
Running a Data URI Phishing Campaign with King Phisher

January 19, 2017 By Mike

Data URI Phishing with King Phisher

One of the newest techniques being blogged about in the security world is phishing through the data URI. Thanks to a viral Twitter post, many sites like Wordfence have published specific advisories to warn users about this type of attack. What makes this technique so effective is the ability to create a convincing address in the address bar. Most security awareness training today focuses on reading the address bar closely to ensure it doesn’t contain a misspelling or clever use of a subdomain, but as we’ve seen, this can easily be circumvented. Until users begin to use ScriptBlock or a second factor, the best way to combat this attack is through training. King Phisher has the functionality to perform these types of tests right out of the box with little additional configuration.

Setup

Assuming you have the King Phisher client and it’s connected to your King Phisher email server, we’re going to set our Web Server URL to be a forwarder separate from our login page. For the sake of this exercise, we are going to call our forwarding page authorization.html and the page we want users to submit credentials on login.html.

Configure the Pages

Now to configure our redirection. The target URL should look something like this:

 

Notice what’s going on here. I am creating an invisible iframe with my credential collection page underneath. We must pass it the Jinja tag client.message_id so visits and submissions will be recorded for each user.

If you want to take it a step further, you can escape this all to make it a little harder for humans to read. The output should look similar to this:

You can do this yourself with JavaScript or simply use an online tool if you prefer. Notice the large number of %20 (space) characters.

 

Now for the actual redirection. There are a number of different ways to perform a quick redirect, but I will opt for window.location here. Your final contents of authorization.html should look something like this:

Send the Campaign

Make sure you are pointing King Phisher towards your own webserver where authorization.html lives and fire away! The individual ID and user ID will be forwarded from your redirection page directly to the underlying login page in the invisible frame. Here’s what it looks like from the user’s end in Chrome:

 

 

Thanks to @xxDigiPxx for the inspiration and proof of concept.
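
For the training and detection side of this exercise, the traits described above (an HTML data URI, a long run of %20 padding, an embedded iframe) can be checked mechanically in URLs taken from mail bodies or proxy logs. The following is an added example, not code from the original post or from King Phisher; the function name inspectDataUri, the PAD_THRESHOLD value and the sample URIs are assumptions constructed for illustration.

```javascript
// Added example: flags data: URIs showing the traits described in this post.
// PAD_THRESHOLD and the function name are assumptions chosen for illustration.
const PAD_THRESHOLD = 20; // consecutive whitespace characters treated as padding

function inspectDataUri(raw) {
  const result = { isDataUri: false, mediaType: null, padding: 0, reasons: [] };
  const m = /^\s*data:([^,]*),([\s\S]*)$/i.exec(raw);
  if (!m) return result;
  result.isDataUri = true;

  // Header is "[mediatype][;param...][;base64]"; the default type is text/plain.
  const params = m[1].split(';').map((p) => p.trim().toLowerCase());
  result.mediaType = params[0] || 'text/plain';
  const isBase64 = params.slice(1).includes('base64');

  let body;
  try {
    body = isBase64
      ? Buffer.from(m[2], 'base64').toString('utf8')
      : decodeURIComponent(m[2]);
  } catch (e) {
    body = m[2]; // malformed percent-escapes: inspect the raw text instead
    result.reasons.push('malformed-encoding');
  }

  const renders = ['text/html', 'application/xhtml+xml', 'image/svg+xml'];
  if (!renders.includes(result.mediaType)) return result; // will not render markup

  result.reasons.push('renders-markup');
  const runs = body.match(/\s+/g) || [];
  result.padding = runs.reduce((max, r) => Math.max(max, r.length), 0);
  if (result.padding >= PAD_THRESHOLD) result.reasons.push('whitespace-padding');
  if (/<iframe\b/i.test(body)) result.reasons.push('iframe');
  if (/<script\b/i.test(body)) result.reasons.push('script');
  if (/<form\b|type\s*=\s*["']?password/i.test(body)) result.reasons.push('credential-form');
  return result;
}

// Constructed samples (not taken from the post).
const padded = 'data:text/html,' + '%20'.repeat(120) +
  '%3Ciframe%20src%3D%22https%3A%2F%2Fexample.test%2F%22%3E%3C%2Fiframe%3E';
const image = 'data:image/png;base64,iVBORw0KGgo=';
console.log(inspectDataUri(padded).reasons, inspectDataUri(image).reasons);
```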

 

 


Mike

Penetration tester and former educator.
