How your pictures may affect your website reputation

Published: 2017-03-04
Last Updated: 2017-03-04 07:13:18 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

In a previous diary[1], I explained why the automatic processing of IOC’s (“Indicator of Compromise”) could lead to false positives. Here is a practical example found yesterday. I captured the following malicious HTML page (MD5: b55a034d8e4eb4504dfce27c3dfc4ac3)[2]. It is part of a phishing campaign and tries to lure the victim to provide his/her credentials to get access to an Excel sheet. Nothing very dangerous for most people. It’s a simply obfuscated Javascript code:

<script type="text/javascript">
document.write(unescape("%3c%68%74%6d%6c%3e%3c%68%65%61%64%3e ... ")

When loaded in the browser, it first displays a warning:

Then, it renders the fake Excel sheet with a popup to enter an email address and password:

If you analyse this page manually or using a sandbox system, you will see that it performs three HTTP Request to download pictures. My Cuckoo sandbox detected the following HTTP requests (sorry for the small fonts):

The detected URLs are:

  • hxxp:// : The dialog box
  • hxxp:// : The fake Excel sheet is a picture exchange platform and is regularly used to host such material. But the third request is different and looks totally legit:

  • hxxp://

This last image is an animated GIF that displays a loading bar (close to the “Starting" string on the picture above).

There exists plenty of versions of this loader bar[3] and attackers like them. It’s not unusual to see one on a malicious page to make it look more “dynamic”.  The problem is that automation can categorize the website as malicious and affect its reputation. If a tool decides to put the URL in a list of IOC's, access to it can be blocked when IOCs are used as a blocklist. I also tested this page with a FireEye appliance and the site popped up in the logs!

A good practice is to prevent hot-linking of images. Basically, you configure your web server to serve images only of the referer is correct:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Take care!


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

1 comment(s)


eweew<a href="">mashood</a>
dwqqqwqwq mashood
[ |]
What's this all about ..?
password reveal .

Diary Archives