Mime Sniffing and Phishing
Friday and today I got a very interesting URL highlighted by our spam traps. The URL looks like a JPG, and so I went to see what it was. I figured it’d be stock spam or pill spam or something. What I didn’t expect was what I got.
So, it turns out that the URL is designed for IE4+ users, and it takes advantage of mime sniffing. The Heise site described mime sniffing as:
Internet Explorer 4 introduced a fourth method, known as MIME sniffing, or mime type detection. So no version of IE now automatically assumes that a file taken from the web has the same content type as that stated by the server in the HTTP header. Nor does it trust the file name extension, or signature, on their own. Instead, Internet Explorer also examines the first 256 bytes of the file to determine its type.
So that URL renders as a broken image in Firefox and Safari but OK in IE. You can see the server response below. It sets “Content-Type: image/jpeg” but then serves up dynamic HTML. The browser, IE in this case, renders the phish.
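A check that a spam trap or proxy could run to flag exactly this mismatch, as an added example that is not from the original post: it compares the declared image Content-Type against the first 256 bytes of the body (the window IE sniffs) and reports when those bytes are really HTML. The sample headers and bodies are constructed for the example.

```python
import re

# Magic-number prefixes for the image types we verify against the declared Content-Type.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Tags that, inside the sniffing window, show the body is HTML rather than image data.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|form|title|meta)\b",
    re.IGNORECASE,
)

SNIFF_WINDOW = 256  # bytes IE examines, per the Heise description quoted above


def declared_type(headers):
    """Return the media type from Content-Type (header names matched case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("content-type", "").split(";", 1)[0].strip().lower()


def classify_response(headers, body):
    """Classify a response as 'not-image-claim', 'consistent', 'html-as-image'
    or 'unknown-image-body' (claims an image type but matches neither magic nor HTML)."""
    ctype = declared_type(headers)
    if ctype not in IMAGE_MAGIC:
        return "not-image-claim"
    head = body[:SNIFF_WINDOW]
    if any(head.startswith(magic) for magic in IMAGE_MAGIC[ctype]):
        return "consistent"
    if HTML_MARKERS.search(head):
        return "html-as-image"
    return "unknown-image-body"


# Constructed samples: a phish-style response and a genuine JPEG prefix.
PHISH_HEADERS = {"Content-Type": "image/jpeg"}
PHISH_BODY = b"<html><head><title>Account verification</title></head><body>...</body></html>"
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 300

if __name__ == "__main__":
    print(classify_response(PHISH_HEADERS, PHISH_BODY))  # html-as-image
    print(classify_response(PHISH_HEADERS, REAL_JPEG))   # consistent
```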
The site, widutr67e8ds63e7dsz3edsx.land.ru, has been blacklisted by a couple of sites. I don’t know how many correctly – or incorrectly – catch the phishing attack. The site uses a Gmail drop, and Google’s been alerted, too.
Thanks Alex and N for cluing me in to what was afoot. These are the first phishing attacks I’ve seen using this technique; I don’t know how many I’ve missed over the months.