Anti Phishing Tools

 

EPAY - Electronic Payment Application for You - (updated 2007-07-29)

 
 
Rating table (green = easy). Columns: Protection against (funds transfer, simple phishing, MITM phishing, ISP pharming, trojan keylogger, advanced trojan); Detection (before-fraud, after-fraud); Ease to install; User usage.

Goal : protect user's credit card number from formgrabbing malware for electronic payment services
Installed by : business lines

The web page where the user is asked to enter his credit card number, validity date and CVV obfuscates the field values at the end of the process, when the user has finished and is about to press the "Checkout" button. At that moment, the page calls a JavaScript function which replaces the values with obfuscated values. When the form's ACTION is then invoked, the formgrabbing hook will try to capture the field values, but the data it gets will be inconsistent.

My opinion: This solution is quite easy to install and can be relevant against formgrabbing malware, but it won't help against keyloggers. Again, it could be possible to add a virtual keypad to reduce the risk and make keyloggers useless; in this case, only screenscrapers could capture data.

 

JavaScript part (obfuscate.js) (can be used in a .js file or inside the HTML page)

<script>
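// XOR every character of the card fields with the per-session key, so that the
// values submitted with the form differ from what the user typed.
function obfuscate(random){
 var xor_key=random;
 var i; // loop counter, declared locally instead of leaking a global
 var account = document.forms['form1'].elements["account"].value;
 var cvv = document.forms['form1'].elements["cvv"].value;
 var valid_month = document.forms['form1'].elements["valid_month"].value;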

 var enc_account="";
 var enc_cvv="";
 var enc_valid_month="";

 for(i=0;i<account.length;++i)
 {
  enc_account+=String.fromCharCode(xor_key^account.charCodeAt(i));
 }
 for(i=0;i<cvv.length;++i)
 {
  enc_cvv+=String.fromCharCode(xor_key^cvv.charCodeAt(i));
 }
 for(i=0;i<valid_month.length;++i)
 {
  enc_valid_month+=String.fromCharCode(xor_key^valid_month.charCodeAt(i));
 }

 document.forms['form1'].elements["account"].value=enc_account;
 document.forms['form1'].elements["cvv"].value=enc_cvv;
 document.forms['form1'].elements["valid_month"].value=enc_valid_month;

 return true;
}
</script>


 

User page (this page is generated by an application server; PHP is used as an example here)

Here we assume the server has previously generated a sessionid number and a random seed associated with this sessionid number, and stored both in a database. Only the sessionid number is visible in the user form; the seed is passed as the argument to obfuscate() and is not submitted with the form data. This aims at providing a random value unseen by the malware.

...
<script language="javascript" src="obfuscate.js">
</script>


<form name="form1" method="POST" action="checkout.php">
 <table>
 <tr>
  <td>
   Account : <input type="text" name="account" size="16">
  </td>
 </tr>
 <tr>
  <td>
   CVV : <input type="text" name="cvv" size="3">
  </td>
 </tr>
 <tr>
  <td>
   Expires on :
   <input type="text" name="valid_month" size="2">
   <input type="text" name="valid_year" size="2">
  </td>
 </tr>
 <tr>
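<?php
// Get the random value from the database and use it to obfuscate field values
  $mysql_link = mysqli_connect("server_location", "user1", "password", "mydatabase");

  // Bind the session id as a parameter instead of concatenating it into the query
  $stmt = mysqli_prepare($mysql_link, "SELECT seed FROM session_table WHERE sessionid = ?");
  mysqli_stmt_bind_param($stmt, "s", $sessionid);
  mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
  mysqli_stmt_bind_result($stmt, $seed);
  mysqli_stmt_fetch($stmt);  // read the seed value itself, not the result handle
  $seed = (int) $seed;       // obfuscate() uses the seed as a numeric XOR key

  // A submit button, so that the form is actually posted once obfuscate() returns true
  echo "<td><input type=\"submit\" value=\"Checkout\" onclick=\"return obfuscate($seed)\"></td>";
  echo "<input type=\"hidden\" name=\"sessionid\" value=\"" . htmlspecialchars($sessionid, ENT_QUOTES) . "\">";
?>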
 </tr>
 </table>
</form>

...
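
The page shows only the browser side; the receiving script (checkout.php) has to undo the XOR with the seed stored for the sessionid. The following is an added example, not code from the original page, written in JavaScript rather than PHP so that it reuses the same XOR loop as obfuscate(). The names xorField, isUsableSeed, deobfuscatePost and seedStore are hypothetical, and the printable-ASCII seed restriction and single-use seed are assumptions of this example.

```javascript
// Added example: server-side reversal of the XOR obfuscation done by obfuscate().
// xorField, isUsableSeed, deobfuscatePost and seedStore are hypothetical names.

// Same transform as the loops in obfuscate(); XOR is its own inverse.
function xorField(value, key) {
  let out = "";
  for (let i = 0; i < value.length; ++i) {
    out += String.fromCharCode(key ^ value.charCodeAt(i));
  }
  return out;
}

// Assumption: a seed is usable only if every digit maps to a printable ASCII
// character. Seed 0 leaves the values unchanged, and seeds 0x30-0x39 turn one
// digit into a NUL character.
function isUsableSeed(seed) {
  if (!Number.isInteger(seed) || seed <= 0) return false;
  for (let d = 0x30; d <= 0x39; ++d) {
    const c = seed ^ d;
    if (c < 0x21 || c > 0x7e) return false;
  }
  return true;
}

// Recover the card fields from the POSTed values. The seed is looked up by
// sessionid and deleted so that it serves one checkout only (assumption).
function deobfuscatePost(post, seedStore) {
  const seed = seedStore.get(post.sessionid);
  if (!isUsableSeed(seed)) throw new Error("unknown or unusable seed");
  seedStore.delete(post.sessionid);
  const card = {
    account: xorField(post.account, seed),
    cvv: xorField(post.cvv, seed),
    valid_month: xorField(post.valid_month, seed),
    valid_year: post.valid_year, // not obfuscated by obfuscate()
  };
  // If a field is not all digits, the script did not run or the seed is wrong.
  for (const name of ["account", "cvv", "valid_month"]) {
    if (!/^\d+$/.test(card[name])) throw new Error("bad field: " + name);
  }
  return card;
}

// Constructed sample: a test card number and the POST body the browser sends.
const seedStore = new Map([["1001", 0x5a]]);
const samplePost = { sessionid: "1001", account: xorField("4111111111111111", 0x5a),
  cvv: xorField("123", 0x5a), valid_month: xorField("07", 0x5a), valid_year: "09" };
```

With seed 0x5a the submitted account field reads "nkkkkkkkkkkkkkkk", which is what a hook on the POST data would record; the server recovers the digits only because it holds the seed for that sessionid.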