Hundreds of thousands of web sites that continue to run Windows NT4 face a security dilemma: a vulnerability in a key Windows networking protocol has no public patch. The critical flaw in the Server Message Block (SMB) protocol could allow remote attackers to seize control of servers.
Microsoft addressed the SMB issue in its February security update, but the monthly Windows patches no longer include fixes for Windows NT4, which is past its end of life and remains vulnerable to SMB exploits, according to an advisory from eEye Security.
Microsoft retired NT Server 4.0 on Dec. 31 and now offers only custom paid support for the eight-year-old OS. But about 1.1 percent of web-facing hostnames continue to run on Windows NT4, according to this month's Web Server Survey. Thousands of those hostnames are on SSL-enabled web sites that may be conducting e-commerce.
Phishing operations have begun using DNS wildcards and URL encoding to create email links that display the URLs of legitimate banking sites but send victims to spoof sites designed to steal their login details. A wildcard DNS record (*.example.com) answers every query for a name under the domain that no other record matches. Wildcards are typically used to catch mail or web requests for errant or mistyped hostnames, but have been routinely abused by spammers.
In recent weeks wildcard DNS settings have been used in a wave of phishing attacks on Barclays Bank, in which the "bait" email included URLs starting with barclays.co.uk, followed by a lengthy sequence of letters and symbols. Several examples:
http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/
http://barclays.co.uk|YJ3EMOHOqljQ8J5oW2ZKyTaRMQOahSWaxTrFTEQK9l9VVQj6jDtyq10d24r2h0bijh2
http://barclays.co.uk|34fdcb4rvdnp9phxbahhvbs6l56a2uyx%2edivxmovies%2ea%74/41pvaw3/
The phishers use a wildcard DNS setting at a third-party redirection service (kickme.to) to construct the URLs. Because the wildcard answers for any name under the domain, the phisher can make "barclays.co.uk" the leftmost part of the hostname; the real destination domain sits at the end of the hostname and is percent-encoded (in the third example, %2edivxmovies%2ea%74 decodes to .divxmovies.at) so that it does not stand out to the victim.
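The check a mail filter or security team would want for links like these is to percent-decode the host, find the domain that will actually be resolved, and compare it with the brand name the victim sees at the front. The following Python is an added example written for this page, not code from the article or from any product it mentions. It runs over the first and third URLs quoted above (the second is cut off on the page) plus a genuine Barclays URL as a control; the "last two labels" rule for the registrable domain is a simplification that ignores public suffixes such as co.uk, and the hand-rolled host parser is used deliberately so that the illegal "|" character, which browsers of the day still displayed, does not get rejected before it can be flagged.

```python
import re
from urllib.parse import unquote

# RFC 1123 hostname label: letters, digits and interior hyphens only.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

# The first and third URLs quoted on the page (the second is cut off there).
PHISH_URLS = [
    "http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/",
    "http://barclays.co.uk|34fdcb4rvdnp9phxbahhvbs6l56a2uyx%2edivxmovies%2ea%74/41pvaw3/",
]


def extract_host(url):
    """Return the raw, still percent-encoded host part of an absolute URL.

    Hand-rolled rather than urllib.parse so that characters such as '|', which
    are not legal in hostnames but which the browsers of the day displayed,
    do not trip a stricter parser before we can flag them.
    """
    sep = url.find("://")
    rest = url[sep + 3:] if sep >= 0 else url
    end = len(rest)
    for stop in "/?#":          # the authority ends at the first of these
        pos = rest.find(stop)
        if pos >= 0:
            end = min(end, pos)
    authority = rest[:end]
    return authority.rsplit("@", 1)[-1]   # drop userinfo, another spoofing trick


def effective_host(url):
    """Percent-decode the host and drop any port: the name the resolver is asked for."""
    host = unquote(extract_host(url)).lower().rstrip(".")
    return re.sub(r":\d+$", "", host)


def is_under(host, domain):
    """True if host is `domain` itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def registrable_domain(host):
    """Last two labels. Assumption of this example: no public-suffix list, so
    'co.uk'-style suffixes are not special-cased; enough to expose the phishing domains."""
    return ".".join(host.split(".")[-2:])


def analyse(url, brand_domain):
    """Compare what the victim perceives with where the URL really leads."""
    host = effective_host(url)
    return {
        "raw_host": extract_host(url),
        "decoded_host": host,
        "actual_domain": registrable_domain(host),
        "illegal_labels": [lab for lab in host.split(".") if not _LABEL_RE.match(lab)],
        # Brand at the front of the hostname, but the name is not under the brand's domain.
        "suspicious": host.startswith(brand_domain) and not is_under(host, brand_domain),
    }


if __name__ == "__main__":
    for url in PHISH_URLS + ["https://www.barclays.co.uk/login"]:
        print(analyse(url, "barclays.co.uk"))
```

For both phishing URLs the decoded host starts with barclays.co.uk but ends in dvdlinks.at or divxmovies.at, and the label containing "|" fails the hostname grammar, which is a second independent signal. A wildcard record such as `*.dvdlinks.at` is what makes any such leftmost string resolve at all; a strict URL parser would reject these hostnames outright, which is the right behaviour for new code but was not what the browsers of the time did.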
A new attack using DNS cache poisoning has raised concerns about "pharming," a next-generation phishing scam in which malware or DNS hacks are used to invisibly redirect victims to spoofed web sites.
DNS cache poisoning injects false information into DNS servers, which translate domain names into IP addresses, allowing attackers to redirect users to bogus web sites. In Saturday's attack, a known vulnerability in Symantec firewalls was exploited to change information on a small number of local DNS servers, sending requests for Google.com, eBay.com and Weather.com to a trio of hacker sites (7sir7.com, 123xxl.com and abx4.com) that attempted to install spyware on visitors' computers.
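The page describes the effect of poisoning but not the mechanism, so the following Python is an added example, not code from the article and not a reconstruction of the Symantec flaw, whose details the page does not give. It simulates the classic way false records get into a cache: a reply to a question about the attacker's own domain carries extra, unrequested records for other people's names, and a resolver that caches whatever it is sent stores them. The fix shown, the bailiwick check (only cache records for names under the zone the answering server is authoritative for), is the standard one. The domains and the 203.0.113.7 placeholder address are constructed for the example; the target names are the three the page reports.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """Minimal resource record: owner name, type and rdata."""
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Response:
    """What a nameserver sends back for one question."""
    qname: str
    answer: Tuple[RR, ...]
    additional: Tuple[RR, ...] = ()


def _key(name: str) -> str:
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = _key(name), _key(zone)
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    """A caching resolver's record store, with the bailiwick check switchable."""

    def __init__(self, enforce_bailiwick: bool):
        self.enforce_bailiwick = enforce_bailiwick
        self._store: Dict[Tuple[str, str], str] = {}

    def ingest(self, resp: Response, server_zone: str) -> List[RR]:
        """Cache the records in `resp`, received from a server that is
        authoritative for `server_zone`. Returns the records it refused."""
        rejected = []
        for rr in resp.answer + resp.additional:
            if self.enforce_bailiwick and not in_bailiwick(rr.name, server_zone):
                rejected.append(rr)
                continue
            self._store[(_key(rr.name), rr.rtype)] = rr.rdata
        return rejected

    def lookup(self, name: str, rtype: str = "A") -> Optional[str]:
        return self._store.get((_key(name), rtype))


# Constructed sample. The victim resolver queries ns.attacker.example, which is
# authoritative only for attacker.example, for www.attacker.example. The reply
# smuggles unrequested A records for the three targets named on the page, all
# pointing at the attacker's host. 203.0.113.7 is a documentation address used
# here as a placeholder.
POISONED = Response(
    qname="www.attacker.example",
    answer=(RR("www.attacker.example", "A", "203.0.113.7"),),
    additional=(
        RR("www.google.com", "A", "203.0.113.7"),
        RR("www.ebay.com", "A", "203.0.113.7"),
        RR("www.weather.com", "A", "203.0.113.7"),
    ),
)


def simulate(enforce_bailiwick: bool):
    """Feed the poisoned reply to a cache and report what www.google.com now
    resolves to and which records were refused."""
    cache = ResolverCache(enforce_bailiwick)
    rejected = cache.ingest(POISONED, server_zone="attacker.example")
    return cache.lookup("www.google.com"), [rr.name for rr in rejected]


if __name__ == "__main__":
    print("no bailiwick check:", simulate(False))
    print("bailiwick check:   ", simulate(True))
```

Without the check, every user of the poisoned resolver is sent to the attacker's address for the lifetime of the cached record; with it, the smuggled records are dropped and the genuine ones are fetched from the proper authority. Real resolvers also randomise source ports and transaction IDs to resist forged replies, which this model leaves out.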
The development teams for Firefox and Opera have updated their browsers to address URL spoofing using Internationalized Domain Names (IDN), so that users can still visit IDN domains while being protected from phishing attacks. The attacks do not affect Microsoft's Internet Explorer, the most widely used web browser, which does not support IDN.
Firefox 1.0.1 displays IDNs as punycode in the browser's address bar, so that users can recognise potentially deceptive uses of IDNs. The change can be seen on the original demo by the Shmoo Group, which uses a Unicode link that displayed www.theshmoogroup.com in the status bar of affected browsers but sent users to www.xn--theshmogroup-bgk.com. The status bar now displays the unspoofed URL.
An update of phpBB has been released to address new security holes in the open source application. The disclosure comes on the heels of several recent security incidents involving phpBB, which is among the web's most popular forum programs.
"One of the potential exploits addressed in this release could be serious in certain situations and thus we urge all users to upgrade to this release as soon as possible," the phpBB Group said in its advisory. The security fixes address multiple bugs that disclose the full filesystem path of the phpBB installation, which is written in the PHP server-side scripting language. A vulnerability reported by iDefense could, under some configurations, allow malicious users to view system files.
The Mozilla development team said today that it will disable a browser feature that allows URL spoofing and could leave users open to scams. Upcoming releases of the Firefox and Mozilla browsers will turn off support for Internationalized Domain Names (IDN) by default to protect users from the spoofing, which works in current versions of Firefox, Mozilla, Opera and the Safari browser for the Mac. The affected browsers support IDN, while Microsoft's Internet Explorer does not.
The spoof exploits the way the browsers display Unicode, the character set IDN uses so that domain names can include non-English characters. Unicode can be used to craft "homograph" attacks, in which two different sequences of characters are rendered identically in the browser but resolve to different domains. URL spoofing is useful to phishing scams, making it easier to trick victims into sharing sensitive information with bogus web sites constructed by fraudsters.