Data URI Phishing with King Phisher
One of the newest techniques being blogged about in the security world is phishing through the data URI. Thanks to a viral Twitter post, many sites like Wordfence have published specific advisories to warn users about this type of attack. What makes this technique so effective is the ability to create a convincing address in the address bar. Most security awareness training today focuses on reading the address bar closely to ensure it doesn’t contain a misspelling or clever use of a subdomain, but as we’ve seen this can easily be circumvented. Until users begin to use ScriptBlock or a second factor, the best way to combat this attack is through training. KingPhisher has the functionality to perform these types of tests right out of the box with little additional configuration.
Setup
Assuming you have the King Phisher client and it’s connected to your King Phisher email server, we’re going to set our Web Server URL to be forwarder separate from our login page. For the sake of this exercise, we are going to call our forwarding page authorization.html and the page we want users to submit credentials on login.html.
Configure the Pages
Now to configure our redirection. The target URL should look something like this:
Notice what’s going on here. I am creating an invisible iframe with my credential collection page underneath. We must pass it the Jinja tag client.message_id so visits and submissions will be recorded for each user.
If you want to take it a step further, you can escape this all to make it a little harder for humans to read. The output should look similar to this:
You can do this yourself with Javascript or simply use an online tool if you prefer. Notice the large amount of %20 (space) characters.
Now for the actual redirection. There are a number of different ways to perform a quick redirect, but I will opt for window.location here. Your final contents of authorization.html should look something like this:
Send the Campaign
Make sure you are pointing King Phisher towards your own webserver where authorization.html lives and fire away! The individual ID and user ID will be forwarded from your redirection page directly to the underlying login page in the invisible frame. Here’s what it looks like from the user’s end in Chrome:
Thanks to @xxDigiPxx for the inspiration and proof of concept.