Yesterday should have been a day for headlines about progress in the battle against phishing scams. Instead, the news was dominated by a new threat that drove home the need for vigilance on the anti-phishing frontier.
Seeking swifter action against fast-moving phishing scams, some of the Internet's best-known service providers announced plans to share phishing attack data with one another and law enforcement agencies through Digital Phishnet. But even as this anti-phishing dream tream was being unveiled, security researchers revealed a security hole that makes it easier for phishing operations to inject content into legitimate web sites.
Secunia documented a cross-browser security flaw that is likely to be rapidly adopted by phishing operations. The technique uses a specially-crafted link to a legitimate website, which then enables the scammer to place content into pop-up windows opened during the session - including data collection forms that spoof the design of the legitimate site.
A facility in SunTrust Bank's www.suntrust.com web site is allowing fraudsters to inject their own code into the site to obtain SunTrust customer account authentication details, and at least one fraudster has exploited this error by sending large numbers of electronic mails purporting to be from SunTrust, asking the user to confirm their bank account on his form, executed from SunTrust's web site.
The phishing emails received by Netcraft contain the following HTML to create a hyperlink to the SunTrust web site:
Fraudsters have noticed opportunities in SunTrust's internet banking operations previously, and a similar attack was executed in September.
Careless application errors and inadequate testing are believed to be an industry wide problem for internet banking, and even though it would seem to the man in the street appalling that someone could run a fraud from a bank's own site, SunTrust competitors are unlikely to be strongly critical through fear of similar problems with their own facilities.
Netcraft has highlighted the threat of cross site scripting and script injection used for fraud, and provides a range of services for banks and other financial institutions to try and eliminate these kinds of errors from their systems, including comprehensive application testing and training for developers and designers of web based applications.
SCO's web site now proudly proclaims "We own all your code" and "pay us all your money".
Some people might claim that this just represents a simplification in SCO's stance on Unix intellectual property but a closer look reveals that the prominent image on their home page was the work of an attacker.
In addition to the two comments made by the image, a woman is also depicted writing "Hacked by realloc()", which corresponds to the same person responsible for an attack on the site yesterday.
Technology news site The Register today identified its ad serving provider, Falk AG, as the source of banner ads which spread an IFRAME exploit via its web site for more than six hours Saturday. The Register apologized to its readers and recommended that they check their machines for infections.
Reports Saturday noted that the exploit appeared on numerous European sites, but it appears U.S sites may have been affected as well. An analysis of the exploit by LURHQ noted that "one of the hacked sites included a well-known Hollywood film studio's website." Falk AG's client list includes numerous entertainment properties, including NBC/Universal, The Golf Channel, The A&E Network and Sony Pictures Digital. The Dutch news site Nu.nl has also acknowledged hosting the banner exploits.
The Register said it is pursuing details of the event from Falk, which is expected to have public comment about the incident Monday. The LURHQ analysis said some versions of the complex exploit installed adware onto users' computers, while other versions downloaded remote-access trojan.(more...)
Banner ads appearing on popular European web sites have been directing traffic to sites that install malware on visitors' computers, according to the Internet Storm Center. The attacks are exploiting an unpatched flaw in the way Internet Explorer 6 handles the IFRAME tag.
"Some high profile sites with banner ads are linking to servers that have the exploit and malicious code," according to an advisory on the ISC web site. The attack is an expanded version of banner-based exploits that first surfaced earlier this year. Banner networks, with their ability to place code on hundreds of outside sites, offer a vehicle for the rapid distribution of trojans and other malware, as well as a way to deface web pages. It is not clear whether the malicious code was being spread through a compromised ad server, or through specific banners submitted to ad networks.(more...)
A young Italian computer scientist has discovered another phishing opportunity on one of Google's web sites. This bug affects the googlesyndication.com domain, which Google use to serve their text and image based adverts.
The discovery comes only days after a similar bug was found with the Google Desktop search tool. As Google spread their technology over a greater number of application areas, the possibility for error increases; which could explain the recent stream of discoveries as they fall victim to public scrutiny.
Salvatore Aranzulla's web site contains information about his discovery of the bug (Italian). He also demonstrates some URLs that can be used to exploit the bug.