Mime Sniffing and Phishing

Friday and today I got a very interesting URL highlighted by our spam traps. The URL looks like a JPG, and so I went to see what it was. I figured it’d be stock spam or pill spam or something. What I didn’t expect was what I got.

hxxp://widutr67e8ds63e7dsz3edsx.land.ru/ViewItehewgast627ewaduj23ew7sd.jpg

So, it turns out that the URL is designed for IE4+ users, and it takes advantage of mime sniffing. The Heise site described mime sniffing as:

Internet Explorer 4 introduced a fourth method, known as MIME sniffing, or mime type detection. So no version of IE now automatically assumes that a file taken from the web has the same content type as that stated by the server in the HTTP header. Nor does it trust the file name extension, or signature, on their own. Instead, Internet Explorer also examines the first 256 bytes of the file to determine its type

So that URL renders as a broken image in FireFox and Safari but OK in IE. You can see that the server response below. It sets “Content-Type: image/jpeg” but then serves up dynamic HTML. The browser, IE in this case, renders the phish.

mime_sniffing and phishing.png

The site, widutr67e8ds63e7dsz3edsx.land.ru has been blacklisted by a couple of sites. I don’t know how many correctly – or incorrectly – catch the phishing attack. The site uses a GMail drop, and Google’s been alerted, too.

Thanks Alex and N for cluing me in to what was afoot. These are the first phishing attacks I’ve seen using them, I don’t know how many I’ve missed over the months.

2 Responses to “Mime Sniffing and Phishing”

March 07, 2009 at 7:57 am, salem said:

hi mr.Jose Nazario
am a PhD student working on social engineering ..
one part of my study is the phishing attacks, am going to analyse phishing emails that you have collected from 2004-2007

firstly I would like to excuse you to do some analysis on that groups of emails and for sure I will recite you on my references
secondly am asking if you have more collections in 2008, that will help to get more accurate
figure about how do phishing emails behave..

am happy if we can co-operate for any work, that would be my pleasure

my email..
osasalem at bradford.ac.uk

regards
salem

NOTE – i edited the email address to make it less spam harvester friendly (jose)

May 30, 2009 at 9:28 am, Survey: “MIME/Content-Type-Sniffing” Issues in Image Uploads in Forum Scripts « NOTHING SPECIAL said:

[…] [3] /blog/asert/2009/03/mime-sniffing-and-phishing/ [4] http://bugs.php.net/bug.php?id=47359 [5] […]

Comments are closed.