Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

"Phlash" Phishing Revisited

Created: 04 Jan 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:53:49 GMT
Zulfikar Ramzan's picture
0 0 Votes
Login to vote

Back in July, I wrote a blog entry about examples we had seen of phishing Web sites that worked entirely using Macromedia Flash. What makes these sites scary is that they cannot be analyzed in the same way as traditional HTML- or Javascript-based phishing pages.

When we first mentioned these attacks, the observations didn’t receive much external attention. Perhaps this was due to other, more pressing, issues related to the growth of phishing or, more likely, perhaps folks were in the post-Independence Day doldrums. Now, there has been a resurgence of interest in this topic as seen in some recent articles. With this resurgence, I thought it would make sense to point readers back to my original article on the subject of Flash-based phishing attacks.

We are noticing a clear trend in which attackers are leveraging embedded software technologies in their attacks. For example, there was a recent cross-site scripting attack that takes advantage of the way some Adobe PDF file-viewing plugins work. The well-known Windows Metafile Vulnerability is similar. And we shouldn’t forget that attackers love to package malicious software inside humorous advertisements for beer (and a host of other goods and services I won't name here).

This trend should not come as a surprise. As the demand for rich content grows, so too will the number of components needed to render that content. Naturally, these components must interoperate, and the number of ways that they can talk to each other grows quite fast. Also, let’s not forget that much of this rich content is being created by individual end users. The overall system quickly becomes extremely complex.

Historically, we know that the most complex systems are often ripe with bugs and other security vulnerabilities. We’re just seeing history repeat itself. Fortunately, we can use our past experiences to help us address the seemingly new set of security challenges we face today.

Further reading:

My original blog entry on Flash-based phishing:
http://www.symantec.com/enterprise/security_response/weblog/2006/07/phlash_phishing.html

Hon Lau’s excellent blog entry on the Adobe PDF cross-site scripting attack:
http://www.symantec.com/enterprise/security_response/weblog/2007/01/when_pdfs_attack.html