Phishers always try to come up with new tricks to bypass phishing toolbars. So, it’s not really surprising that we've now seen several phishing websites that are using Flash-based content instead of normal HTML. The main objective for the use of Flash-based content is to avoid phishing detection by toolbars that analyze page content.
Symantec has observed some recent examples all targeting reputable brands. These sites look like genuine front pages, but they are actually Flash recreations.
As shown in the above snapshot, if we right click on the Web page it reveals some program options such as "Zoom In," "Show All," and "play" options in the menu instead of the normal options you would see on an HTML page. When you type in login information, the .swf (Shockwave Flash) file displays a new page, asking for your credit card information, as we can see in the below snapshot.
It is possible that financial institution websites may host marketing graphics in the form of a vulnerable Flash applet. Attackers can easily build a phishing site that mimics a legitimate site. The attackers will then trick customers into clicking on a malicious link on the phishing site in order to launch a maliciously crafted Flash applet. The attackers are able to execute an .swf file that injects malicious code variables that forces customers’ authentication cookies (login credentials) to be sent directly to the attackers.
Attackers have begun using Flash animation to create spoof sites as a strategy to defeat automated anti-phishing services that scan the text of a page in search of suspect phrases (the brand names of financial institutions, for example). When phrases such as these are picked up they will usually identify the page as a phishing scam. Even spiders (search engines) will not be able to read or understand the site if it is Flash-based.
Flash phishing attacks do require a Flash player to already be installed. Users without Flash installed will be redirected to a download site by the malicious phishing sites. If users refuse to download the Flash player, the site will not be viewable. Phishers have begun to develop ways to counteract this problem by providing separate pages for Flash and non-Flash visitors.
Flash-based sites also require considerable time to load, especially on machines with slow Internet connections. Phishers previously shifted from HTML to JavaScript to make it harder to analyze a page's source code, and the use of Flash represents the next step in this evolution. Flash attacks are becoming more common, so we need to keep a close eye on this. Be assured that Symantec is doing so and will keep you informed of any updates on this trend.