The cross-site scripting (XSS) vulnerability, which was harnessed by fraudsters to execute a convincing phishing attack against PayPal users, may have been exploitable for two years previously.
Despite the prompt action taken by PayPal to address the security flaw after it was reported by Netcraft last month, it became apparent that the very same flaw had been discovered and documented two years earlier. The page - cached by the Wayback Machine - describes a cross site scripting attack that affected donation pages for suspended users, and is the exact method exploited by the phishing attack in June 2006.
Chris Marlow tried to warn PayPal about the flaw in June 2004, but claims the PayPal representative he spoke to did not understand what cross-site scripting was, and - due to company policy - was unable to provide an email address to allow a proof-of-concept exploit to be demonstrated. Frustrated at being unable to convey the seriousness of the issue, Mr Marlow then posted details about the exploit to his web site but did not receive any response from PayPal.
PayPal fixed the flaw after reports of the phishing attack were published by Netcraft. A PayPal company spokesman initially said that they did not know how many people had fallen victim to the scam, although as the fraud was committed using PayPal's own web site, analysis of log files, if available, would have allowed PayPal to identify users at risk and take appropriate action.
Netcraft offers a Web Application Security Testing service, which can discover a number of security flaws, including cross-site scripting vulnerabilities like these.
An ongoing phishing attack against Citibank is using man-in-the-middle tactics against two-factor authentication to gain access to online banking accounts.
The second authentication factor used by Citibank is provided by a security token – a physical item possessed by an account holder – which generates a one-time password that remains valid for approximately one minute. One-time passwords are useless to an attacker if they are captured via keylogging trojans, as they will not work immediately after the victim has used them, nor will the attacker be able to gain access to the victim's account at a later date.
However, by tricking a victim into entering these items of data into a form, the attacker's site can automatically relay the authentication credentials to the real Citibank site instantly. Effectively, this allows the attacker to successfully log in on behalf of the victim.
Guidance issued by the Federal Financial Institutions Examination Council (FFIEC) has called for banks to provide additional protection for high-risk transactions, such as those that involve moving funds or accessing sensitive customer information, but it is now clear that fraudsters are already making efforts to bypass the protection features being added by banks.
The Netcraft Toolbar community has to date reported 35 sites that have used this method to attack Citibank customers. All of the reported sites have used Russian country-code top level domains (.ru), although the hosting location varies from site to site.
Netcraft offers a comprehensive range of phishing protection services, including Phishing, Identity Theft and Bank Fraud Detection, and a Phishing Site Feed, which offers realtime protection against new phishing attacks as soon as they are reported. Netcraft's Phishing Site Countermeasures service can be used to 'take down' fraudulent sites that are actively engaged in phishing attacks.
Doug Erwin has a big job ahead of him. As the new CEO of The Planet and EV1Servers, Erwin must blend the operations of the world's two largest dedicated server providers and position the new entity to compete in a rapidly-evolving sector of the hosting industry. But Erwin, an IT industry veteran, is used to large challenges. And GI Partners, the new owner of The Planet and EV1Servers, has plenty of ambition and a track record of building big.
The two Texas-based companies, which were acquired by GI Partners in early May, are plenty big already. The Planet and EV1Servers have more than 2.7 million hostnames between them, and between Dallas and Houston operate seven data centers and 370,000 square feet of web hosting space.
Customers of both companies are eager to hear what changes lie ahead. As he settled into his new position last week, Erwin said they'll need to wait a little longer. "In the next 30 days I'm going to put together the new management team, and I've committed to everyone that in the 30 days they'll know where their job is," said Erwin. "Within 90 days from today I intend to have our strategy completed. We don't even have a name for the company yet," he added, saying that all options remained on the table, including choosing between the two brands or adopting an entirely new name.
Ranking by Failed Requests and Connection time,
June 1st - 30th 2006
iPowerWeb is the most reliable hostinig company site in June, followed closely by Hostway, as budget hosts continue to demonstrate that their networks can compete with those of high-end managed hosting providers.
iPowerWeb's shared hosting accounts start at $7.95 a month for packages that include a free domain and 10 gigs of disk space. Hostway, which ties for second with Above.net this month, offers "SuperPower" shared hosting accounts that include 150 gigs of disk space and 1,500 gigs of data transfer (no, those aren't typos) starting at $9.95 a month.
Leading managed hosting providers continue to turn in strong performance, with Datapipe, Navisite, Rackspace and New York Internet all among the top 10, which included four sites on FreeBSD, three on Linux and two using Windows Server 2003. Of the 50 major hosts we monitor, 34 had no measurable outages in June.
In the July 2006 survey we received responses from
88,166,395 sites, an increase of 2.87 million (3.25%) from last month. The Internet continues to see strong hostname growth, and has now gained 14.1 million hostnames (19%) in 2006 for an average increase of more than 2 million per month.
It was a good month for the Apache web server, which gains 3.2 million hostnames. The improvement boosts Apache's market share by 1.8% to 63.25%, gaining back some of the ground it lost during several months of strong gains for Windows servers. The largest gains for Apache was at Oversee.Net, which added more than 0.58 million hostnames on the Linux/Apache platform. But Apache's growth in the hosting sector extends beyond Oversee.Net, as eleven other hosting companies added 20K or more hostnames on Apache.
Solaris has a loss of 953K hostnames, resulting in a loss of nearly half its market share (-1.1% to 1.5%). The decline occurred at a single host, Network Solutions, where access problems prevented us from obtaining a thorough tally.
Total Sites Across All Domains August 1995 - July 2006
|Developer||June 2006||Percent||July 2006||Percent||Change|
Potentially serious security flaws have been found in existing versions of the Mambo and Joomla content management systems, and developers of the two projects are advising users to install upgrades or security patches as soon as possible. Both programs are vulnerable to SQL injection attacks, which allow remote attackers to execute commands on the web server in by typing SQL code into form fields. Joomla is a fork of Mambo, with both programs derived from the same code base.
Mambo and Joomla are open source projects which use the PHP scripting language and MySQL database. These applications are popular with web site owners because they are powerful, user-friendly, and can be installed by users with little or no PHP coding experience. They are also frequently targeted by Internet criminals seeking to crack web servers for use in botnets, phishing scams and distributed denial of service (DDoS) attacks. The Internet Storm Center said it is receiving reports that older versions of Mambo are being actively targeted and exploited using unpatched vulnerabilities.