{"id":60137,"date":"2019-04-09T09:00:29","date_gmt":"2019-04-09T01:00:29","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=60137"},"modified":"2019-04-06T21:02:01","modified_gmt":"2019-04-06T13:02:01","slug":"%e7%b6%b2%e8%b7%af%e9%87%a3%e9%ad%9a%e5%88%a9%e7%94%a8%e7%80%8f%e8%a6%bd%e5%99%a8%e6%93%b4%e5%85%85%e5%a5%97%e4%bb%b6singlefile-%e8%a4%87%e8%a3%bd%e5%90%88%e6%b3%95%e7%b6%b2%e7%ab%99-%e9%81%bf","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=60137","title":{"rendered":"\u7db2\u8def\u91e3\u9b5a\u5229\u7528\u700f\u89bd\u5668\u64f4\u5145\u5957\u4ef6SingleFile \u8907\u88fd\u5408\u6cd5\u7db2\u7ad9, \u907f\u514d\u88ab\u5075\u6e2c"},"content":{"rendered":"\n<p><a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/phishing\">\u7db2\u8def\u91e3\u9b5a<\/a>\u9760\u8457\u5192\u5145\u8eab\u4efd\u4f86\u5f15\u8a98\u6beb\u7121\u9632\u5099\u7684\u53d7\u5bb3\u8005\u4e0b\u8f09\u6a94\u6848\u6216\u9ede\u5165\u9023\u7d50\u7684\u7c21\u55ae\u6982\u5ff5,\u6210\u70ba\u7db2\u8def\u72af\u7f6a\u6b77\u4e45\u4e0d\u8870\u7684\u624b\u6cd5\uff0c\u4e0d\u904e\u7db2\u8def\u91e3\u5ba2\u4f7f\u7528\u7684\u7b56\u7565\u5df2\u7d93\u8d8a\u4f86\u8d8a\u52a0\u8907\u96dc\u3002\u8da8\u52e2\u79d1\u6280\u8fd1\u65e5\u767c\u73fe\u6709\u5229\u7528\u5408\u6cd5\u5de5\u5177<a href=\"https:\/\/chrome.google.com\/webstore\/detail\/singlefile\/mpiodijhokgodhhofbcjdecpffjipkle?hl=en\">SingleFile<\/a>\u4f5c\u70ba\u6df7\u6dc6\u624b\u6cd5,\u907f\u514d\u5075\u6e2c\u7684\u7db2\u8def\u91e3\u9b5a\u6d3b\u52d5\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"479\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/06\/gone-phishing.jpg\" alt=\"\u7db2\u8def\u91e3\u9b5a\u5229\u7528\u700f\u89bd\u5668\u64f4\u5145\u5957\u4ef6SingleFile \u8907\u88fd\u5408\u6cd5\u7db2\u7ad9, \u907f\u514d\u88ab\u5075\u6e2c\" class=\"wp-image-12914\" srcset=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/06\/gone-phishing.jpg 700w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/06\/gone-phishing-300x205.jpg 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><\/figure>\n\n\n\n<p>SingleFile\u662f<a href=\"https:\/\/chrome.google.com\/webstore\/detail\/singlefile\/mpiodijhokgodhhofbcjdecpffjipkle?hl=en\">Google\nChrome<\/a>\u548c<a