95% of HTTPS servers vulnerable to trivial MITM attacks

Only 1 in 20 HTTPS servers correctly implements HTTP Strict Transport Security, a widely-supported security feature that prevents visitors making unencrypted HTTP connections to a server.

The remaining 95% are therefore vulnerable to trivial connection hijacking attacks, which can be exploited to carry out effective phishing, pharming and man-in-the-middle attacks. An attacker can exploit these vulnerabilities whenever a user inadvertently tries to access a secure site via HTTP, and so the attacker does not even need to spoof a valid TLS certificate. Because no crypto-wizardry is required to hijack an HTTP connection, these attacks are far easier to carry out than those that target TLS, such as the recently announced DROWN attack.

Background

The growth of HTTPS has been a mostly positive step in the evolution of the internet, enabling encrypted communications between more users and websites than ever before. Many high profile sites now use HTTPS by default, and millions of TLS certificates are currently in use on the web. With companies like Let's Encrypt offering free certificates and automated management tools, it is also easier than ever to deploy an HTTPS website that will be trusted by all modern browsers.

The primary purpose of a TLS certificate is to allow a browser to verify that it is communicating with the correct website. For example, if https://www.example.com uses a valid TLS certificate, then a man-in-the-middle attacker would not be able to hijack a browser's connection to this site unless he is also able to obtain a valid certificate for that domain.

A man-in-the-middle attack like this is generally not possible if the customer uses HTTPS.

A man-in-the-middle attack like this is generally not possible if the initial request from the customer uses HTTPS.

It would be extremely difficult for the attacker to obtain a valid certificate for a domain he does not control, and using an invalid certificate would cause the victim's browser to display an appropriate warning message. Consequently, man-in-the-middle attacks against HTTPS services are hard to pull off, and often not very successful. However, there are plenty of realistic opportunities to use the unencrypted HTTP protocol to attack most HTTPS websites.

HTTP Strict Transport Security (HSTS)

Encrypted communications are an essential requirement for banks and other financial websites, but HTTPS alone is not sufficient to defend these sites against man-in-the-middle attacks. Astonishingly, many banking websites lurk amongst the 95% of HTTPS servers that lack a simple feature that renders them still vulnerable to pharming and man-in-the-middle attacks. This missing feature is HTTP Strict Transport Security (HSTS), and only 1 in 20 secure servers currently make use of it, even though it is supported by practically all modern browsers.

Each secure website that does not implement an HSTS policy can be attacked simply by hijacking an HTTP connection that is destined for it. This is a surprisingly feasible attack vector, as there are many ways in which a user can inadvertently end up connecting via HTTP instead of HTTPS.

Manually typed URLs often result in an initial insecure request, as most users do not explicitly type in the protocol string (http:// or https://). When no protocol is given, the browser will default to HTTP – unless there is an appropriate HSTS policy in force.

To improve accessibility, most secure websites also run an HTTP service to redirect users to the corresponding HTTPS site – but this makes them particularly prone to man-in-the-middle attacks if there is no HSTS policy in force. Not only would many users be accustomed to visiting the HTTP site first, but anyone else who visits the site via an old bookmark or search engine result might also initially access the site via an insecure HTTP address. Whenever this happens, the attacker can hijack the initial HTTP request and prevent the customer being redirected to the secure HTTPS website.

This type of attack can be automated with the sslstrip tool, which transparently hijacks HTTP traffic on a network and converts HTTPS links and redirects into HTTP. This type of exploit is sometimes regarded as a protocol downgrade attack, but strictly speaking, it is not: rather than downgrading the protocol, it simply prevents the HTTP protocol being upgraded to HTTPS.

NatWest's online banking website at www.nwolb.com lacks an HSTS policy and also offers an HTTP service to redirect its customers to the HTTPS site. This setup is vulnerable to the type of man-in-the-middle attack described above.

NatWest's online banking website at www.nwolb.com lacks an HSTS policy and also offers an HTTP service to redirect its customers to the HTTPS site. This setup is vulnerable to the type of man-in-the-middle attack described above.

Vulnerable sites can be attacked on a massive scale by compromising home routers or DNS servers to point the target hostname at a server that is controlled by the attacker (a so-called "pharming" attack). Some smaller scale attacks can be carried out very easily – for example, if an attacker sets up a rogue Wi-Fi access point to provide internet access to nearby victims, he can easily influence the results of their DNS lookups.

