Phishing without a webpage – researcher reveals how a link *itself* can be malicious

The need for a reliable place to host your malicious website has been the bane of phishers for much of the last decade.

But, no longer.

Web browser, courtesy of ShutterstockA researcher at the University of Oslo in Norway says that page-less phishing and other untraceable attacks may be possible, using a tried and true internet communications standard: the uniform resource identifier, or URI.

Henning Klevjer, an information security student at the University of Oslo in Norway, suggests in a just-released research paper that it may be possible for attackers to dispense with phishing sites altogether, embedding their entire scam webpage in an encoded data URI that can be passed around from victim to victim.

URIs are strings of characters that identify a resource. The term encompasses the better-known Uniform Resource Locator (URL) and uniform resource name (URN). However, whereas URLs specify the location of a specific network resource and how it should be accessed (i.e. with HTTP, HyperText Transfer Protocol), URIs are more flexible and can even be used to host the data they “link” to.

Klevjer’s paper, “Phishing by data URI” [PDF], suggests ways that the malleability of the URI could be used to mask malicious content.


Read more on SOPHOS

It’s your turn to help!

All our instructions are completely free of any charge. If you like to support our work with a donation, your charitable contribution supports our team in their mission against malware.