href=\"https:\/\/addons.mozilla.org\/en-US\/firefox\/addon\/single-file\/\">Mozilla\nFirefox<\/a>\u7684\u64f4\u5145\u5957\u4ef6\uff0c\u8b93\u4f7f\u7528\u8005\u80fd\u5920\u5c07\u7db2\u9801\u53e6\u5b58\u6210\u55ae\u4e00\u7684HTML\u6a94\u6848\u3002\u96d6\u7136\u700f\u89bd\u5668\u53ef\u4ee5\u8b93\u4f7f\u7528\u8005\u5c07\u7db2\u9801\u5132\u5b58\u70ba\u300c.htm\u300d\u6587\u4ef6\uff0c\u4f46\u9019\u901a\u5e38\u4ee3\u8868\u6703\u70ba\u7db2\u9801\u5167\u7684\u6240\u6709\u6a94\u6848\u5efa\u7acb\u591a\u500b\u8cc7\u6599\u593e\u3002SingleFile\u7c21\u5316\u4e86\u5132\u5b58\u7db2\u9801\u53ca\u6240\u6709\u6a94\u6848\u7684\u6d41\u7a0b\uff0c\u53ef\u4ee5\u61c9\u7528\u5728\u5404\u7a2e\u60c5\u5883\uff0c\u5982\u5132\u5b58\u6574\u500b\u7db2\u7ad9\u3002\u4f46\u5b83\u5c0d\u99ed\u5ba2\u4f86\u8aaa\u4e5f\u4e00\u6a23\u6709\u7528\uff0c\u56e0\u70ba\u6211\u5011\u767c\u73fe\u99ed\u5ba2\u6703\u5229\u7528SingleFile\u4f86\u6df7\u6dc6\u7db2\u8def\u91e3\u9b5a\u653b\u64ca\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/04\/Phishing-SingleFile-1.png\" alt=\"Figure 1. Tool options for the Chrome version of SingleFile\"\/><\/figure>\n\n\n\n<p><em>\u57161. Chrome<\/em><em>\u7248SingleFile<\/em><em>\u7684\u5de5\u5177\u9078\u9805<\/em><\/p>\n\n\n\n<p>\u6211\u5011\u770b\u5230\u7684\u6a23\u672c\u986f\u793a\u7db2\u8def\u72af\u7f6a\u4efd\u5b50\u7528SingleFile\u8907\u88fd\u5408\u6cd5\u7db2\u7ad9\u7684\u767b\u5165\u9801\u9762\u9032\u884c\u7db2\u8def\u91e3\u9b5a\u6d3b\u52d5\u3002\u7522\u751f\u767b\u5165\u9801\u9762\u7684\u65b9\u6cd5\u5f88\u7c21\u55ae\uff1a<\/p>\n\n\n\n<ul><li>\u653b\u64ca\u8005\u9023\u4e0a\u8981\u4eff\u5192\u7684\u7db2\u7ad9\u767b\u5165\u9801\u9762\uff08\u6211\u5011\u6240\u770b\u5230\u6a23\u672c\u662f\u91d1\u6d41\u670d\u52d9\u7db2\u7ad9Stripe\uff09\u3002<\/li><li>\u63a5\u8457\u7528SingleFile\u5132\u5b58\u4e26\u7522\u751f\u5305\u542b\u6574\u500b\u7db2\u9801\u7684\u6a94\u6848\uff0c\u5305\u62ec\u4e86\u6240\u6709\u7684\u5716\u7247\uff08\u5132\u5b58\u70basvg\u6a94\uff09\u3002<\/li><\/ul>\n\n\n\n<p>\u5118\u7ba1\u9019\u624b\u6cd5\u5f88\u7c21\u55ae\u537b\u975e\u5e38\u6709\u6548\uff0c\u56e0\u70ba\u5b83\u5be6\u969b\u4e0a\u7522\u751f\u4e86\u8ddf\u539f\u59cb\u767b\u5165\u9801\u9762\u5b8c\u5168\u76f8\u540c\u7684\u7248\u672c\u3002<\/p>\n\n\n\n<!--more-->\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/04\/Phishing-SingleFile-2.png\" alt=\" Figure 2. Comparison of the original Stripe log-in page (top) with the spoofed one based on the generated SingleFile page (bottom). The only noticeable difference is the URL. \"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/04\/Phishing-SingleFile-3.png\" alt=\" Figure 2. Comparison of the original Stripe log-in page (top) with the spoofed one based on the generated SingleFile page (bottom). The only noticeable difference is the