Hackers have hijacked a large number of sites at web hosting firm HostGator and are seeking to plant trojans on computers of unwitting visitors to customer sites. HostGator customers report that attackers are redirecting their sites to outside web pages that use the unpatched VML exploit in Internet Explorer to install trojans on computers of users. Site owners said iframe code inserted into their web pages was redirecting users to the malware-laden pages.
UPDATE: HostGator says its servers were attacked through a previously unknown security hole in cPanel. See our update for the latest details.
HostGator general manager Jason Muni told Security Fix that attackers had "reconfigured an unknown number of Web sites hosted on the company's servers to redirect visitors to a third-party Web site that tried to load the IE exploit." Muni said the company reconfigured all of its 200 servers to address the problem. But as of 5:30 pm EST Friday, some HostGator customers were continuing to report that their sites were compromised and redirecting visitors, indicating the problems were ongoing.
Who should bear the cost of phishing losses: the bank or the customer? That question is at the heart of a recent dispute between the Bank of Ireland and a group of customers that fell victim to a phishing scam that drained 160,000 Euros ($202,000) from their accounts. The bank initially refused to cover the losses, but has since changed its mind and credited the accounts of nine victims, who had threatened to sue to recover their funds.
The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to profilerate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases.
The issue of responsibility has been most prominent in the UK. In late 2004, the UK trade association for banks, known as APACs, began warning that financial institutions may stop covering losses from customers who have ignored safety warnings. That stance is reflected in the group's statement on customer protection.
Security researchers have demonstrated a way to forge digital signatures that can fool the OpenSSL software used in many secure web servers and virtual private networks (VPN). The OpenSSL Project has issued patches to address the weakness, and is urging users to upgrade or install the patches.
The signature forgery technique was first demonstrated by Daniel Bleichenbacher, a cryptographer at Bell Labs, at the CRYPTO 2006 conference last month. While the forgery only works on specific keys (known as PKCS #1 v1.), these keys are used by some certificate authorities in SSL server certificates.
By the 1st September, Netcraft has received, reviewed and blocked more than 150,000 unique URLs reported to us as phishing sites.
In recent reviews Ziff-Davis comments
"In testing on live phishing sites, IE 7 RC1 failed to identify as many
phishing sites as Netcraft's free IE toolbar. "
while the Washington Post remarked
"I've visited countless phishing sites in the past few months, and
Netcraft's toolbar has done its job almost unfailingly."
To show our appreciation, Netcraft will send a top of the range iPod [or item of equivalent value for anyone who has already received a "Thanks for all the Phish" commemorative iPod from Netcraft] to the five people who have the largest number of phishing reports accepted during September.
To track the progress, we have created a leaderboard displaying the people with the largest number of accepted reports so far in September, identified by their first names to preserve their anonymity.
The Netcraft Toolbar, which is available for both Internet Explorer and Firefox, serves as a giant neighborhood watch scheme for the Internet: members who encounter a phishing fraud can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL and widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.
The cross-site scripting (XSS) vulnerability, which was harnessed by fraudsters to execute a convincing phishing attack against PayPal users, may have been exploitable for two years previously.
Despite the prompt action taken by PayPal to address the security flaw after it was reported by Netcraft last month, it became apparent that the very same flaw had been discovered and documented two years earlier. The page - cached by the Wayback Machine - describes a cross site scripting attack that affected donation pages for suspended users, and is the exact method exploited by the phishing attack in June 2006.
Chris Marlow tried to warn PayPal about the flaw in June 2004, but claims the PayPal representative he spoke to did not understand what cross-site scripting was, and - due to company policy - was unable to provide an email address to allow a proof-of-concept exploit to be demonstrated. Frustrated at being unable to convey the seriousness of the issue, Mr Marlow then posted details about the exploit to his web site but did not receive any response from PayPal.
PayPal fixed the flaw after reports of the phishing attack were published by Netcraft. A PayPal company spokesman initially said that they did not know how many people had fallen victim to the scam, although as the fraud was committed using PayPal's own web site, analysis of log files, if available, would have allowed PayPal to identify users at risk and take appropriate action.
Netcraft offers a Web Application Security Testing service, which can discover a number of security flaws, including cross-site scripting vulnerabilities like these.
An ongoing phishing attack against Citibank is using man-in-the-middle tactics against two-factor authentication to gain access to online banking accounts.
The second authentication factor used by Citibank is provided by a security token – a physical item possessed by an account holder – which generates a one-time password that remains valid for approximately one minute. One-time passwords are useless to an attacker if they are captured via keylogging trojans, as they will not work immediately after the victim has used them, nor will the attacker be able to gain access to the victim's account at a later date.
However, by tricking a victim into entering these items of data into a form, the attacker's site can automatically relay the authentication credentials to the real Citibank site instantly. Effectively, this allows the attacker to successfully log in on behalf of the victim.
Guidance issued by the Federal Financial Institutions Examination Council (FFIEC) has called for banks to provide additional protection for high-risk transactions, such as those that involve moving funds or accessing sensitive customer information, but it is now clear that fraudsters are already making efforts to bypass the protection features being added by banks.
The Netcraft Toolbar community has to date reported 35 sites that have used this method to attack Citibank customers. All of the reported sites have used Russian country-code top level domains (.ru), although the hosting location varies from site to site.
Netcraft offers a comprehensive range of phishing protection services, including Phishing, Identity Theft and Bank Fraud Detection, and a Phishing Site Feed, which offers realtime protection against new phishing attacks as soon as they are reported. Netcraft's Phishing Site Countermeasures service can be used to 'take down' fraudulent sites that are actively engaged in phishing attacks.