Phishers Exploit Open Redirect on U.S. Government Site

A phishing attack is exploiting an open redirect on a U.S. government web site to gain credibility for bogus e-mails promising an IRS tax refund. The scam e-mail offers an IRS refund of $571 to recipients if they click on a link to govbenefits.gov, a legitimate federal web site that has recently been promoted by President Bush as a tool to streamline relief for victims of Hurricane Katrina.

An open redirect on the govbenefits.gov web site allows phishers to craft a URL that uses the govbenefits.gov URL but instead sends users to a web server in Italy and a phishing site seeking to steal their bank login details and Social Security number.

Netcraft's Anti-Fraud Open Redirect Detection Service assists web site owners in detecting open redirects that could allow criminals to misuse their sites in Internet scams. Online banking sites are under active scrutiny by fraudsters, who are keen to detect and exploit opportunities to run their frauds on banks’ own sites. Taking advantage of programmer mistakes in web applications, fraudsters have been able to run phishing scams on sites belonging to Visa, Mastercard, SunTrust, Charter One, and Citizens Bank.

Netcraft can perform an automatic search of a customer’s web sites to scan for possible redirection URLs in use, on a daily basis, thereby promptly trapping redirects introduced by inadvertent web design and application development.

Solid Performance for Firefox Download Site

The download site for Firefox is performing well following the release of a widely-anticipated update of the open source web browser. Firefox version 1.5, which was released Tuesday night, features "dozens of enhancements," according to the Mozilla Corporation, including improvements in popup blocking, RSS integration and updating.

Firefox download site performanceA distributed network of mirror sites in more than 30 countries appears to be handling current download demand with few difficulties. The download.mozilla.org site, which redirects traffic to the mirrors, has had good response time today and fared well during a Slashdotting Tuesday night. That's a contrast with last year, when the mozilla.org web site was slowed by heavy demand after Firefox 1.0 was released. The browser has since been downloaded more than 112 million times. While that number reflects multiple downloads by some enthusiasts, the growth of Firefox places a premium on efficient handling of new releases.

A dynamically updating chart of the site performance for download.mozilla.org is available here.

Microsoft Launches Free Email Services for Domain Owners

Microsoft has launched the beta version of its Windows Live Custom Domains service, which offers e-mail and instant messaging service for existing domains. The free service offers up to 20 e-mail accounts per domain, with each mailbox featuring scanning for junk mail and viruses, as well as 250 megabytes of storage space - adding up to a storage limit of 5 gigabytes of e-mail for each domain.

With Windows Live Custom Domains, Microsoft can offer e-mail services to business users who want a free solution but are reluctant to use its existing Hotmail service. Tying the new offering to an existing domain makes it easier to address any abuse of the service for spamming, which historically has been a major issue for free e-mail services.

Continue reading

Hacked Server Exposes Brokerage Customers’ Data

Online brokerage Scottrade says a server compromise at a service provider may have exposed the financial details of its customers, including banking account information and Social Security numbers. The security breach follows warnings from U.S. securities regulators that hackers and phishing fraudsters have stepped up their targeting of online investors, prompting enhanced education efforts by brokerage firms and the U.S. government.

Scottrade, which has 1.4 million customers, said it was notified Oct. 25 that a hacker had compromised a server at eCheck Secure, an electronic payment service provided by The Troy Group Inc. "As a result, some of your personal information, including your name, driver's license or state ID number, date of birth, phone number, bank name, bank code, bank number, bank routing number, bank account number and Scottrade account number may have been compromised," read the message to investors.

Continue reading

Yahoo, iPowerWeb Slash Domain Prices to Below $3

Web hosting provider iPowerWeb has slashed its domain name pricing to $2.95 a year, following the lead of Yahoo, which is offering limited-time domain pricing of $2.99 a year. iPowerWeb's promotional offer undercuts the lowest prices seen among current market leaders, and is a sign that Yahoo's continuing promotions are pressuring competitors to respond, planting the seeds for further domain price cutting.

Netfirms ($4.95 a year) and 1&1 Internet ($5.99 a year) are currently offering the lowest non-promotional pricing on domain names, which are viewed as an important "gateway" purchase by small business customers who are likely to be shopping for web hosting and e-commerce services as well. Yahoo has been particularly aggressive in using domain pricing to attract new users, with "permanent" pricing of $9.98 supplemented by limited-time offers of $4.98 and now $2.99 a year.

Continue reading

Google Closes Security Holes in Google Base

Google has fixed a security hole in Google Base that would have exposed sensitive information stored by users of Google's services. The cross site scripting vulnerabilities discovered by British Computer Scientist Jim Ley would allow an attacker to steal cookies and other information from users, while providing fraudsters with the facility to publish their own forms and receive input using an apparently reassuring Google Base URL.

Google Base will spearhead the search giant's entry into classified advertising and payment processing, where it will compete with established offerings from eBay and CraigsList. If it succeeds, Google Base will likely accelerate a trend which has seen a growing percentage of advertising dollars shift to the web and away from television, magazines and especially newspapers, which rely heavily on classified ads for revenue. Strong application security is important to gain user confidence in the service, as Google Base is eventually expected to integrate a micropayment system (presumably Google Payments).

Google's move towards a single Google Account for multiple services exacerbates the problem, as the same account used by the Google Base site can also be used to access financially sensitive services such as AdWords and AdSense, and Google's GMail webmail service.

Ley, who also recently found a similar security vulnerability in Yahoo Maps, says that there is a pervasive problem with companies releasing new applications on to the Web with easy-to-find vulnerabilities still present. Too little thought is given to the consequences of such action, which in the case of an identity or data theft scenario on a very widely used service could be severe for a correspondingly large number of people.

The nature of the problems discovered by Ley provides fraudsters with the tools to create phishing sites with a good level of plausibility because the base URL would be that of a well-known brand - in this case Google or Yahoo. This is the same in principle to that scenario whereby fraudsters try to find open redirects or cross site scripting vulnerabilities on bank sites to improve the authenticity of their frauds. The importance of testing to remove application vulnerabilities is proportional to the level of trust the public places in the service and the impact of this trust being broken.

Netcraft provides a range of services for companies to eliminate these kinds of errors from their systems, including comprehensive application testing, training for developers and designers of web based applications, and an service aimed specifically at detecting and reporting Open Redirects.