URL. \"\/><\/figure>\n\n\n\n<p><em>\u57162. <\/em><em>\u539f\u59cbStripe<\/em><em>\u767b\u5165\u7db2\u9801(<\/em><em>\u4e0a)<\/em><em>\u8207SingleFile<\/em><em>\u6240\u7522\u751f\u5c71\u5be8\u767b\u5165\u9801\u9762(<\/em><em>\u4e0b)<\/em><em>\u7684\u6bd4\u8f03\u3002\u552f\u4e00\u660e\u986f\u7684\u5340\u5225\u662f\u7db2\u5740\u3002<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/04\/Phishing-SingleFile-4.png\" alt=\" Figure 3. Code showing images that are saved as .svg files with base64 encode\"\/><\/figure>\n\n\n\n<p><em>\u57163. <\/em><em>\u986f\u793a\u5c07\u5716\u6a94\u7528base64<\/em><em>\u7de8\u78bc\u5132\u5b58\u70ba.svg<\/em><em>\u6a94\u7684\u4ee3\u78bc<\/em><\/p>\n\n\n\n<p>\u5229\u7528SingleFile\u5efa\u7acb\u5c71\u5be8\u767b\u5165\u9801\u9762\u5728\u6df7\u6dc6\u7db2\u8def\u91e3\u9b5a\u4f01\u5716\u65b9\u9762\u975e\u5e38\u6709\u6548\uff0c\u56e0\u70ba\u8ddf\u5176\u4ed6\u50cf\u300cdocument.write(unescape(\u300d\u4f7f\u7528JavaScript\u7684\u6df7\u6dc6\u4f5c\u6cd5\u4e0d\u540c\uff0c\u7522\u751f\u7684\u7db2\u8def\u91e3\u9b5a\u7db2\u9801\u96b1\u85cf\u4e86\u767b\u5165HTML\u7a0b\u5f0f\u78bc\u53ca\u539f\u672c\u767b\u5165\u9801\u9762\u6240\u7528\u7684JavaScript\u800c\u4e0d\u88ab\u975c\u614b\u5075\u6e2c\u5de5\u5177\u767c\u73fe\u3002\u96d6\u7136\u57162\u986f\u793a\u51fa\u53ef\u4ee5\u5f88\u5bb9\u6613\u5730\u5f9e\u4e0d\u6b63\u5e38\u7db2\u5740\u4f86\u767c\u73fe\u7db2\u8def\u91e3\u9b5a\u653b\u64ca\uff0c\u4f46\u66f4\u7a4d\u6975\u7684\u99ed\u5ba2\u53ef\u80fd\u6703\u4f7f\u7528\u770b\u8d77\u4f86\u66f4\u52a0\u5408\u7406\u7684\u7db2\u5740\uff0c\u66f4\u80fd\u5920\u53bb\u8aaa\u670d\u76ee\u6a19\u53d7\u5bb3\u8005\u3002<\/p>\n\n\n\n<p>\u9019\u6ce2\u653b\u64ca\u5f88\u65b0\uff0c\u662f\u5f9e2019\u5e742\u670827\u65e5\u958b\u59cb\uff0c\u6211\u5011\u6240\u767c\u73fe\u7684\u6a23\u672c\u662f\u99ed\u5ba2\u57282019\u5e742\u670810\u65e5\u5132\u5b58\u7684\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/04\/Phishing-SingleFile-5.png\" alt=\" Figure 4. The source code of the phishing page is generated by SingleFile. Note that information such as page saved date and the time zone can still be found in the code.\"\/><\/figure>\n\n\n\n<p><em>\u57164. <\/em><em>\u7db2\u8def\u91e3\u9b5a\u9801\u9762\u662f\u7528SingleFile<\/em><em>\u7522\u751f\u3002\u4ecd\u53ef\u4ee5\u5728\u4ee3\u78bc\u4e2d\u627e\u5230\u7db2\u9801\u5132\u5b58\u65e5\u671f\u548c\u6642\u5340\u7b49\u8cc7\u8a0a\u3002<\/em><\/p>\n\n\n\n<p>\u8acb\u6ce8\u610f\uff0c\u96d6\u7136\u672c\u6587\u5c55\u793a\u4e86SingleFile\u5982\u4f55\u88ab\u7528\u5728\u60e1\u610f\u7528\u9014