Even if a secure website uses HTTPS exclusively (i.e. with no HTTP service at all), then man-in-the-middle attacks are still possible. For example, if a victim manually types www.examplebank.com into his browser's address bar—without prefixing it with https://—the browser will attempt to make an unencrypted HTTP connection to http://www.examplebank.com, even if the genuine site does not run an HTTP service. If this hostname has been pharmed, or is otherwise subjected to a man-in-the-middle attack, the attacker can hijack the request nonetheless and eavesdrop the connection as it is relayed to the genuine secure site, or serve phishing content directly to the victim.

In short, failing to implement an HSTS policy on a secure website means attackers can carry out man-in-the-middle attacks without having to obtain a valid TLS certificate. Many victims would fall for these attacks, as they can be executed over an unencrypted HTTP connection, thus avoiding any of the browser's tell-tale warnings about invalid certificates.

Implementing HSTS: A simple one-liner

The trivial man-in-the-middle attacks described above can be thwarted by implementing an appropriate HSTS policy. A secure website can do this simply by setting a single HTTP header in its responses:

    Strict-Transport-Security: max-age=31536000;

This header can only be set over an HTTPS connection, and instructs compatible browsers to only access the site over HTTPS for the next year (31,536,000 seconds = 1 year). This is the most common max-age value, used by nearly half of all HTTPS servers. After this HSTS policy has been applied, even if a user manually prefixes the site's hostname with http://, the browser will ignore this and access the site over HTTPS instead.

The combination of HSTS and HTTPS therefore provides a good defence against pharming attacks, as the attacker will not be able to redirect and intercept plaintext HTTP traffic when a client obeys the HSTS policy, nor will he be able to present a valid TLS certificate for the site he is impersonating.

The attacker cannot even rely on a small proportion his victims unwisely ignoring the use of an invalid certificate, as browsers must regard this situation as a hard fail when an HSTS policy is in force. The browser will simply not let the victim access the site if it finds an invalid certificate, nor will it allow an exception to be added.

When Google Chrome encounters an invalid certificate for a site that has an effective HSTS policy, the victim is not allowed to bypass the browser's warning message or add an exception.

When Google Chrome encounters an invalid certificate for a site that has an effective HSTS policy, the victim is not allowed to bypass the browser's warning message or add an exception.

To prevent other types of attack, it is also wise to add the includeSubDomains directive to ensure that every possible subdomain of a site is protected by HSTS. This mitigates cookie injection and session fixation attacks that could be executed by impersonating an HTTP site on a non-existent subdomain such as foo.www.example.com, and using it to set a cookie which would be sent to the secure site at https://www.example.com. This directive can be enabled like so:

    Strict-Transport-Security: max-age=31536000; includeSubDomains

However, some thought is required before taking the carte blanche approach of including all subdomains in an HSTS policy. The website's administrators must ensure that every single one of its subdomains supports HTTPS for at least the duration specified by the max-age parameter, otherwise users of these subdomains risk being locked out.

Setting an HSTS policy will also protect first time visitors who habitually use search bars or search engines to reach their destination. For example, typing "paypal" into Google's HTTPS search engine will yield a link to https://www.paypal.com, because Google will always link to the HTTPS version of a website if an appropriate HSTS policy exists.

HSTS preloading

HSTS is clearly an important security feature, but there are several circumstances under which its benefits will not work. Because HSTS directives are delivered via an HTTP header (over an HTTPS connection), HSTS can only instruct a browser to only use HTTPS after the browser's first visit to a secure website.

Men-in-the-middle can therefore still carry out attacks against users who have:

  • Never before visited the site.
  • Recently reinstalled their operating system.
  • Recently reinstalled their browser.
  • Switched to a new browser.
  • Switched to a new device (e.g. mobile phone).
  • Deleted their browser's cache.
  • Not visited the site within the past year (or however long the max-age period lasts).

These vulnerabilities can be eliminated by using HSTS Preloading, which ensures that the site's HSTS policy is distributed to supported browsers before the customer's first visit.

Website administrators can use the form at https://hstspreload.appspot.com/ to request for domains to be included in the HSTS Preload list maintained by Google. Each site must have a valid certificate, redirect all HTTP traffic to HTTPS, and serve all subdomains over HTTPS. The HSTS header served from each site must specify a max-age of at least 18 weeks (10,886,400 seconds) and include the preload and includeSubdomains directives.

It can take several months for domains to be reviewed and propagated to the latest stable versions of Firefox, Safari, Internet Explorer, Edge and Chrome. When domains are added to the preload list, all users of these browsers will benefit from the security offered by HSTS, even if they have never visited the sites before.

