A new phishing framework called GhostFrame, built around a stealthy iframe architecture, has been linked to more than a million attacks, cybersecurity experts at Barracuda have found.

This attack kit distinguishes itself from known Phishing-as-a-Service (PhaaS) offerings by its innovative approach to evasion and deception.

How Does GhostFrame Work?

GhostFrame’s design focuses on a simple HTML file that presents itself as a harmless landing page, while hiding its malicious behavior within an embedded iframe. This structure allows attackers to:

  • Swap phishing content: The inner phishing page can be adjusted or replaced without modifying the visible outer page.
  • Adjust regional targeting: Attackers can tailor the campaign to the victim’s location.
  • Avoid scanners: The outer page carries none of the usual phishing markers, making it hard for security tools to detect.

Barracuda notes that while abuse of iframes is common, this is the first time an entire phishing framework structured around this technique has been identified.

The Attack Chain and Evasion Techniques

GhostFrame’s attack chain unfolds in two stages. The visible external page relies on light obfuscation and dynamic code that generates a new subdomain for each visitor.

Hidden in the external code, a series of pointers loads a secondary phishing page within the iframe. This internal page contains the actual credential harvesting components. Attackers have hidden this malicious code within a function designed for the transmission of very large files, allowing it to bypass static detection tools.

The kit uses emails with varied topics, from fake contract notices to human resources updates. Subject lines include “Contract Notification and Secure Proposal,” “Annual Review Reminder,” or “Password Reset Request.”

Anti-Analysis Controls and Code Samples

Barracuda identified two forms of GhostFrame’s source code: one obfuscated and one readable, the latter of which contains developer comments.

The phishing kit incorporates rigorous anti-analysis controls to hinder inspection by researchers and analysts:

  • Keyboard Shortcut Blocking: Disables actions such as F12, right-click, and other common shortcuts used to inspect page code.
  • Interaction Restriction: Restricts the Enter key, hindering attempts to save or navigate the page.

GhostFrame also uses random subdomains for delivery. A payload script validates each subdomain before revealing the malicious iframe and manages the browser environment based on messages sent from the iframe. If the scripts fail, a hardcoded fallback iframe ensures that the attack continues.

To defend against GhostFrame and similar threats, Barracuda recommends a multi-layered security strategy:

  • Regular browser updates: Ensure web browsers are updated to mitigate known vulnerabilities.
  • Staff training: Educate employees to avoid unsolicited links and carefully check URLs.
  • Implementation of filters: Deploy email gateways and web filters to identify suspicious iframes.
  • Iframe restriction: Limit embedding of iframes on corporate sites and scan for injection risks.
  • Network Monitoring: Monitor the network for unusual redirects or suspicious embedded content.
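
The two-layer structure described above (a bland outer page whose real content lives in an iframe, plus inline script that blocks inspection) is exactly what a web filter or mail-sandbox detonation can look for. The following scanner is an added example written for this article, not code from Barracuda or from the kit itself: it parses a fetched HTML page with the Python standard library, flags iframes that are hidden, point to another host, or lack a sandbox attribute, and flags inline scripts containing the context-menu and F12 blocking the article describes. The sample pages and hostnames are constructed placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script fragments that resemble the anti-analysis controls described in
# the article (blocking right-click, F12 and inspect shortcuts) or that build the
# iframe at runtime. Heuristic only: a match is a signal to inspect, not a verdict.
SCRIPT_PATTERNS = {
    "context-menu blocking": re.compile(r"""['"]contextmenu['"]"""),
    "F12 / devtools key blocking": re.compile(r"""\bF12\b|keyCode\s*===?\s*123"""),
    "runtime iframe creation": re.compile(r"""createElement\(\s*['"]iframe['"]\s*\)|<iframe""", re.I),
}


def _is_hidden(attrs):
    """True if the iframe is styled or sized so the user never sees it."""
    decls = {}
    for part in (attrs.get("style") or "").split(";"):
        if ":" in part:
            prop, _, val = part.partition(":")
            decls[prop.strip().lower()] = val.strip().lower()
    if decls.get("display") == "none" or decls.get("visibility") == "hidden":
        return True
    try:
        if float(decls.get("opacity", "1")) == 0:
            return True
    except ValueError:
        pass
    if "hidden" in attrs:
        return True
    for dim in ("width", "height"):
        val = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if val in ("0", "1"):
            return True
    return False


class IframeAuditor(HTMLParser):
    """Collects iframe attributes and inline script bodies from one page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.iframes = []
        self.scripts = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # valueless attributes such as `sandbox` map to None
        if tag == "iframe":
            src = attrs.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            self.iframes.append({
                "src": src,
                "hidden": _is_hidden(attrs),
                "external": bool(host) and host != self.page_host,
                "sandboxed": "sandbox" in attrs,
            })
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._script_buf))
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)


def audit_page(html, page_host):
    """Return a list of (severity, message) findings for a fetched page."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    findings = []
    for f in parser.iframes:
        if f["hidden"] and f["external"]:
            findings.append(("high", f"hidden iframe loads external content: {f['src']}"))
        elif f["external"] and not f["sandboxed"]:
            findings.append(("medium", f"unsandboxed external iframe: {f['src']}"))
        elif f["hidden"]:
            findings.append(("medium", f"hidden same-origin iframe: {f['src'] or '(no src)'}"))
    script_text = "\n".join(parser.scripts)
    for label, pattern in SCRIPT_PATTERNS.items():
        if pattern.search(script_text):
            findings.append(("medium", f"inline script shows {label}"))
    return findings


# Constructed sample modelled on the structure the article describes: a bland outer
# page, a hidden iframe to another host, and script that blocks inspection.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Document shared with you</title></head><body>
<h1>Your document is loading...</h1>
<iframe src="https://a1b2c3.fallback-host.example/view" style="display:none; border:0"></iframe>
<script>
document.addEventListener("contextmenu", function (e) { e.preventDefault(); });
document.addEventListener("keydown", function (e) { if (e.key === "F12" || e.keyCode === 123) { e.preventDefault(); } });
</script></body></html>"""

# Constructed benign page: a visible, same-origin, sandboxed iframe.
BENIGN_PAGE = """<html><body><h1>Help centre</h1>
<iframe src="https://www.example.com/help" sandbox width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for sev, msg in audit_page(SAMPLE_PAGE, "landing.example"):
        print(f"[{sev}] {msg}")
    print("benign findings:", audit_page(BENIGN_PAGE, "www.example.com"))
```

Run against the constructed sample, the scanner reports one high-severity finding for the hidden external iframe and two medium findings for the script patterns, while the benign page produces none. In a gateway this would run on the rendered page as well as the raw HTML, since the article notes the real iframe may only be written by script after the subdomain is validated.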

A layered security approach is essential to protect both emails and employees from GhostFrame and other stealthy phishing attacks.