Visual Spoofing Offers new Opportunities for Phishers

A new technique called "visual spoofing" provides a way for Internet phishing scams to convincingly mimick the web sites of banks and credit card companies. The technique alters the user interface of the web browser, substituting images for parts of the browser interface that would normally help users detect the fraud.

Visual spoofing, as outlined by Don Park, uses javascript links to launch a new browser window without scrollbars, menubars, toolbars and the status bar. This coding trick is commonly used to launch pop-up ads. In visual spoofing, these GUI elements are replaced by images, allowing the site creator to substitute a fake status bar containing the URL for a legitimate site, along with an image of a "lock" indicating a secure SSL site. Park has posted a demo of the technique, which works in multiple browsers. End users have the ability to configure their browser to prevent this behavior.

Phishing attacks seek to trick account holders into divulging sensitive account information through the use of e-mails which appear to come from trusted financial institutions and retailers. Such scams have multiplied in recent months, with many taking advantage of a bug in Internet Explorer that made it easier for fraudsters to simulate the URLs of target financial institution.

Microsoft issued a patch to repair that problem on Feb. 2. Visual spoofing does not rely on the URL spoofing, relying instead on the fake images to accomplish the deceipt.

DDoS may have ended, but www.sco.com not yet back in the DNS

The www.sco.com hostname remains out of the DNS, three days after the denial of service attack connected to the MyDoom virus was scheduled to finish. Computers infected by MyDoom, which at one point estimated to be more than 400,000, were programmed to launch a DDoS on SCO's main web site Feb. 1 and end the attack Feb. 12, this past Thursday.

However, SCO have not yet put ww.sco.com back into the DNS, perhaps indicating that varients of the virus may be continuing the attack, or perhaps simply that they perceive that the cost/benefit of the site has become unfavourable.

% host www.sco.com
Host www.sco.com not found: 3(NXDOMAIN)

SCO took www.sco.com out of the DNS shortly after the attack began Feb. 1, and began using www.thescogroup.com as an alternate site. That URL has also experienced performance problems at first, but has been available in recent days.

A dynamically updating table of the sites affected by the MyDoom DDoS is available here.

Windows Leak: Security Problems of Open Source, Without the Benefits

Security experts say this week's leak of partial source code for Windows 2000 and Windows NT probably won't mean a huge change in the security of Windows machines. The leaked code - about 15 million lines of the Win2K operating system's 35 million lines of code - isn't substantial enough for pirates to create wholesale copies, but may provide additional ammunition for hackers and virus writers.

"The leak will do some damage to the security of Windows machines, but it's not clear how much," said Ed Felten of Princeton University, a security researcher who has reviewed Windows source code and was an expert witness in the antitrust case against Microsoft. "There's a longstanding debate about the security implications of open source development. Source code access makes it easier to find security bugs. With open source, you make it easier for honest outsiders to find bugs, which is good, but you also make it easier for malicious outsiders to find bugs, which is bad.

"This kind of leak give us the worst of both worlds: honest outsiders will avoid looking at the stolen code, while malicious outsiders use the code; so you get the security drawbacks of open source without the security benefits," Felten added. "This will only matter, though, if the bad guys would otherwise have trouble finding bugs, which may not be the case."

Continue reading

More Patches in Pipeline from Microsoft

eEye Digital Security has savaged Microsoft for taking more than six months to patch a critical security vulnerability in Windows' implementation of ASN.1, which says it identified in July 2003. Marc Maiffret branded the response "ridiculous" and has produced a web page detailing three additional high impact security vulnerabilities that the firm reported to Microsoft more than three months ago.

According to eEye, the vulnerabilities include a remote exploit that could allow attackers to gain system privileges, and a denial of service strategy that could "total system failure." Both vulnerabilities were reported Sept. 10, and affect default installations of Windows in use on more than 300 million computers, including Windows NT, Windows 2000, Windows XP and Windows Server 2003. eEye reported an additional high-risk remote exploit on Oct. 8.

Continue reading

DoomJuice.B Refines DDoS Attack Against Microsoft

A new version of the DoomJuice worm seeks to launch a more effective denial of service attack on Microsoft's web site tomorrow, according to F-Secure.

The new worm, DoomJuice.B, sets random HTTP headers to make it more difficult to filter the attack traffic, seeking to work around a defensive measure used by Microsoft earlier this week, when www.microsoft.com dropped requests without User-Agent headers to differentiate between Web browsers and the DDoS attack agents. The DoomJuice.B DDoS also initiates twice as many requests as its predecessor, launching 32-192 parallel threads instead of the 16-96 of DoomJuice.A.

Continue reading

www.microsoft.com probably under siege from DDoS

Microsoft's main web site at www.microsoft.com experienced performance problems this morning, probably due to a DDoS attack launched by a new version of the MyDoom virus.

Microsoft web site performance

A dynamically updating graph is available here, with performance data for all the sites involved in the MyDoom DDoS located here.

This morning at around 9am GMT response times to www.microsoft.com surged, and for a time the site failed to respond. Subsequently, the www.microsoft.com began dropping requests without User-Agent headers, apparently to differentiate between traffic from Web browsers and the DDoS attack agents. Our monitoring requests, which do not normally set a User-Agent, were also dropped. These were changed to supply a user-agent header on requests to www.microsoft.com around 2pm GMT and have since seen mixed results, with relatively normal results from London, but some extended and erratic response times from Atlanta, New York and Texas.

General internet connectivity has not been noticeably impaired with 41 of 52 leading hosting company sites experiencing no failed requests in the last 24 hours.