\uff0c\u4f46\u9019\u4e26\u6c92\u6709\u5f71\u97ff\u5230\u64f4\u5145\u5957\u4ef6\u672c\u8eab\u7684\u5b89\u5168\u6027\uff0c\u5957\u4ef6\u4f7f\u7528\u8005\u4e5f\u4e0d\u6703\u53d7\u5230\u5f71\u97ff\u3002<\/p>\n\n\n\n<p><strong>\u5efa\u8b70\u548c\u89e3\u6c7a\u65b9\u6848<\/strong><\/p>\n\n\n\n<p>\u500b\u4eba\u548c\u7d44\u7e54\u90fd\u53ef\u4ee5\u9075\u5faa\u5c0d\u6297\u7db2\u8def\u91e3\u9b5a\u7684<a href=\"https:\/\/www.trendmicro.com\/vinfo\/ph\/security\/news\/cybercrime-and-digital-threats\/best-practices-identifying-and-mitigating-phishing-attacks\">\u6a19\u6e96\u6700\u4f73\u5be6\u4f5c<\/a>\u4f86\u6700\u5927\u7a0b\u5ea6\u5730\u6e1b\u5c11\u6b64\u653b\u64ca\u53ca\u7db2\u8def\u91e3\u9b5a\u7684\u5a01\u8105\u3002\u5305\u62ec\u4e86\uff1a<\/p>\n\n\n\n<ul><li>\u4efb\u4f55\u6709\u7570\u5e38\u7db2\u5740\u7684\u7db2\u7ad9\u90fd\u53ef\u80fd\u662f\u60e1\u610f\u7684\uff0c\u56e0\u70ba\u5927\u591a\u6578\u516c\u53f8\u7db2\u7ad9\u90fd\u6703\u5e36\u6709\u81ea\u5df1\u7684\u540d\u5b57\u6216\u54c1\u724c\u540d\u7a31\u3002<\/li><li>\u6709\u4e9b\u99ed\u5ba2\u6703\u5efa\u7acb\u770b\u8d77\u4f86\u985e\u4f3c\u5b98\u65b9\u7db2\u7ad9\u7684\u7db2\u5740\u3002\u56e0\u6b64\u4f7f\u7528\u8005\u61c9\u8a72\u8981\u4ed4\u7d30\u6aa2\u67e5\u9023\u4e0a\u7684\u7db2\u7ad9\u662f\u5426\u4f7f\u7528\u4e86\u6b63\u78ba\u7684\u7db2\u5740\u3002\u9019\u53ef\u4ee5\u900f\u904e\u67e5\u8a62\u641c\u5c0b\u5f15\u64ce\u9019\u6a23\u7c21\u55ae\u7684\u6b65\u9a5f\u5b8c\u6210\u3002<\/li><li>\u4f7f\u7528\u8005\u61c9\u8a72\u8981\u907f\u514d\u9ede\u5165\u4efb\u4f55\u901a\u904e\u96fb\u5b50\u90f5\u4ef6\u6536\u5230\u7684\u9023\u7d50\u6216\u4e0b\u8f09\u6a94\u6848\uff0c\u9664\u975e\u53ef\u4ee5\u7d55\u5c0d\u78ba\u5b9a\u5bc4\u4ef6\u8005\u662f\u5408\u6cd5\u4f86\u6e90\u3002<\/li><\/ul>\n\n\n\n<p>\u5c0d\u65bc\u66f4\u5168\u9762\u7684\u5b89\u5168\u89e3\u6c7a\u65b9\u6848\uff0c\u7d44\u7e54\u53ef\u4ee5\u8003\u616e\u4f7f\u7528\u5982\u8da8\u52e2\u79d1\u6280Cloud App\nSecurity\u9019\u6a23\u7684\u6280\u8853\uff0c\u8a72\u89e3\u6c7a\u65b9\u6848\u4f7f\u7528<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=55169\">\u6a5f\u5668\u5b78\u7fd2(Machine learning,ML)<\/a>\u4f86\u9032\u884c\u7db2\u9801\u4fe1\u8b7d\u8a55\u6bd4\u548c\u7db2\u5740\u52d5\u614b\u5206\u6790\u3002\u6b64\u5916\uff0c\u5b83\u9084\u80fd\u5920\u5075\u6e2c\u90f5\u4ef6\u672c\u6587\u53ca\u9644\u4ef6\u6a94\u5167\u7684\u53ef\u7591\u5167\u5bb9\uff0c\u4e26\u4e14\u63d0\u4f9b\u6c99\u7bb1\u60e1\u610f\u8edf\u9ad4\u5206\u6790\u548c\u6587\u4ef6\u6f0f\u6d1e\u653b\u64ca\u5075\u6e2c\u7b49\u6280\u8853\u3002<\/p>\