Conclusions

HSTS is widely supported, but not widely implemented. Nearly all modern browsers obey HSTS policies, including Internet Explorer 11, Microsoft Edge, Firefox, Chrome, Safari and Opera – yet less than 5% of secure websites enable this important security feature.

Secure websites that do not use HSTS are trivial to attack if the attacker can hijack a victim's web traffic, but it is even easier to defeat such attacks by implementing an HSTS policy. This begs the question of why so few websites are using HSTS.

The HSTS specification (RFC 6797) was published in 2012, and so it can hardly be considered a new technology any more. Nonetheless, many website administrators might still be unaware of its existence, or may not yet feel ready to commit to running an HTTPS-only website. These are probably the most significant reasons for its low uptake.

Some website administrators have even disabled HSTS by explicitly setting a max-age of 0 seconds. This has the effect of switching off any previously established HSTS policies, but this backpedalling can only take proper effect if every client revisits the secure site after the max-age has been set to zero. When a site implements an HSTS policy, it is effectively committed to maintaining its HTTPS service for as long as the largest max-age it has ever specified, otherwise it risks denying access to infrequent visitors. Nearly 4% of all HTTPS servers that use the Strict-Transport-Security header currently set a max-age of zero, including Twitter's t.co URL-shortener.

Browser support for HSTS can also introduce some privacy concerns. By initiating requests to several distinct hostnames (some of which enable HSTS), a hostile webpage can establish a "supercookie" to uniquely identify the client browser during subsequent visits, even if the user deletes the browser's conventional cookies. The browser will remember which pattern of hostnames had HSTS enabled, thus allowing the supercookie to persist. However, this privacy concern only affects clients and does not serve as an excuse for websites to avoid implementing their own HSTS policies.

Implementing an HSTS policy is very simple and there are no practical downsides when a site already operates entirely over HTTPS. This makes it even more surprising to see many banks failing to use HSTS, especially on their online banking platforms. This demonstrates poor security practices where it matters the most, as these are likely to be primary targets of pharming attacks.

Netcraft offers a range of services that can be used to detect and defeat large-scale pharming attacks, and security testing services that identify man-in-the-middle vulnerabilities in web application and mobile apps. Contact security-sales@netcraft.com for more information.

eBay scripting flaws being actively exploited by fraudsters

Fraudsters are actively exploiting scripting flaws in eBay's auction platform to carry out a spate of highly convincing scams. The latest attacks steal money and credentials, and are still taking place today, despite a recent partial fix that attempted to stop these flaws being exploited.

Victims stand to lose thousands of pounds in these attacks.

Victims stand to lose thousands of pounds in these clever phishing attacks, which are launched directly from eBay's own website.

eBay had originally declined to fix the vulnerability at all, resulting in widespread criticism from security experts, which perhaps influenced its subsequent decision to implement a partial fix. eBay later said that it took the issue very seriously, and that it did not find any fraudulent activity stemming from this incident.

However, this week, Netcraft has seen several fraudulent eBay listings that actively exploit these flaws. Not only does this demonstrate that the underlying issue has not been adequately fixed, but it shows that it is also being exploited by fraudsters.

Despite the partial fix, fraudsters are still able to include malicious JavaScript in eBay listing descriptions, and these scripts are being used to great effect. Merely viewing a fraudster's auction will cause a user to be automatically diverted away from the genuine eBay website and onto a phishing site.

These latest incidents rank amongst the most impressive phishing attacks, as they are so incredibly convincing. They are launched from the genuine eBay website, which will have already gained the victim's trust, and no untoward user interaction is required. Because the phishing site looks so similar to the genuine eBay website, it is likely that most victims would never realise they have ended up on a fraudulent website, especially as they did not click on any links pointing to external sites.

This week's attacks appeared to be posted from compromised eBay accounts, some of which had been created several years ago. This makes it difficult for victims to identify the listings as fraudulent, as they are ostensibly posted by users who have been members for several years and have 100% positive feedback.

A real attack in detail

Motor vehicles are a magnet for fraudulent activity on eBay due to the high values of such items. Fraudsters will often copy the contents of a previous, legitimate listing and use it to create their own listing at a temptingly low price.

Three months ago, the following motorhome was sold on eBay for £19,295. This was a genuine listing for a genuine vehicle, so some details have been redacted to protect the innocent:

A legitimate eBay auction that ended three months ago. The details of this motorhome auction were reused in one of this week's fraudulent listings.

A legitimate eBay auction that ended three months ago. The details of this motorhome auction were reused in one of this week's fraudulent listings.

