Phishing fraudsters have begun using industry-standard AES-256 encryption to disguise the content of fraudulent sites.

Obfuscated phishing sites are nothing new. Various techniques, such as JavaScript encryption tools, are commonly used, but Symantec recently caught what it reckons is the first use of AES-256 encryption in dodgy sites designed to hoodwink consumers into handing over their login credentials.

"The site used AES to hide the phishing page content", Paul Wood, manager of cyber security intelligence at Symantec, told El Reg. The tactic is designed to make the analysis of phishing sites more difficult for security researchers without interfering with how sites are presented to victims, as a blog post by Symantec explains.

The page includes a JavaScript AES implementation, which it calls with the embedded password (used to generate the key) and embedded encrypted data (ciphertext). The decrypted phishing content is then dynamically written to the page. This process happens almost instantly, so users are unlikely to notice anything unusual. Once decryption is complete, the phishing site is shown as normal. A casual, shallow analysis of the page will not reveal any phishing-related content, as it is contained in the unreadable encrypted text.

The techniques in play, which are essentially designed to give phishing sites a slightly longer shelf life before the inevitable smackdown, are far from foolproof and wide open to improvement. For example, no attempt is made to hide the key or otherwise conceal what is going on. "However, we expect that as phishing detection matures further and improves in effectiveness, attacks like this will become more sophisticated," writes Symantec security researcher Nick Johnston.
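Because the key and ciphertext sit in the page in the clear, the structure described above can be flagged statically for deeper analysis. The following is an added example, not code from Symantec or the original article: a JavaScript triage heuristic whose thresholds, function names (including the hypothetical `aesDecrypt`) and sample pages are assumptions constructed for illustration.

```javascript
// Added example: static triage for pages that decrypt their own content in the browser.
const MIN_BLOB_LEN = 200; // assumed threshold: shortest literal treated as possible ciphertext
const MIN_ENTROPY = 4.5;  // assumed threshold in bits/char (base64 ciphertext approaches 6)

// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// Report the indicators the article describes: an embedded encrypted blob, a
// decrypt call, a dynamic write of the result, and almost no static content.
function triagePage(html) {
  const js = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]).join("\n");
  const literals = [...js.matchAll(/"([^"\\\n]*)"|'([^'\\\n]*)'/g)].map(m => m[1] ?? m[2]);
  const visible = html.replace(/<script\b[\s\S]*?<\/script>/gi, "").replace(/<[^>]+>/g, "").trim();
  const indicators = {
    encryptedBlob: literals.some(s => s.length >= MIN_BLOB_LEN && shannonEntropy(s) >= MIN_ENTROPY),
    decryptCall: /(?:decrypt|\baes)\w*\s*\(/i.test(js),
    dynamicWrite: /document\.write(?:ln)?\s*\(|\.innerHTML\s*=/.test(js),
    emptyStaticBody: visible.length < 50,
  };
  const score = Object.values(indicators).filter(Boolean).length;
  const suspicious = indicators.encryptedBlob && indicators.dynamicWrite && score >= 3;
  return { indicators, score, suspicious };
}

// Constructed stand-in for ciphertext: deterministic pseudo-random base64 characters.
function fakeBlob(n) {
  const abc = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  let x = 12345, out = "";
  for (let i = 0; i < n; i++) { x = (x * 48271) % 2147483647; out += abc[x % 64]; }
  return out;
}

// Constructed sample pages; aesDecrypt is a hypothetical function name.
const SAMPLE_ENCRYPTED = `<html><body><script>
var pw = "example-password"; var data = "${fakeBlob(256)}";
document.write(aesDecrypt(data, pw));
</script></body></html>`;
const SAMPLE_PLAIN = `<html><body><h1>Welcome</h1>
<p>Sign in to view your account statements and recent activity.</p>
<script>document.write("Last updated today");</script></body></html>`;

console.log(triagePage(SAMPLE_ENCRYPTED), triagePage(SAMPLE_PLAIN));
```

A page flagged this way still needs to be rendered in an isolated browser to recover and classify the decrypted content; the heuristic only decides which pages deserve that deeper look.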

The fraudulent site itself poses as a banking website that's only noteworthy because of the use of AES-256 in its underlying code.

Cybercrooks across the spectrum of villainy are starting to use industry-standard encryption to push their wares. For example, the notorious CryptoLocker ransomware scrambles files on infected Windows PCs using RSA public-key cryptography before demanding a ransom from victims of $300 or more, payable in Bitcoin. Security firms Fox-IT and FireEye began offering a free recovery service to victims in August, but this service was only possible because of the recovery of a cache of private keys from a seized server – not through any break in the crypto scheme used by the cybercrooks.

Security researchers at Dell SecureWorks recently revealed how cybercrooks have taken to using steganography – the art of hiding secret information within another image or message file – to run a click-fraud scam. ®