With any emerging threat there is an ongoing arms race between those who perpetrate the threats and those who work on eradicating them. We’ve seen this happen with spam, where spammers would try to develop new techniques to get their email to pass through spam filters, and, in turn, anti-spam offerings would take these techniques into account in an effort to better recognize (and eliminate) spam.
Phishing is no different. For example, we recently came across an entire phishing Web site that was built using Macromedia Flash. Macromedia Flash (or, just “Flash”) is a very popular technology used to add animations and interactivity to Web pages (though the technology is not necessarily limited to use within Web pages). If you have ever seen a glitzy Web page with nice animation, chances are that the animation was developed using Flash.
An entire Web page that was built using only Flash could more or less achieve the same functionality as a page developed using more traditional authoring languages like HTML and Javascript. Why do phishers care to develop an entire Web site in Flash? Well, by doing so it becomes harder to analyze the page itself, which might make it harder to determine whether or not the page is malicious. For example, many anti-phishing toolbars might try to determine if a certain Web page contains a “form element” where users would enter sensitive information, such as a password. It is easy enough to make this determination by simply searching for an appropriate < form > tag in the HTML code used in the page itself. However, it is possible to create the equivalent of the form element entirely in Flash, but without ever employing a < form > tag. Any anti-phishing technique that only involves analyzing HTML would not succeed.
This technique is similar to how spammers started using images in emails (in some cases, building the entire email as an image) with the hope that any spam filter that only analyzes text would not be able to make any sense of the email, and would let it pass through with flying colors.
I’d like to remark that the challenge, from the phisher’s perspective, is slightly different from that of a spammer’s. In particular, the phisher must get his victims to interact with the page he creates in a way that does not arouse suspicion, whereas with spam, the only concern is that the recipient actually sees the message.
Also, a good anti-phishing tool will take on a defense-in-depth approach , using multiple “angles” when determining whether a given site is really malicious. This approach is what Symantec uses in the forthcoming Norton Confidential product.
We do not doubt that phishers will continue to develop more sophisticated techniques. Rest assured that we good guys are hard at work developing countermeasures.