A Microsoft work-in-progress security update to repair the critical Windows MetaFile (WMF) security hole was accidentally released to security sites, the company said late Tuesday. "In our effort to put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site," Mike Reavy noted on the Microsoft Security Response Center Blog. "There has been some discussion and pointers on subsequent sites to the pre-release code. We recommend that customers disregard the postings and continue keep up-to-date with our latest information on the WMF issue. "
Reavy said the update is still scheduled to be released Tuesday, Jan. 10 as part of Microsoft's regular monthly security advisory. With no official patch for the vulnerability, several prominent security organizations are recommending an unofficial patch developed by programmer Ilfak Guilfanov. On Tuesday Guilfanov's web site, Hexblog.com, was linked from posts at Slashdot and Digg, and soon was offline, apparently for exceeding its bandwidth allotment. The site came back online Wednesday, but the unofficial patch is being mirrored by numerous sites, including the Internet Storm Center, which has also provided an FAQ about the WMF vulnerability..
The Netcraft Toolbar has blocked more than 41,000 confirmed phishing URLs since its launch last Dec. 28. The volume of URLs increased throughout the year, from about 3,000 per month in June to 5,000-plus in September and more than 8,000 in October and November. With a year's worth of data in hand, an analysis of attacks illustrates common patterns and practices in the operation of phishing scams.
Top Targets: eBay and Paypal: The eBay online auction site and its Paypal payment processing unit were the top target for phishing scams in 2005, comprising nearly 62 percent of all phishing URLs submitted to Netcraft. Many of these were "insta-spoofs" served from free sites or cracked machines, often via a botnet. Many of these spoof sites bear identical structures and file titles, suggesting deployment via kits that can be rapidly unpacked on a new machine.
While many of these scams are hosted on IP addresses, the filename often includes the name of the targeted brands or emulates aspects of their URLs. More than 13,000 confirmed phishing sites used URLs that included either "paypal" or "ebay," usually as a subdirectory or filename. Of those, 3,659 used "look-alike" domain names designed to confuse the recipient. These domains included slight misspellings, substituting numbers for letters or using hyphenated phrases or third-level domains (paypal.mysite.com). Nearly 4,700 phishing URLs contained the string "webscr," mimicking the genuine Paypal cgi script. Other URLs included "eBayISAPI," which appears in many eBay searches.
eBay and Paypal have more than 68 million active users between them, all of whom use e-mail, meaning bulk phishing e-mails will get a higher percentage of "hits" (recipients with accounts at the targeted institution) for eBay properties than other potential financial targets.
Phishing URL Trends: Of the total of 41,047 URLs examined in our analysis, the following trends were seen:
- 13,716 phishing URLs were hosted on raw IP addresses
- 8,785 phishing URLs contain '/.' (i.e. use a hidden directory on the web
- 2,104 specified a port number other than port 80
- 8 used cross-site scripting
- 6 were hosted on FTP servers
Phishing attacks are continually evolving, as fraudsters develop new strategies and quickly refine them in an effort to stay a step ahead of banking customers and the security community. Here are some of the phishing trends and innovations we noted in 2005:
- Open redirects became a favorite method for phishing attacks to "borrow" the URL and credibility of a trusted web site. Redirects are common on large web sites, where server side scripts are employed to redirect users to different parts of the site. On banking sites, these redirects can be exploited by fraudsters to create a link that appears genuine, as it will appear to point to a page on the bank’s web site. When a user clicks on the link, they may be unaware that they have been redirected to the phishing site. This tactic was used this year in phishing attacks that redirected users from eBay's login page and a U.S. government site that managed relief for hurricane victims.
- Pharming attacks, which use DNS security breaches to invisibly redirect users, began appearing in live phishing scams in early 2005. Among the techniques employed was DNS cache poisoning, a sophisticated attack that is rare but allows malicious web sites to spoof trusted web brands, redirecting requests for legitimate financial sites to look-alike fraud sites.
In its first year, the Netcraft Toolbar Community has identified more than 450 confirmed phishing URLs using "https" urls to present a secure connection using the Secure Sockets Layer (SSL). The number of phishing attacks using SSL is significant for several reasons. Anti-phishing education initiatives have often urged Internet users to look for the SSL "golden lock" as an indicator of a site's legitimacy. Although phishers have been using SSL in attacks for more than a year, the trend seems to have drawn relatively little notice from users and the technology press.
Case in point: The use of SSL certificates in phishing scams made headlines in September when a security vendor issued a press release warning of a scam in which a spoofed phishing site used a self-signed certificate, presenting a gold lock icon but also triggering a browser warning that the certificate was not recognized. In this case, the phishers were banking on the likelihood that many users will trust the padlock and ignore the certificate warning. Despite the attention, the attack wasn't particularly new or novel.
The Netcraft Toolbar community has identified many similar phishing attacks in which spoof sites use a certificate that can be expected to trigger a browser warning, in hopes that some victims will view the "Do you want to proceed?" pop-up and simply click "Yes." Numerous scams have used a hosting company's generic shared server SSL certificate with a spoof site housed on a "sound-alike" URL lacking its own certificate.
Do you know who checked that gold padlock in your web browser? Names like GeoTrust, Comodo, Starfield Technologies and Thawte will likely become more familiar to Internet users as browsers begin displaying the names of the issuers of SSL certificates that secure e-commerce web sites. These companies, known as certificate authorities, will gain visibility as the padlock icon indicating a secure connection moves to the address bar in Internet Explorer 7 and other new browser releases.
The move is part of a broader effort to improve Internet security, with Microsoft working with the developers of Firefox, Opera and Konqueror browsers to simplify the display of SSL certificate information. The unusual collaboration is driven by concerns about phishing, and is likely to bring changes in the SSL market, which has become more competitive lately following years of dominance by VeriSign.
An exploit has been released for a new security hole in phpBB, the popular web forum software. The attack has the potential to compromise any phpBB installation that has enabled the use of HTML in forum messages, a setting which is disabled in the default configuration. Allowing HTML in forms poses a security risk, but is popular with forum participants and thus may be activated by some web site operators. The vulnerability in version 2.0.18 was was featured on security sites Monday, and exploit code is now in the wild, according to the Internet Storm Center, which noted that "an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users." The exploit can be defended if phpBB's "Allow HTML" and register_globals settings are both disabled