This week, a fraudster copied the contents of this auction and used it to create his own fraudulent listing. This would likely be found by anyone searching for similar motorhomes:

The fraudulent listing, as it appeared in eBay's search results.

The fraudulent listing, as it appeared in eBay's search results.

The fraudulent listing was posted from an eBay account created in April 2010. The user has 100% positive feedback accrued from previous, legitimate purchases, which suggests that the account had been compromised by the fraudster. The fraudulent listing has since been removed from eBay, but the legitimate account remains.

The compromised account that was used to post the fraudulent listing had 100% positive feedback.

The compromised account that was used to post the fraudulent listing had 100% positive feedback.

When a victim views the fraudulent listing, he is immediately redirected to the fraudster's phishing site on btnet.info. Other than the domain name, this looks practically identical to the genuine eBay website, and also features the same username and feedback score from the compromised seller's account:

The victim is automatically redirected to this phishing site when he views the fraudulent listing on eBay. This site was reported to Netcraft and blocked.

The victim is automatically redirected to this phishing site when he views the fraudulent listing on eBay. This site was reported to Netcraft and blocked.

The significantly discounted "Buy it now" price of £6,300 would be extremely alluring to a prospective buyer, considering that the real thing sold for nearly £20,000 in a legitimate auction three months ago.

The redirection to the phishing site is carried out automatically as soon as the victim views the fraudulent listing on the eBay website. The item's description is copied from the legitimate listing we saw three months ago, but a malicious block of JavaScript has been added.

The malicious script appended to the description of the motorhome. Some of this has been blurred to prevent copycat attacks until eBay properly fixes the vulnerability.

The malicious script appended to the description of the motorhome. We have blurred the salient parts of this code to prevent copycat attacks until eBay properly fixes the vulnerability.

The malicious script has been specially constructed in order to bypass the cross-site scripting filters that eBay has implemented.

eBay disallows certain strings in the item description when a listing is created, but this week's attacks demonstrate that this security measure is insufficient.

eBay disallows certain strings in the item description when a listing is created, but this week's attacks demonstrate that this security measure is still insufficient.

When the external script is executed by the victim's browser, it redirects the victim to a URL redirection service, TinyURL, which in turn redirects him to the fraudster's phishing site.

The externally hosted JavaScript, which is executed by the fraudulent eBay listing. This site uses a .space domain that was registered on 6 February.

The externally hosted JavaScript, which is executed by the fraudulent eBay listing. This file is served from a .space domain that was registered on 6 February.

After the above JavaScript has redirected the victim to the phishing site, a server-side PHP script named php.php uses a random number generator to create a new PHP script, such as 54388632.php. The victim is then redirected to the newly-created script, which displays the fraudulent content. The randomly-named file is then deleted from the web server. If the victim were to notice that he was on a phishing site, it would be difficult to report it to anyone, as the URL in the victim's address bar would lead to a 404 Not Found error page on any subsequent visit.

The phishing site uses a domain name that was registered through Launchpad.com less than two weeks ago, and there is no content on the site's homepage. This indicates that the domain was probably registered specifically for use in these fraudulent eBay listings. Both this site btnet.info and the malicious JavaScript file on opengames.space are hosted by HostGator.

If the victim attempts to ask the seller a question, he will be taken to an enquiry form that is hosted on the fraudster's phishing site. Any questions asked here are sent directly to the fraudster.

Any questions asked about the item are sent directly to the fraudster.

Any questions asked about the item are sent directly to the fraudster.

If the victim tries to make a Best Offer for the vehicle, he is prompted to enter an email address. This address is later used by the fraudster to solicit payment directly from the victim, often via bank transfer.

After making an offer, the victim can soon expect to hear from the fraudster.

After making an offer, the victim can soon expect to hear from the fraudster.

This particular phishing attack demonstrates some interesting evolutions in the fraudsters' methodologies. Not only is it rather cleverly launched from the legitimate eBay site, and uses randomly-named files that are deleted to evade detection, but it also tries to avoid leaving any evidence in eBay's server logs: While all of the pictures used on the spoof auction page are stolen from the earlier legitimate auction, they are either encoded as inline Base64-encoded images, or are served from the fraudster's own website. This means that no Referer headers will be transmitted to eBay's web servers, which would otherwise give away the location of the phishing site.

This phishing attack is unusual in that it does not attempt to steal the victim's eBay password or any other account credentials. This subtlety could contribute to its effectiveness, as some victims might more readily identify a scam that does ask for a password.

