Security Holes in WordPress Blogging Tool

Security vulnerabilities have been found in WordPress, the popular PHP-based open source blogging application. Some scripts in WordPress are not properly validated, leaving the program open to cross-site scripting (XSS) attacks in which third parties could insert content into a WordPress-driven site.

WordPress has grown in popularity in recent months, emerging as a leading free alternative to Movable Type, which alienated many users with new licensing terms. The vulnerability could allow hackers to create a URL that generates pages in WordPress from content created by the hacker, rather than the site owner. An unsuspecting user following such a link would be sent to the trusted WordPress-based site, but encounter fake content that could include a range of exploits, such as links that infect their computers with spyware or trojans.

Says New Defenses Stymie DDoS Attack

, which handles credit card transactions for online merchants, says new defensive measures have helped deflect a persistent distributed denial of service (DDoS) attack that caused sporadic outages last week. “successfully installed industry leading solutions designed to negate the impact of (DDoS) attacks,” the company said over the weekend. “These installations are successfully thwarting a current and sustained attack with no DDoS-related degradation to our service whatsoever.”


Consolidation Hits Web Site Payment Processors

It's been a turbulent month for companies offering credit card processing for web site operators. PaySystems discontinued its third-party transaction processing service Aug. 16, and last week's operations were disrupted by a distributed denial of service (DDoS) attack.

Now the status of online payment processor iBill is in flux after its acquisition by Care Concepts Inc. was rescinded. Both Care Concepts and the seller, Penthouse International, say they hope to complete the deal at a future date.


JPEG Exploit Attempt Sent to Newsgroups

A JPEG image that tries to use a Windows security hole to seize control of an Internet user’s computer has been released to Usenet newsgroups, according to a post on the BugTraq mailing list.

Security groups are split on whether the image succeeds in its attempt, but most agree that the incident is a precursor to a more ambitious exploit with improved code. Others maintain that fears of a “JPEG of Death” wreaking havoc on the Internet are overdone, even as reports emerge that the vulnerability in Microsoft’s Graphic Device Interface (GDI) is showing up in numerous non-Microsoft applications.

The malicious JPEG was sent to several Usenet newsgroups that post pornographic images. Some security researchers say early tests show the exploit crashes Windows XP machines when it is opened, but stops short of compromising computers. But maintainers of EasyNews, a web-based interface for reading Usenet, say the image installs a trojan. “Once this JPEG overflowed GDI+, it phoned home, connected to an ftp site and downloaded almost 2 megs of stuff,” according to a message from EasyNews. “It installs a trojan that installs itself as a service.”


Phishers Manipulate SunTrust Site to Steal Data

A new phishing attack alters the SunTrust Bank web site, allowing fraudsters to collect customer authentication details using the bank’s own site. The attack inserts a form into a frameset within the investor relations area of the SunTrust web site, giving the outward appearance that it is part of the bank’s official site.

The spoofed page includes a form and asks the user to provide their Social Security number, ATM card number, ATM password/PIN, and the last four digits of their SunTrust account. The “bait” in this phishing scam is an email with the subject “SunTrust Bank - Suspicious Activity Suspected” with a spoofed return address of “”. The mail tells SunTrust customers that “your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information.” The mail includes a link to the investor relations page of the SunTrust site, which is manipulated to insert the spoofed page from a remote server at the IP address, located at Lund University in Sweden.

The page being exploited on the SunTrust site is a framed page, an HTML structure that displays the text of one web page within another. SunTrust was using the technique to display third-party content from, which provides outsourced investor relations information for corporations. The page was linked from SunTrust's home page with the following URL:


Visitors with knowledge of HTML can easily recognize that the page at the first URL is inserting the second page into a frame. The phishers constructed a similar URL, using the "source=" technique to insert a web page from a different remote server. The URL is obfuscated in the e-mail, making it appear to be a legitimate link to the SunTrust web site. A similar obfuscation of the link on SunTrust's site would have made the vulnerability less obvious. Having the ability to hijack the financial institution's own site is a big step forward for fraudsters, as it makes their attack much more plausible.
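The pattern described above, a framing page that loads whatever URL its "source=" parameter names, is shown here beside a hardened version that only frames an allowlisted provider. This is an added illustration, not SunTrust's or Netcraft's code; the provider host `ir-provider.example` is a placeholder because the page does not name the third-party service.

```python
import html
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hosts the framing page may pull content from. Placeholder: the investor
# relations provider is not named on the page.
ALLOWED_FRAME_HOSTS = {"ir-provider.example"}
DEFAULT_FRAME_URL = "https://ir-provider.example/"


def frame_html_vulnerable(source: str) -> str:
    """Vulnerable pattern: the value of ?source= is framed verbatim, so the
    site lends its own address bar and branding to foreign content."""
    return f'<frameset cols="*"><frame src="{source}"></frameset>'


def validate_frame_source(source: str) -> Optional[str]:
    """Return a normalised https URL if `source` names an allowed host,
    otherwise None. Handles the usual bypass shapes: scheme-relative
    '//evil', 'javascript:' / 'data:', userinfo tricks such as
    'https://allowed@evil/', suffix hosts 'allowed.evil', odd ports."""
    parts = urlsplit(source.strip())
    if parts.scheme.lower() != "https":
        return None
    # .hostname drops userinfo and port and lowercases the host, so
    # 'https://ir-provider.example@evil.example/' yields 'evil.example'.
    host = parts.hostname
    if host is None:
        return None
    host = host.rstrip(".")
    if host not in ALLOWED_FRAME_HOSTS:      # exact match, not a suffix test
        return None
    try:
        port = parts.port                    # raises ValueError on 'host:abc'
    except ValueError:
        return None
    if port not in (None, 443):
        return None
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def frame_html_hardened(source: str) -> str:
    """Hardened pattern: frame only an allowlisted URL, fall back to the
    known-good provider page, and HTML-escape the attribute value."""
    url = validate_frame_source(source) or DEFAULT_FRAME_URL
    return f'<frameset cols="*"><frame src="{html.escape(url, quote=True)}"></frameset>'


if __name__ == "__main__":
    # Constructed sample: a phisher-style source pointing at a foreign host.
    for s in ("https://ir-provider.example/overview", "https://evil.example/form.html"):
        print(s, "->", validate_frame_source(s))
```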

SunTrust Banks, Inc., is headquartered in Atlanta, Georgia, and is among the largest commercial banks in the U.S. As of June 30 SunTrust had total assets of $128.1 billion and total deposits of $85.5 billion. In a statement on its web site, SunTrust says "security is the most important issue SunTrust faces in making Internet Banking available for our customers. Using industry standard security techniques ensures that your personal financial information remains confidential."

Opportunities for fraudsters to inject their own forms into the sites of banks and other financial institutions are common but, until now, have not been widely taken advantage of; customers of internet banking systems can expect a spate of similar attacks to follow.

Netcraft provides a range of services for banks and other financial institutions to try and eliminate these kinds of errors from their systems, including comprehensive application testing and training for developers and designers of web based applications.

As More Exploits Emerge, Security Groups Prep for JPEG Attack

The Internet security community is preparing for a working virus or worm attack based on the Microsoft JPEG exploit revealed last week. Several samples of working exploit code have been published on security web sites and mailing lists, and antivirus vendors have quickly updated their products to defend against the attacks.

The critical security hole allows a remote attacker to create a JPEG image that, when viewed in Microsoft software programs, could allow the hacker to gain control of the computer. The flaw was revealed by Microsoft Sept. 14, along with a security update that addresses it. Code that partially exploits the flaw was published last week, and has been rapidly developed into code that could be used in a virus or worm.

The latest exploit, published this morning on the Full Disclosure mailing list, claims to be able to create an administrator-level account on Windows machines. Another published exploit reported by AusCERT allows the execution of code on the remote machine.
