Hackers are actively seeking out unpatched versions of the Mambo content management system, which recently repaired a serious security hole. The latest exploit attempts target a different vulnerability than the Mare.D worm, which grabbed headlines last month but apparently did limited damage to Mambo sites. Sites running on Mambo should upgrade to the latest version as soon as possible.
On Feb. 24 James Bercegay of GulfTech Security Research announced vulnerabilities in Mambo that could allow a server compromise by a remote attacker, including several methods of an SQL injection attack. Bercegay also found a way for attackers to use Mambo's file inclusion features to breach system security. Last July Bercegay discovered a weakness in XML-RPC libraries used by numerous PHP-based blogging and content management apps.
Security holes in PHP-based content management and forum apps are an increasingly active front in Internet security, as hackers target unpatched weaknesses. The latest example is Monday's hack of chip maker AMD's customer support forums, in which an older version of Invision Power Board was compromised and used to distribute malware using the Windows Metafile (WMF) exploit.
While Windows flaws like the WMF vulnerability are useful to hackers assembling armies of compromised desktop computers, security holes in PHP applications provide access to more powerful servers hooked directly to high-speed network connections.
Internet criminals have targeted unpatched vulnerabilities in open source CMS apps including phpBB, PostNuke, Mambo, Drupal and others, hoping to build botnets for use in phishing scams and distributed denial of service (DDoS) attacks. Compromised web forums hosted more than 600 phishing spoof sites identified by the Netcraft Toolbar Community in 2005 (as noted in our Year in Phishing roundup).
The DDoS capabilities of server-based zombies were demonstrated in a December attack by a large botnet of Linux machines, in which attackers flooded their target with more than 6 gigabytes of data per second. Hosting providers with multiple IP addresses being used in the botnet included Level 3, Savvis, AT&T WorldNet, 1&1 Internet, Interland and The Planet. The network used in the December attack was assembled by exploiting known security holes, including a vulnerability in the Limbo CMS that had been patched at least six weeks earlier.
ChoicePoint will pay $10 million in civil penalties and another $5 million to set up a fund to compensate consumers whose financial records were exposed in a massive data breach last year, the Federal Trade Commission (FTC) announced today. The fine is believed to be the largest ever for a security incident, and signals Washington's growing impatience with corporate security breaches.
"The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves," said Deborah Platt Majoras, Chairman of the FTC. "Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America."
ChoicePoint provides data to credit providers, government agencies and landlords. Earlier today it reported $1.1 billion in revenue for 2005. In late 2004 criminals using falsified credentials were able to sign up for sensitive ChoicePoint services and access account information for 163,000 consumers, the FTC said.
The Netcraft Toolbar blocked more than 41,000 phishing attacks in its first year. To get the new year off to a good start, Netcraft will send a top of the range iPod [or item of equivalent value for anyone who has already received a "Thanks for all the Phish" commemorative iPod from Netcraft] to the five people who have the largest number of phishing reports accepted during January, and a Netcraft sweatshirt to the 50 people with the next largest numbers of accepted reports.
To track the progress, we have created a leaderboard displaying the people with the largest number of accepted reports so far in January, identified by their first names to preserve their anonymity.
Including the toolbar community itself and customers of ISPs using our Phishing site feed, well over a million people are protected from phishing by the Netcraft Toolbar.
The Netcraft Toolbar is available for both Internet Explorer and Firefox, and serves as a giant neighborhood watch scheme for the Internet, in which members who encounter a phishing fraud can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL, so widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.

Reporting a Suspicious URL
When you visit a page that you believe to be a phishing site, or contains fraudulent or deceptive content, we ask that you report it so that other toolbar users will benefit from your vigilance. The more sites that are reported, the more useful the toolbar will become for everyone.
You can report a URL by clicking on "Report a Phishing Site" in the toolbar menu, accessed by clicking on the Netcraft logo:
After you report a URL, Netcraft will review the report and block the page if we confirm it as part of a phishing attack.
A Microsoft work-in-progress security update to repair the critical Windows MetaFile (WMF) security hole was accidentally released to security sites, the company said late Tuesday. "In our effort to put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site," Mike Reavy noted on the Microsoft Security Response Center Blog. "There has been some discussion and pointers on subsequent sites to the pre-release code. We recommend that customers disregard the postings and continue to keep up-to-date with our latest information on the WMF issue."
Reavy said the update is still scheduled to be released Tuesday, Jan. 10 as part of Microsoft's regular monthly security advisory. With no official patch for the vulnerability, several prominent security organizations are recommending an unofficial patch developed by programmer Ilfak Guilfanov. On Tuesday Guilfanov's web site, Hexblog.com, was linked from posts at Slashdot and Digg, and soon went offline, apparently for exceeding its bandwidth allotment. The site came back online Wednesday, but the unofficial patch is being mirrored by numerous sites, including the Internet Storm Center, which has also provided an FAQ about the WMF vulnerability.
The Netcraft Toolbar has blocked more than 41,000 confirmed phishing URLs since its launch last Dec. 28. The volume of URLs increased throughout the year, from about 3,000 per month in June to 5,000-plus in September and more than 8,000 in October and November. With a year's worth of data in hand, an analysis of attacks illustrates common patterns and practices in the operation of phishing scams.
Top Targets: eBay and Paypal: The eBay online auction site and its Paypal payment processing unit were the top target for phishing scams in 2005, comprising nearly 62 percent of all phishing URLs submitted to Netcraft. Many of these were "insta-spoofs" served from free sites or cracked machines, often via a botnet. Many of these spoof sites bear identical structures and file titles, suggesting deployment via kits that can be rapidly unpacked on a new machine.
While many of these scams are hosted on raw IP addresses rather than domain names, the path or filename often includes the name of the targeted brand or emulates aspects of its genuine URLs. More than 13,000 confirmed phishing sites used URLs that included either "paypal" or "ebay," usually as a subdirectory or filename. Of those, 3,659 used "look-alike" domain names designed to confuse the recipient. These domains included slight misspellings, substituting numbers for letters, hyphenated phrases, or third-level domains (paypal.mysite.com). Nearly 4,700 phishing URLs contained the string "webscr," mimicking the genuine Paypal cgi script. Other URLs included "eBayISAPI," which appears in many eBay searches.
eBay and Paypal have more than 68 million active users between them, all of whom use e-mail, meaning bulk phishing e-mails will get a higher percentage of "hits" (recipients with accounts at the targeted institution) for eBay properties than other potential financial targets.
Phishing URL Trends: Of the total of 41,047 URLs examined in our analysis, the following trends were seen:
- 13,716 phishing URLs were hosted on raw IP addresses
- 8,785 phishing URLs contained '/.' (i.e. used a hidden directory on the web server)
- 2,104 specified a port number other than port 80
- 8 used cross-site scripting
- 6 were hosted on FTP servers
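The URL patterns listed above (raw IP hosts, hidden '/.' directories, non-standard ports, FTP hosting, brand names in the path, "webscr" and "eBayISAPI" strings, and look-alike domains) can be turned into simple indicator checks. The following is an added example, not the Netcraft Toolbar's own code: it assumes a two-brand list, the legitimate registrable domains paypal.com and ebay.com, a small digit-for-letter substitution table for look-alike names, and a handful of constructed sample URLs using documentation IP ranges and .example hosts rather than real phishing sites.

```python
"""Heuristic checks for the phishing-URL patterns in the 2005 toolbar data.

Added example, not Netcraft's toolbar code. Brand list, genuine domains,
homoglyph table and sample URLs are assumptions made for illustration.
"""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

BRANDS = ("paypal", "ebay")
GENUINE_DOMAINS = {"paypal.com", "ebay.com"}   # assumed legitimate registrable domains
# Digit-for-letter substitutions seen in look-alike names (assumed set; hyphens dropped).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "-": ""})


def registrable_domain(host):
    """Last two labels of the host ('mysite.example' for 'paypal.mysite.example').
    A toy stand-in for a public-suffix lookup; adequate for the sample hosts here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_raw_ip(host):
    """True when the host part is a bare IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_indicators(url):
    """Return the set of indicator names that fire for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    flags = set()

    if parts.scheme == "ftp":
        flags.add("ftp_host")
    if is_raw_ip(host):
        flags.add("raw_ip")
    if "/." in path:                      # hidden directory such as /.paypal/
        flags.add("hidden_dir")
    try:
        port = parts.port
    except ValueError:                    # malformed port string: treat as non-standard
        port = -1
    if port not in (None, 80):            # page counted explicit ports other than 80
        flags.add("nonstandard_port")

    # Brand checks only make sense when the host is not the genuine site.
    if host and registrable_domain(host) not in GENUINE_DOMAINS:
        lowered_path = path.lower()
        if any(b in lowered_path for b in BRANDS):
            flags.add("brand_in_path")
        if "webscr" in lowered_path:      # mimics PayPal's cgi-bin/webscr
            flags.add("webscr")
        if "ebayisapi" in lowered_path:
            flags.add("ebayisapi")
        # Normalise digits-for-letters and hyphens before looking for the brand in the host,
        # so 'paypa1-secure.example' and 'paypal.mysite.example' both count as look-alikes.
        if any(b in host.translate(HOMOGLYPHS) for b in BRANDS):
            flags.add("lookalike_domain")
    return flags


def summarize(urls):
    """Count how many URLs trigger each indicator, like the trends list above."""
    counts = Counter()
    for url in urls:
        counts.update(url_indicators(url))
    return dict(counts)


# Constructed sample URLs (documentation IPs and .example hosts, not real sites).
SAMPLE_URLS = [
    "http://192.0.2.10/.paypal/cgi-bin/webscr.php",
    "http://paypal.mysite.example:8080/login.htm",
    "http://paypa1-secure.example/eBayISAPI.dll",
    "ftp://203.0.113.5/ebay/signin.html",
    "https://www.paypal.com/cgi-bin/webscr",      # genuine site: should fire nothing
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, sorted(url_indicators(u)))
    print(summarize(SAMPLE_URLS))
```

These are indicators, not a verdict: the genuine PayPal URL in the sample fires nothing, but a legitimate host on a non-standard port or a raw IP would still trip a flag, which is why the toolbar relies on human reports and review rather than on patterns alone.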