The victim's offer and email address is all the fraudster needs in order to solicit payment. To instil further trust in the victim, these payment requests usually claim to use a third-party escrow service to accept the money. A genuine escrow service would release the money to the seller only if the customer receives the goods they paid for, but unsurprisingly, these eBay vehicle scams do not use a real escrow service. When the victim transfers his money to the specified account, it goes straight to the fraudster.

A fake escrow email from a fraudulent car seller. This one purportedly related to the sale of a Volkswagen T5 Transporter.

A fake escrow email from a fraudulent car seller. This one purportedly related to the sale of a Volkswagen T5 Transporter.

To discourage the victim from visiting their bank, who might warn him that it is a scam, the email adds: "You can pay using your online baking [sic], because it saves a considerable amount of time. Online Banking saves you the trouble of going to a bank and wasting your valuable time (payments can also be made on the weekends)."

Old habits die hard

Netcraft highlighted the risks posed by allowing JavaScript in eBay listings almost two years ago, when a series of similar attacks took place. eBay's only apparent protection against these attacks was a policy that we demonstrated can be easily ignored by fraudsters.

As eBay's latest fix is only a "partial" one, it suggests that eBay still might not have any intention of completely fixing these vulnerabilities. eBay previously explained that allowing active content in legitimate listings is worth the security risk, as the benefits outweigh the likelihood of being attacked.

A plea for help: This fraud victim claims to have been scammed on eBay after sending a bank transfer to pay for a caravan.

A plea for help: This fraud victim claims to have been scammed on eBay this week after sending a bank transfer to pay for a caravan.

These attacks have continued throughout the week. The following example was found earlier today – victims were redirected to this phishing site after viewing yet another specially crafted listing on the real eBay website.

CAPTION

Another eBay phishing site, which victims are automatically redirected to after viewing a specially crafted listing on the real eBay website.

It is likely that both examples have been orchestrated by the same fraudster, as both domain names were registered through the same company two weeks ago. However, today's example also attempts to steal the victim's eBay username and password when the victim clicks the Buy it now button.

The latest example also tries to steal the victim's eBay username and password.

The latest example also tries to steal the victim's eBay username and password.

The fraudster can use these stolen credentials to create additional fraudulent listings on his victims' own eBay accounts, which in turn can be used to steal more accounts and more money. This is a cycle of fraud that will be difficult to stop if eBay does not fully resolve this vulnerability.

AlphaBay darknet phishing attack impersonates .onion domain

Fraudsters operating on the AlphaBay darknet market are using phishing attacks to steal login credentials from other criminals. In this particular attack, the phishing site mimics the address of one of AlphaBay's Tor hidden services.

Dark Wars: A phishing site impersonating the AlphaBay Market

Dark Wars: A phishing site impersonating the AlphaBay Market

AlphaBay describes itself as a darknet market that specialises in all kinds of illegal goods, and so its users are reminded to access the site directly through the Tor anonymity network, rather than via a WWW to .onion gateway. However, this is not the only thing that users need to worry about: some of the criminals on AlphaBay also try to steal other users' credentials by sending messages to trick them into visiting phishing sites.

AlphaBay was originally founded by members of Russian carding forums, but the range of illegal goods being sold on the anonymous marketplace now includes drugs and weapons as well as credit card details. AlphaBay uses a .onion address which allows the website to run as a hidden service on the Tor network – this means that the physical location of the website remains anonymous, as well as the locations of Tor users who access it.

The genuine AlphaBay hidden service uses the address pwoah7foa6au2pul.onion. A hidden service's address is derived from the public key used to authenticate the connection, so it is difficult to convincingly impersonate the site without having access to the owner's key pair. However, the fraudster could easily have computed a partial match using tools such as scallion; for example, Netcraft generated the lookalike address pwoah7f5ivq74fmp.onion within minutes.

However, in the case of this phishing attack, the fraudster has simply created a lookalike domain on the public internet, using the address pwoah7foa6au2pul.me.pn.

The genuine AlphaBay Market login form, accessed via its .onion address on a Tor-enabled browser.

The genuine AlphaBay Market login form, accessed via its .onion address using the Tor Browser Bundle.

The address used by the phishing site will look familiar to regular users of the AlphaBay darknet market, but rather than pointing to an anonymous hidden service, it points to a phishing site hosted by AttractSoft GmbH in Germany.

The phishing site used in this attack was discovered on Thursday and is still operating at the time of writing. It mimics the genuine AlphaBay Market login page, and prompts the victim to enter his username and password. A client-side check forces the victim to also complete the security code CAPTCHA field, although the phishing site does not care whether the correct value was entered.

