May 12, 2011 16:01 GMT  ·  By
German Finance Ministry swaps images on its website to warn phishing targets

The German Ministry of Finance has swapped images that phishing pages load directly from its website with ones alerting users to the scams.

The loading of images or even code directly from impersonated websites is common in phishing scams that use local HTML documents instead of remotely hosted pages.

The number of phishing emails carrying HTML attachments has been increasing this year, especially those using tax refund lures.

The technique helps attackers avoid URL blacklists, which are fairly common today. With traditional methods, once a phishing page is blacklisted, the emails linking to it become worthless.

The use of HTML attachments increases the life expectancy of the scam, but this method has disadvantages too. One of them is that spam filters can detect the rogue emails more easily.

When local pages are used, attackers usually load the images directly from the spoofed websites, thus opening a backdoor into their operation.

According to antivirus vendor G-Data, the German Finance Ministry took advantage of this backdoor recently to warn individuals targeted in a tax refund scam.

It did this by displaying alerts on images loaded from its own website. Ironically, the German Finance Ministry is not even responsible for handling tax refunds. This is done by local tax offices.

This is not the first time image swapping has been used to turn the tables on attackers. ImageShack regularly replaces spam images hosted on its service with warnings.

Of course, there are methods for phishers and spammers to avoid this. For example, images can also be embedded directly into HTML files using the data: URL scheme.

In addition, the method might not always be feasible. The owners of frequently targeted websites might find it cumbersome to replace images each time they are spoofed in a phishing scam.
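To narrow down which images are worth swapping, a site owner can look for image requests that did not originate from the site's own pages. The following is an added example, not code from the ministry or G-Data; it assumes the web server writes the Apache/nginx combined log format, uses the hypothetical host name www.example.gov, and runs on constructed log lines.

```python
import re
from urllib.parse import urlsplit

SITE_HOSTS = {"www.example.gov"}  # assumption: host names of the legitimate site
IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg", ".svg")

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def is_offsite(referer):
    """True when the request was not triggered by one of our own pages."""
    if referer in ("", "-"):
        return True  # no Referer at all, as with a page opened from local disk
    host = urlsplit(referer).hostname
    return host is None or host.lower() not in SITE_HOSTS

def hotlinked_images(lines, min_clients=2):
    """Map image path -> number of distinct clients that fetched it off-site."""
    clients = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = urlsplit(m["target"]).path  # drop any query string
        if path.lower().endswith(IMAGE_EXT) and is_offsite(m["referer"]):
            clients.setdefault(path, set()).add(m["ip"])
    return {p: len(c) for p, c in clients.items() if len(c) >= min_clients}

# Constructed sample log lines (documentation IP ranges, hypothetical paths)
T = "[12/May/2011:10:00:01 +0200]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {T} "GET /img/logo.png HTTP/1.1" 200 5120 "https://www.example.gov/index.html" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "GET /img/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.45 - - {T} "GET /img/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.45 - - {T} "GET /img/header.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "GET /css/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    f'192.0.2.77 - - {T} "GET /img/logo.png?v=2 HTTP/1.1" 200 5120 "http://mail.example.net/view" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, count in hotlinked_images(SAMPLE_LOG).items():
        print(f"{path}: fetched off-site by {count} distinct clients")
```

A missing Referer also occurs on legitimate requests, so the output is a list of candidates to review rather than proof of a phishing campaign. Images embedded with the data: URL scheme never reach the server and will not appear in these logs.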

Image: Example of image bearing warning from the German Finance Ministry