVHaaikYtBL5RgM1zXZNFv4Jq68x3dObkgqdFbq3eryWbyRKpvxVAiz60ypTWeW%22%3B%3C%2Fscript%3E%0A%3Cscript%20type%3D%22text%2Fjavascript%22%3E%0A%2F%2F%3C!%5BCDATA%5B%0Atry%7Bif%20(!window.CloudFlare)%20%7Bvar%20CloudFlare%3D%5B%7Bverbose%3A0%2Cp%3A0%2Cbyc%3A0%2Cowlid%3A%22cf%22%2Cbag2%3A1%2Cmirage2%3A0%2Coracle%3A0%2Cpaths%3A%7Bcloudflare%3A%22%2Fcdn-cgi%2Fnexp%2Fdok3v%3D1613a3a185%2F%22%7D%2Catok%3A%220127ec569970300ae984d641e3d57198%22%2Cpetok%3A%227b7ee8e959d25e47574e5e409fe1c99b66ae14ee-1491060712-1800%22%2Czone%3A%22openload.co%22%2Crocket%3A%220%22%2Capps%3A%7B%22abetterbrowser%22%3A%7B%22ie%22%3A%228%22%2C%22opera%22%3A%2212.0%22%2C%22chrome%22%3A%222.9%22%2C%22safari%22%3A%223.0%22%2C%22firefox%22%3A%2220.0%22%7D%7D%7D%5D%3B!function(a%2Cb)%7Ba%3Ddocument.createElement(%22script%22)%2Cb%3Ddocument.getElementsByTagName(%22script%22)%5B0%5D%2Ca.async%3D!0%2Ca.src%3D%22%2F%2Fajax.cloudflare.com%2Fcdn-cgi%2Fnexp%2Fdok3v%3Df2befc48d1%2Fcloudflare.min.js%22%2Cb.parentNode.insertBefore(a%2Cb)%7D()%7D%7Dcatch(e)%7B%7D%3B%0A%2F%2F%5D%5D%3E%0A%3C%2Fscript%3E%0A%3Cscript%20type%3D%22text%2Fjavascript%22%3Ewindow.shouldreport%3D%225TMkyEx-4HE%22%3Bwindow.filesize%3D630507718%3B%3C%2Fscript%3E%20%3C!--%5Bif%20lte%20IE%208%5D%3E%3Cscript%20type%3D%22text%2Fjavascript%22%20src%3D%22%2Fassets%2Fjs%2Fexcanvas.js%22%3E%3C%2Fscript%3E%3C!%5Bendif%5D--%3E%0A%3Cmeta%20name%3D%22description%22%20content%3D%22The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22og%3Atitle%22%20content%3D%22The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22og%3Adescription%22%20content%3D%22Strea
m%20The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%20via%20Openload%22%3E%0A%3Cmeta%20name%3D%22og%3Atype%22%20content%3D%22video.movie%22%3E%0A%3Cmeta%20name%3D%22og%3Aurl%22%20content%3D%22https%3A%2F%2Fopenload.co%2Fembed%2F5TMkyEx-4HE%2FThe_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22og%3Asitename%22%20content%3D%22Openload%22%3E%0A%3Cmeta%20name%3D%22og%3Aimage%22%20content%3D%22https%3A%2F%2Fthumb.oloadcdn.net%2Fsplash%2F5TMkyEx-4HE%2FH8_xqwq193E.jpg%22%3E%0A%3Cmeta%20name%3D%22twitter%3Acard%22%20content%3D%22summary_large_image%22%3E%0A%3Cmeta%20name%3D%22twitter%3Atitle%22%20content%3D%22The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%22%3E%0A%3Cmeta%20name%3D%22twitter%3Adescription%22%20content%3D%22Stream%20The_Three_Stooges_2012_720p_BrRip_YIFY_HI.mp4%20via%20Openload%22%3E%0A%3Cmeta%20name%3D%22twitter%3Aimage%22%20content%3D%22https%3A%2F%2Fthumb.oloadcdn.net%2Fsplash%2F5TMkyEx-4HE%2FH8_xqwq193E.jpg%22%3E%0A%3Cmeta%20name%3D%22robots%22%20content%3D%22noindex%22%3E%0A%3Clink%20href%3D%22https%3A%2F%2Fcdnjs.cloudflare.com%2Fajax%2Flibs%2Fvideo.js%2F5.15.1%2Fvideo-js.min.css%22%20rel%3D%22stylesheet%22%3E%0A%3Clink%20href%3D%22%2Fassets%2Fcss%2Fvideo.js%2Folvideo.css%22%20rel%3D%22stylesheet%22%3E%0A%3Cscript%20src%3D%22%2Fassets%2Fjs%2Fjquery.min.js%22%3E%3C%2Fscript%3E%0A%3Cscript%20src%3D%22%2Fassets%2Fjs%2Fvideojs-ie8.min.3.js%22%3E%3C%2Fscript%3E%3Cscript%3E%0D%0Awindow._VideoLoaded%3Dfalse%3B%0D%0A%3C%2Fscript%3E%0A%3C%2Fhead%3E%0A%3Cbody%3E%0A%3Cdiv%20id%3D%22mediaspace_wrapper%22%3E%0A%3Cdiv%20class%3D%22videocontainer%22%3E%0A%3Cinput%20type%3D%22file%22%20id%3D%22srtSelector%22%20style ...
Complete, https://pastebin.com/gTYxqDjp.

Re: Subtle phishing scam targeting Gmail users

Posted: Sat Apr 01, 2017 10:08 pm
by barbaz
For me it appears to give me the direct link to the video.

Re: Subtle phishing scam targeting Gmail users

Posted: Sun Apr 02, 2017 3:41 pm
by therube
Ah, I left out some steps, didn't I.
So...

URL: http://openloadmovies.org/movies/the-three-stooges/

By default, you should see a placeholder.
Center-click the placeholder.

Opens, https://openload.co/embed/5TMkyEx-4HE/T ... IFY_HI.mp4

Temporarily Allow, openload.co

Page refreshes & URL changes to a data: URI.

Re: Subtle phishing scam targeting Gmail users

Posted: Sun Apr 02, 2017 3:58 pm
by barbaz
Yep, I see it after following your steps, and then clicking the play button in the middle. It asks me whether I want to open or save the data URI.

Re: Subtle phishing scam targeting Gmail users

Posted: Sun Apr 16, 2017 11:55 am
by therube

Re: Subtle phishing scam targeting Gmail users

Posted: Tue Apr 18, 2017 7:38 pm
by barbaz
Thanks for the link, therube.

Top-level data: URIs are critical for me. Disabling that would make it unusable. I hope that if they go that route, there will be a way to re-enable top-level data: URIs.