Security Headers to prevent phishing

By Markus Winkler

Security Headers is a concept and set of practices in web security that involves configuring HTTP response headers to enhance the security of web applications. These headers provide instructions to the web browser on how to behave when handling the web content and can mitigate various types of security risks.

Recently, phishing campaigns designed to steal one’s e-mail credentials have become increasingly popular. The stolen data are then used to carry out various frauds (CEO Fraud, BEC, Spear Phishing, Man in the Mail, etc.).

These generic phishing campaigns, i.e. pages that ask the user to confirm their password without displaying the logo of any third-party company (bank, credit card issuer, etc.), are usually spread via IPFS websites or Web3 platforms (ipfs.io, cloudflare-ipfs.com, etc.).

In these phishing campaigns, the victim’s e-mail address is carried in the URL itself as a parameter, for instance:
https://ipfs[.]io/ipfs/QmP1LNYqmBuUwC1qMLaTn7Ggpwv1Gpz42mHUh1hi7f2zp4#debug@wikipedia.com

The presence of the e-mail in the URL is essential for two reasons:

  1. The e-mail is displayed on the phishing page to make the password request look more legitimate;
  2. It lets the page load, in the background, the website of the e-mail’s domain, again to deceive the user and make the request look more authoritative.

An example, to better understand:

In this screenshot, we see the likely victim’s e-mail shown verbatim and, in the background, the Wikipedia homepage.

The background is produced by an iframe in the phishing page’s HTML code:

<iframe src="//wikipedia.com" id="mainPage" style="position: fixed; inset: 0px; width: 100%; height: 100%; border: none; margin: 0px; padding: 0px; overflow-x: hidden; z-index: 999;">
        Your browser doesn't support iframes
</iframe>

If you want to learn more about this technique, you can find a scan of the original HTML code on urlscan.io.

But thanks to security headers, we can prevent our website from being loaded inside an iframe on another site. This impediment certainly makes the phishing page less convincing. A further example can be seen with my personal domain, in this short video:

After applying the correct security headers we get this result:

As you will have seen in the second video, all the graphics from the draghetti.it domain are missing.

This is made possible by the implementation of Security Headers, in particular the ‘X-Frame-Options’ header.
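To check whether a site’s response headers would actually stop this kind of embedding, here is an added Python example (not the post’s code and not part of the htpw project). It applies the X-Frame-Options rules discussed above and also the frame-ancestors directive of Content-Security-Policy, which is the newer mechanism for the same purpose; the origins and header sets are constructed for illustration.

```python
# Added example, not the post's code; origins and header sets below are constructed.

def _source_allows(source, framer, site):
    """Does one CSP frame-ancestors source permit origin `framer` to embed `site`?"""
    src = source.strip("'").lower()
    if src == "none":
        return False
    if src == "self":
        return framer == site
    if src == "*":
        return True
    if src in ("http:", "https:"):                 # scheme-only source
        return framer.startswith(src + "//")
    scheme, _, host = src.rpartition("://")        # scheme is "" for a bare host
    f_scheme, _, f_host = framer.lower().rpartition("://")
    if scheme and scheme != f_scheme:
        return False
    if host.startswith("*."):                      # wildcard subdomains
        return f_host.endswith(host[1:])
    return host == f_host

def can_be_framed(headers, framer, site):
    """True if origin `framer` may iframe a page that `site` served with `headers`.
    frame-ancestors wins over X-Frame-Options when both are present, as in browsers."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return any(_source_allows(s, framer, site) for s in tokens[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == site
    return True   # no header (or one browsers ignore): any page may frame it

PHISHING_ORIGIN = "https://ipfs.io"          # where the lure page is hosted
SITE = "https://www.wikipedia.org"           # the impersonated site (constructed)
SAMPLES = {                                  # constructed response header sets
    "no headers": {},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "csp": {"Content-Security-Policy": "frame-ancestors 'self' https://*.wikimedia.org"},
}

def report(samples=SAMPLES, framer=PHISHING_ORIGIN, site=SITE):
    return {name: can_be_framed(h, framer, site) for name, h in samples.items()}

if __name__ == "__main__":
    for name, framed in report().items():
        print(f"{name:12s} framable by {PHISHING_ORIGIN}: {framed}")
```

Run it against the headers your own site returns (for example copied from the browser’s network panel) to see whether a third-party page could still embed it.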

For more details on HTTP Headers you can look at the OWASP guide.

If you have a WordPress blog, you can take advantage of my htpw (.htaccess to protect WordPress) project to implement Security Headers and improve other security aspects as well.