The stolen credentials are then submitted to a PHP script, which immediately redirects the victim to the genuine AlphaBay hidden service.

This phishing attack makes use of a me.pn domain, which was likely chosen because addresses under this domain can be registered for free, and the ".me.pn" string bears a (somewhat tenuous) similarity to the .onion TLD, at least in terms of its length.

Ironically, some of the services that can be bought and sold on the AlphaBay Market include spam sending services, "bank drops" (for receiving fraudulent bank transfers), account details, and other services useful to fraudsters engaged in phishing. This attack could therefore be viewed as yet another example of fraudsters defrauding fraudsters.

In a further show of there being no honour amongst thieves, the HTML source of the phishing site appears to have been copied from a previous lookalike site using the onion-market.co domain name. This domain name has since been repossessed by its registrar, GoDaddy, which is typical of domains that have been paid for with fraudulent funds or subjected to chargebacks.

The content of the phishing site was mirrored from another site that has since been suspended.

The content of the phishing site was mirrored from another site that has since been suspended.

AlphaBay has been operating since the end of 2014, when it helped fill the void left after the demise of Silk Road and Silk Road 2.0. It has since become one of the largest darknet markets, gaining wide publicity after it was used to sell compromised Uber accounts and data stolen from the TalkTalk breach in 2015.

Brazil Gov website serving up phish and malware… again

A Brazilian government website has been compromised for the third time in less than two months. Each compromise resulted in the site hosting fraudulent content that was used in phishing attacks. One of these attacks also attempted to install drive-by malware on victims' computers.

The first compromise took place in December, when the Prefeitura Municipal de Esperança website was used to host a phishing attack against Wells Fargo bank. The fraudulent content used in this first attack was subsequently removed, but the site was compromised again last week and used to host two more phishing attacks.

The first phishing attack hosted on prefeituradeesperanca.pb.gov.br, which targeted Wells Fargo customers in December 2015.

The second phishing attack, which kicked off last week, was aimed at PayPal customers. This was arguably the most dangerous attack: As well as stealing victims' PayPal credentials and bank details, the phishing kit used in this attack also attempted to inject drive-by malware via hidden iframes.

Fraudsters often use ready-made phishing kits when deploying phishing sites, as it generally makes the process quick and easy. Kits typically consist of a collection of lookalike web pages, scripts and images which simply have to be uploaded to the compromised web server to create a ready-to-go phishing site. In most cases, all the fraudster has to do is edit a simple configuration file to tell the phishing site which email address to send the stolen credentials to.

The PayPal phishing site, which also tried to deliver malware to its victims.

The PayPal phishing site, which also tried to deliver malware to its victims.

The third attack – which is currently still live – uses a phishing kit that is designed to steal webmail credentials. Many slight variations of this kit exist, but all display an error message regardless of the validity of the submitted credentials.

The latest attack attempts to steal webmail credentials.

The latest attack attempts to steal webmail credentials.

Unbeknownst to the victim, the stolen credentials are emailed to the fraudster who deployed the kit; but these webmail phishing kits also contain an additional surprise. The fraudster may not realise that the kit also sends a copy of these stolen credentials to another email address, which presumably belongs to the original author of the kit. This address has been sneakily embedded into the kit in such a way that its presence it unlikely to be spotted by the deploying fraudster.

Webmail credentials are a popular target for phishers, as they can be used to compromised further accounts held by each victim. For example, if the victim's email address has been used to sign up for other services, the attacker might be able to use password resets to gain unauthorised access to those services.

Repeatedly compromised

The .gov.br second-level domain used by the compromised website is reserved for government entities within Brazil, yet the content of the site is physically hosted by HostGator in Texas. It is not unusual for South American governments to host websites in external countries such as the U.S., especially when the sites do not store or process any sensitive data. The most obvious motivation in this case is that hosting costs in the U.S. are typically lower than those in Brazil.

The fact that the website has been repeatedly compromised suggests there is still a vulnerability that allows remote attackers to upload arbitrary content onto the web server. One possible route of compromise could be the "unsafe" version of WordPress being used on www.prefeituradeesperanca.pb.gov.br. The Prefeitura Municipal de Esperança website uses WordPress 4.0.9 as its content management system, and although this version was released only a week ago (to address a cross-site scripting vulnerability), only the latest release in the 4.4.x series is officially actively maintained. The WordPress website explicitly points out that anything older than the current latest release (4.4.1) is not safe to use.