n\n\n\n<p>\u540c\u6642\uff0c\u8da8\u52e2\u79d1\u6280\u7684\u7db2\u9801\u4fe1\u8b7d\u8a55\u6bd4\u670d\u52d9\u80fd\u5920\u4fdd\u8b77\u4f7f\u7528\u8005\u4e0d\u88ab\u4e0a\u8ff0\u6df7\u6dc6\u624b\u6cd5\u6240\u5f71\u97ff\u3002\u7db2\u9801\u4fe1\u8b7d\u8a55\u6bd4\u670d\u52d9\u57fa\u65bc\u8af8\u5982\u5b58\u5728\u6642\u9593\u3001\u4f4d\u7f6e\u7684\u6b77\u53f2\u8b8a\u5316\u53ca\u7528\u60e1\u610f\u8edf\u9ad4\u884c\u70ba\u5206\u6790\u6240\u767c\u73fe\u7684\u4efb\u4f55\u53ef\u7591\u6307\u6a19\u7b49\u56e0\u5b50\u4f86\u5206\u914d\u4fe1\u8b7d\u8a55\u6bd4\u5206\u6578\u4ee5\u78ba\u8a8d\u7db2\u5740\u7684\u53ef\u4fe1\u5ea6\u3002\u63a5\u8457\u5b83\u6703\u6383\u63cf\u7db2\u7ad9\u4e26\u5c01\u9396\u6709\u554f\u984c\u7684\u7db2\u7ad9\u3002<\/p>\n\n\n\n<p><strong>\u5165\u4fb5\u6307\u6a19\uff08IoC<\/strong><strong>\uff09<\/strong><\/p>\n\n\n\n<p>\u7db2\u5740\uff1ahxxps:\/\/malumkdixz[.]mld\/wx\/Ma\/<\/p>\n\n\n\n<p>@\u539f\u6587\u51fa\u8655\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/phishing-attack-uses-browser-extension-tool-singlefile-to-obfuscate-malicious-log-in-pages\/\">Phishing\nAttack Uses Browser Extension Tool SingleFile to Obfuscate Malicious Log-in Pages<\/a>\n\u4f5c\u8005\uff1aSamuel P Wang<\/p>\n\n\n\nPC-cillin \u96f2\u7aef\u7248\u6574\u5408 AI \u4eba\u5de5\u667a\u6167\u7684\u591a\u5c64\u5f0f\u9632\u8b77\uff0c\u7cbe\u6e96\u9810\u6e2c\u5373\u6642\u62b5\u79a6\u672a\u77e5\u5a01\u8105 <a href=\"https:\/\/t.rend.tw\/?i=NzA3Mg==\">\u300b\u5373\u523b\u514d\u8cbb\u4e0b\u8f09\u8a66\u7528<\/a>\n\n<a href=\"https:\/\/t.rend.tw\/?i=NzA3Mg\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/08\/Windows10Banner-540x90v5.gif\" \/><\/a>\n\n","protected":false},"excerpt":{"rendered":"<p>\u7db2\u8def\u91e3\u9b5a\u9760\u8457\u5192\u5145\u8eab\u4efd\u4f86\u5f15\u8a98\u6beb\u7121\u9632\u5099\u7684\u53d7\u5bb3\u8005\u4e0b\u8f09\u6a94\u6848\u6216\u9ede\u5165\u9023\u7d50\u7684\u7c21\u55ae\u6982\u5ff5,\u6210\u70ba\u7db2\u8def\u72af\u7f6a\u6b77\u4e45\u4e0d\u8870\u7684\u624b\u6cd5\uff0c\u4e0d\u904e\u7db2\u8def\u91e3 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[3765,65],"tags":[2284],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/60137"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=60137"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/60137\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=60137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=60137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=60137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}