Phishers resort to AES crypto to obfuscate phishing sites

Phishers have started employing AES encryption to disguise the real nature of phishing sites from automatic phishing detection tools.

This is the latest obfuscating trick in the fraudsters’ bag. They have previously used – and still do – JavaScript encryption tools, data URIs and character escaping to achieve the same goal.

Symantec researcher Nick Johnston analyzed the phishing page that was found (an online banking login page) and explained the procedure: “The page includes a JavaScript AES implementation, which it calls with the embedded password (used to generate the key) and embedded encrypted data (ciphertext). The decrypted phishing content is then dynamically written to the page using document.write(). This process happens almost instantly, so users are unlikely to notice anything unusual.”

The encryption matters because it keeps the website under security researchers’ radar for as long as possible and makes it more difficult to analyze.

“A casual, shallow analysis of the page will not reveal any phishing related content, as it is contained in the unreadable encrypted text,” Johnston noted.

No attempt has been made to hide the key or otherwise conceal what is going on – this is the initial “version” of this obfuscation technique, and will likely not be the final one. Phishing detection will improve, and fraudsters will have to keep pace in order to remain successful.
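
A detection tool can look past the unreadable ciphertext by flagging the decrypt-and-write structure Johnston describes rather than the page text. The following Node.js heuristic is an added example, not Symantec's tooling or code from the analyzed page; the thresholds, signal names, the `aesDecrypt` function name and both sample pages are constructed assumptions.

```javascript
// Added example: static triage for pages that decrypt their own content.
// Thresholds, signal names and sample pages are assumptions for illustration.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;

// Shannon entropy in bits per character.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

function triage(html) {
  const scripts = [...html.matchAll(SCRIPT_RE)].map((m) => m[1]).join("\n");
  const markup = html.replace(SCRIPT_RE, ""); // what a shallow scan sees
  // Long quoted literals made only of base64/hex characters.
  const blobs = (scripts.match(/(["'])[A-Za-z0-9+\/=]{200,}\1/g) || [])
    .map((q) => q.slice(1, -1));
  const signals = {
    // 3.5 bits/char admits random hex (max 4) and base64 (max 6).
    encodedBlob: blobs.some((b) => entropy(b) >= 3.5),
    dynamicWrite: /\bdocument\.write(ln)?\s*\(/.test(scripts),
    cryptoHint: /\b(aes|decrypt|cipher)/i.test(scripts),
    noStaticForm: !/<(form|input)\b/i.test(markup),
  };
  const score = Object.values(signals).filter(Boolean).length;
  return { signals, score, suspicious: score >= 3 };
}

// Constructed sample pages; the blob is a deterministic stand-in, not ciphertext.
function samplePages() {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  let blob = "";
  for (let i = 0; i < 256; i++) blob += alphabet[(i * 37 + 11) % 64];
  const obfuscated = `<html><body><script>
var password = "constructed-password";
var data = "${blob}";
document.write(aesDecrypt(password, data)); // aesDecrypt: hypothetical name
</script></body></html>`;
  const benign = `<html><body><form action="/login"><input name="user"></form>
<script>document.write(new Date().getFullYear());</script></body></html>`;
  return { obfuscated, benign };
}

const pages = samplePages();
console.log(triage(pages.obfuscated));
console.log(triage(pages.benign));
```

A page that trips three or more signals is a candidate for rendering in an instrumented browser, where the content passed to document.write() can be inspected directly.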