Another potential risk could be the site's reliance on a shared hosting platform: More than 70 other websites are served from the same IP address as that used by www.prefeituradeesperanca.pb.gov.br. Vulnerabilities exposed by any of these non-government sites could potentially be used to attack the government site. Also, in general, any web server that has previously been compromised could have had a backdoor installed by the attacker, making it trivial to gain unauthorised access at a later time.

The PayPal phishing kit

PayPal is one of the most common phishing targets, with many distinct phishing kits making it easy for even novices to carry out these types of attack. Last month alone, Netcraft blocked more than 60,000 phishing URLs that were designed to steal PayPal credentials.

The PayPal phishing kit used in last week's attack featured a few tricks that made it stand out from a typical kit. Although it exhibits a few tell-tale spelling mistakes, the designer of the phishing kit has been very careful in other respects. For example, the initial login page actually consists of a large background image, with two input fields and a submit button overlaid. This means the textual content of the page does not need to be written in the HTML document, which could in turn reduce the likelihood of the attack being spotted and blocked by certain internet security software.

However, this trick does not work too well in all browsers – if you look closely, you can see that the text fields do not quite line up with the placeholders in the background image:

Misaligned login form, with "Payement" spelling mistake.

Misaligned login form, with "Payement" spelling mistake.

The fact that the spelling mistakes are contained within images, rather than within an easily editable HTML document, could explain why subsequent users of this phishing kit have not corrected them.

Spelling mistakes aside, the developer has also implemented validation checks to prevent the login form being submitted with an invalid email address:

email-validation

After stealing the victim's PayPal credentials, the phishing site takes the user through a three-stage "update" process. The first stage collates the victim's full address and date of birth, while the second gathers his payment card details, and the final stage steals his bank account numbers.

Each stage of the phishing attack validates the information entered by the victim.

Each stage of the phishing attack validates the information entered by the victim.

Each page validates the victim's input, and like the spoof login page, they also use background images in an attempt to evade detection.

But the nastiest feature is that each page in the phishing kit contains a set of hidden iframes that attempt to silently install malware on the victim's computer. This is a relatively unusual feature for a phishing kit, and was possibly included to the benefit of the phishing kit's author, rather than to the subordinate fraudsters who deploy it.

The PayPal attack also attempted to inject drive-by malware via iframes. This component of the attack did not work, as the domain used for the malware delivery has been sinkholed.

The PayPal attack also attempted to inject drive-by malware via iframes.

However, the malware component of the attack does not work, as the domain used for the malware delivery has been sinkholed. If it had not already been sinkholed and was still serving drive-by malware, any victim visiting the phishing site could have had his computer compromised as soon as the login page was viewed. If the victim was cautious enough to not submit the login form, the malware might still have allowed the attacker to steal the victim's credentials in other ways, or allow for other monetization opportunities, such as making the victim's computer part of a botnet.

After the victim has submitted his bank account details, the PayPal phishing site indicates that the account has been successfully updated, and redirects the victim to the genuine PayPal login page. Being prompted to enter a username and password a second time could ring alarm bells, as the victim has, ostensibly, already logged in. The phishing site explains away this concern by saying the user must re-login to save the changes.

paypal-relogin

All three of these phishing attacks were added to Netcraft's Phishing Site Feed. This feed is used by all major web browsers and many leading anti-virus and content-filtering companies, so most users are already protected against the latest webmail phishing attack. The fraudulent content used in the first two attacks has been removed from the Prefeitura Municipal de Esperança website.

US military still SHAckled to outdated DoD PKI infrastructure

Despite widespread concerns over the security of the SHA-1 hash algorithm, the US Department of Defense is still issuing SHA-1 signed certificates, and using them to secure connections to .mil websites.

The US DoD issued a SHA-1 signed certificate to necportal.riley.army.mil on 4 January 2016

The US DoD issued a SHA-1 signed certificate to necportal.riley.army.mil on 4 January 2016

Since 1 January 2016, the CA/Browser Forum's Baseline Requirements [pdf] have banned the issuance of new SHA-1 certificates. Publicly-trusted certificate authorities are expected to comply with these Baseline Requirements in order to remain trusted by browsers and operating systems.

However, the US DoD is not a publicly-trusted certificate authority per se, and therefore it does not have to abide by the CA/Browser Forum's rules. With the exception of Apple platforms, most browser software does not include the DoD's root certificates by default. This means any secure site that uses a certificate issued by the DoD is unlikely to be trusted by a browser running on Windows or Linux, unless the user has explicitly installed the DoD's root certificates.

