Phishers Exploit Open Redirect on U.S. Government Site

A phishing attack is exploiting an open redirect on a U.S. government web site to gain credibility for bogus e-mails promising an IRS tax refund. The scam e-mail offers an IRS refund of $571 to recipients if they click on a link to, a legitimate federal web site that has recently been promoted by President Bush as a tool to streamline relief for victims of Hurricane Katrina.

An open redirect on the web site allows phishers to craft a URL that uses the URL but instead sends users to a web server in Italy and a phishing site seeking to steal their bank login details and Social Security number.

Netcraft's Anti-Fraud Open Redirect Detection Service assists web site owners in detecting open redirects that could allow criminals to misuse their sites in Internet scams. Online banking sites are under active scrutiny by fraudsters, who are keen to detect and exploit opportunities to run their frauds on banks’ own sites. Taking advantage of programmer mistakes in web applications, fraudsters have been able to run phishing scams on sites belonging to Visa, Mastercard, SunTrust, Charter One, and Citizens Bank.

Netcraft can perform an automatic search of a customer’s web sites to scan for possible redirection URLs in use, on a daily basis, thereby promptly trapping redirects introduced by inadvertent web design and application development.

Hacked Server Exposes Brokerage Customers’ Data

Online brokerage Scottrade says a server compromise at a service provider may have exposed the financial details of its customers, including banking account information and Social Security numbers. The security breach follows warnings from U.S. securities regulators that hackers and phishing fraudsters have stepped up their targeting of online investors, prompting enhanced education efforts by brokerage firms and the U.S. government.

Scottrade, which has 1.4 million customers, said it was notified Oct. 25 that a hacker had compromised a server at eCheck Secure, an electronic payment service provided by The Troy Group Inc. "As a result, some of your personal information, including your name, driver's license or state ID number, date of birth, phone number, bank name, bank code, bank number, bank routing number, bank account number and Scottrade account number may have been compromised," read the message to investors.

Continue reading

Google Closes Security Holes in Google Base

Google has fixed a security hole in Google Base that would have exposed sensitive information stored by users of Google's services. The cross site scripting vulnerabilities discovered by British Computer Scientist Jim Ley would allow an attacker to steal cookies and other information from users, while providing fraudsters with the facility to publish their own forms and receive input using an apparently reassuring Google Base URL.

Google Base will spearhead the search giant's entry into classified advertising and payment processing, where it will compete with established offerings from eBay and CraigsList. If it succeeds, Google Base will likely accelerate a trend which has seen a growing percentage of advertising dollars shift to the web and away from television, magazines and especially newspapers, which rely heavily on classified ads for revenue. Strong application security is important to gain user confidence in the service, as Google Base is eventually expected to integrate a micropayment system (presumably Google Payments).

Google's move towards a single Google Account for multiple services exacerbates the problem, as the same account used by the Google Base site can also be used to access financially sensitive services such as AdWords and AdSense, and Google's GMail webmail service.

Ley, who also recently found a similar security vulnerability in Yahoo Maps, says that there is a pervasive problem with companies releasing new applications on to the Web with easy-to-find vulnerabilities still present. Too little thought is given to the consequences of such action, which in the case of an identity or data theft scenario on a very widely used service could be severe for a correspondingly large number of people.

The nature of the problems discovered by Ley provides fraudsters with the tools to create phishing sites with a good level of plausibility because the base URL would be that of a well-known brand - in this case Google or Yahoo. This is the same in principle to that scenario whereby fraudsters try to find open redirects or cross site scripting vulnerabilities on bank sites to improve the authenticity of their frauds. The importance of testing to remove application vulnerabilities is proportional to the level of trust the public places in the service and the impact of this trust being broken.

Netcraft provides a range of services for companies to eliminate these kinds of errors from their systems, including comprehensive application testing, training for developers and designers of web based applications, and an service aimed specifically at detecting and reporting Open Redirects.

Report a phishing site, gain a chance to win an Ipod

In October we received and reviewed more than 8,700 unique URLs reported to us as phishing sites; by far the busiest month to date.

To further incentivise people reporting phishing sites, each accepted report is now treated as a ticket in a monthly draw for a top of the range iPod.

The October draw was won by Alan. Alan has been one of the largest and most accurate reporters of phishing sites, with several hundred reports accepted to date.

“Every day I feel that I'm doing my small bit to make the Internet a safer place.” said Alan."It's good that there are still people on the Internet who try hard to make it better. Some of them are well known companies like Netcraft, some of us are just anonymous individuals trying to do our bit. As well as the satisfaction of a job well done, it's a lot of fun to have a shiny new toy to play with."

Including the toolbar community itself and customers of ISPs using our Phishing site feed, well over a million people are now protected from phishing by the Netcraft Toolbar.

The Netcraft Toolbar is available for both Internet Explorer and Firefox, and serves as a giant neighborhood watch scheme for the Internet, in which members who encounter a phishing fraud can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL and widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.

Reporting a Suspicious URL

When you visit a page that you believe to be a phishing site, or contains fraudulent or deceptive content, we ask that you report it so that other toolbar users will benefit from your vigilance. The more sites that are reported, the more useful the toolbar will become for everyone.

You can report a URL by clicking on "Report a Phishing Site" in the toolbar menu, accessed by clicking on the Netcraft logo:


After you report a URL, Netcraft will review the report and block the page if we confirm it as part of a phishing attack.

Sony DRM Patch Creates Serious Security Hole

A patch for Sony's controversial digital rights management (DRM) software opens a serious security hole when installed on a Windows machine, according to security researchers from Princeton University. The revelation deepens a public relations nightmare for Sony, which has said it will stop selling music CDs which install the DRM monitoring program when the CD is played, and will replace disks that have already been sold.

"The consequences of the flaw are severe," Ed Felten and Alex Halderman write in their weblog. "It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get."

Security researcher Dan Kaminsky has surveyed Internet nameservers, and found that at least 568,000 DNS servers have received queries unique to the operation of the Sony DRM software, meaning at least that many computers (and probably more) have the problematic rootkit installed. A subset of those will also have the security hole installed by Sony's attempted fix.

Continue reading

Malware Knocks Virtual World Offline

A gaming "virtual world" has been knocked offline for the second time in a month by malware distributed by players within the game. Second Life, an innovative online game with more than 80,000 users, took its entire system down for more than five hours Thursday after an instant messaging bot overwhelmed the game grid with a huge volume of messages. A similar incident on Oct. 23 also caused a lengthy system outage when a user program automatically generated more than 5 billion spheres inside the game.

A user-designed multiplayer world, Second Life encourages programmers and graphic artists to create virtual goods and services to sell, and allows players to convert game currency into real-world cash via an online exchange.

Continue reading