Even though the DoD does not have to abide by the CA/Browser Forum's rules, it is arguably a bad idea not to: The SHA-1 algorithm is now thought to be sufficiently weak that a well-funded attacker might be able to find a SHA-1 hash collision and hence impersonate any HTTPS website. It is also particularly surprising to see the DoD still using SHA-1 today when the US National Institute of Standards and Technology banned its use more than two years ago. Since NIST made this decision, the cost projections of finding a SHA-1 hash collision have reduced significantly.

On 4 January 2016, the DoD issued a SHA-1 certificate to necportal.riley.army.mil [site report], which is a SharePoint portal hosted by the United States Army Information Systems Command. It can be accessed remotely by Common Access Card (CAC) holders. The certificate is marked as being valid until 8 September 2017.

The DoD is America's largest government agency, and is tasked with protecting the security of its country, which makes its continued reliance on SHA-1 particularly remarkable. Besides the well known security implications, this reliance could already prove problematic amongst the DoD's millions of employees. For instance, Mozilla Firefox 43 began rejecting all new SHA-1 certificates issued since 1 January 2016. When it encountered one of these certificates, the browser displayed an Untrusted Connection error, although this could be overridden. If DoD employees become accustomed to ignoring such errors, it could become much easier to carry out man-in-the-middle attacks against them.

However, the latest version of Firefox no longer rejects SHA-1 certificates issued after 1 January 2016. This change was made to cater for users of certain man-in-the-middle products, which generate freshly issued certificates on the fly. Consequently, users of Firefox 43.0.4 who have installed the appropriate DoD root certificates will currently not receive any errors, or even warnings, when browsing to the site:

firefox-necportal

Google intends to block all SHA-1 certificates issued from 1 January 2016 with the release of Chrome 48. In the meantime, Chrome 47 affirmatively distrusts the SHA-1 certificate used by necportal.riley.army.mil because it does not expire until 2017.

Chrome regards the certificate as affirmatively insecure, even when the appropriate DoD root certificates are installed.

Chrome regards the certificate as affirmatively insecure, even when the appropriate DoD root certificates are installed.

Firefox will ultimately distrust all SHA-1 certificates by 2017, regardless of when they were issued, but Mozilla considered advancing this deadline to as early as 1 July 2016 when the new cost projections were realised.

More than 650,000 SSL certificates in use on the web are still using SHA-1, but this count has been rapidly falling since 2014. Nearly all of these certificates are due to expire by the end of 2016, in accordance with the Baseline Requirements; however, with most browser vendors contemplating an accelerated deprecation timeline, it is likely that many of these certificates will be replaced before the middle of the year.

With the US DoD PKI infrastructure seemingly still reliant on SHA-1, by the end of 2017, the DoD could account for a significant proportion of all SHA-1 certificates that are intended to be used by modern browsers.

BBC websites back to normal, DDoS mitigation reverted

The BBC's websites are now back to normal, four days after being taken down by an effective DDoS attack on New Year's Eve.

The BBC mitigated the attack within a few hours by moving its main website onto the Akamai content delivery network, which restored access to its millions of users. However, during this mitigation period, some of the BBC's other websites – which were still hosted at the BBC – remained mostly unreachable.

The BBC's DDoS mitigation was only temporary, and last night it moved its main website off Akamai, back onto a netblock owned by the BBC. This move resulted in another short outage on 4th January, followed by several hours of slightly slower response times within the UK. By the 5th January, the response times had settled down to be almost comparable with when it was using Akamai.

The main BBC website experienced another short outage last night as it moved off the Akamai CDN.

The main BBC website experienced another short outage last night as it moved off the Akamai CDN.

However, as expected, response times from other countries are no longer as fast as they were when the BBC's main website was hosted on the Akamai CDN. Response times from the US are notably slower, but currently no worse than they were before the DDoS attacks on New Year's Eve.

Response times from the US are now much slower again (although international visitors would typically visit bbc.com rather than bbc.co.uk).

Response times from the US are now much slower again (although international visitors would typically visit bbc.com rather than bbc.co.uk).

During the period in which the BBC's main website was hosted on the Akamai CDN, its legacy News website at news.bbc.co.uk remained hosted at the BBC. This was mostly unavailable during this period, with most client connection attempts being reset.

news.bbc.co.uk is now functioning normally, too.

news.bbc.co.uk is now functioning normally, too.

This site's availability was restored to normal at the same time that the main BBC website moved off Akamai. This suggests that the connection resets were a deliberate attempt to mitigate basic DDoS attacks, rather than as a direct side effect of a sustained DDoS attack. However, this approach was not ideal – while some browsers (such as Chrome) would automatically retry the connection attempt (often successfully), other browsers would give up at the first failure.