OpenSSL Vulnerable to Forged Signatures

Security researchers have demonstrated a way to forge digital signatures that can fool the OpenSSL software used in many secure web servers and virtual private networks (VPN). The OpenSSL Project has issued patches to address the weakness, and is urging users to upgrade or install the patches.

The signature forgery technique was first demonstrated by Daniel Bleichenbacher, a cryptographer at Bell Labs, at the CRYPTO 2006 conference last month. While the forgery only works on specific keys (known as PKCS #1 v1.), these keys are used by some certificate authorities in SSL server certificates.

Continue reading

Who can block the largest number of phishing sites in September?

By the 1st September, Netcraft has received, reviewed and blocked more than 150,000 unique URLs reported to us as phishing sites.

In recent reviews Ziff-Davis comments "In testing on live phishing sites, IE 7 RC1 failed to identify as many phishing sites as Netcraft's free IE toolbar. " while the Washington Post remarked "I've visited countless phishing sites in the past few months, and Netcraft's toolbar has done its job almost unfailingly."

To show our appreciation, Netcraft will send a top of the range iPod [or item of equivalent value for anyone who has already received a "Thanks for all the Phish" commemorative iPod from Netcraft] to the five people who have the largest number of phishing reports accepted during September.

To track the progress, we have created a leaderboard displaying the people with the largest number of accepted reports so far in September, identified by their first names to preserve their anonymity.

The Netcraft Toolbar, which is available for both Internet Explorer and Firefox, serves as a giant neighborhood watch scheme for the Internet: members who encounter a phishing fraud can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL and widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.

Continue reading

PayPal XSS Exploit available for two years?

The cross-site scripting (XSS) vulnerability, which was harnessed by fraudsters to execute a convincing phishing attack against PayPal users, may have been exploitable for two years previously.


Despite the prompt action taken by PayPal to address the security flaw after it was reported by Netcraft last month, it became apparent that the very same flaw had been discovered and documented two years earlier. The page - cached by the Wayback Machine - describes a cross site scripting attack that affected donation pages for suspended users, and is the exact method exploited by the phishing attack in June 2006.

Chris Marlow tried to warn PayPal about the flaw in June 2004, but claims the PayPal representative he spoke to did not understand what cross-site scripting was, and - due to company policy - was unable to provide an email address to allow a proof-of-concept exploit to be demonstrated. Frustrated at being unable to convey the seriousness of the issue, Mr Marlow then posted details about the exploit to his web site but did not receive any response from PayPal.

PayPal fixed the flaw after reports of the phishing attack were published by Netcraft. A PayPal company spokesman initially said that they did not know how many people had fallen victim to the scam, although as the fraud was committed using PayPal's own web site, analysis of log files, if available, would have allowed PayPal to identify users at risk and take appropriate action.


Netcraft offers a Web Application Security Testing service, which can discover a number of security flaws, including cross-site scripting vulnerabilities like these.

Fraudsters Attack Two-Factor Authentication

An ongoing phishing attack against Citibank is using man-in-the-middle tactics against two-factor authentication to gain access to online banking accounts.

The second authentication factor used by Citibank is provided by a security token – a physical item possessed by an account holder – which generates a one-time password that remains valid for approximately one minute. One-time passwords are useless to an attacker if they are captured via keylogging trojans, as they will not work immediately after the victim has used them, nor will the attacker be able to gain access to the victim's account at a later date.

However, by tricking a victim into entering these items of data into a form, the attacker's site can automatically relay the authentication credentials to the real Citibank site instantly. Effectively, this allows the attacker to successfully log in on behalf of the victim.


Guidance issued by the Federal Financial Institutions Examination Council (FFIEC) has called for banks to provide additional protection for high-risk transactions, such as those that involve moving funds or accessing sensitive customer information, but it is now clear that fraudsters are already making efforts to bypass the protection features being added by banks.

The Netcraft Toolbar community has to date reported 35 sites that have used this method to attack Citibank customers. All of the reported sites have used Russian country-code top level domains (.ru), although the hosting location varies from site to site.

Netcraft offers a comprehensive range of phishing protection services, including Phishing, Identity Theft and Bank Fraud Detection, and a Phishing Site Feed, which offers realtime protection against new phishing attacks as soon as they are reported. Netcraft's Phishing Site Countermeasures service can be used to 'take down' fraudulent sites that are actively engaged in phishing attacks.

SQL Injection Weaknesses Found in Mambo, Joomla

Potentially serious security flaws have been found in existing versions of the Mambo and Joomla content management systems, and developers of the two projects are advising users to install upgrades or security patches as soon as possible. Both programs are vulnerable to SQL injection attacks, which allow remote attackers to execute commands on the web server in by typing SQL code into form fields. Joomla is a fork of Mambo, with both programs derived from the same code base.

Mambo and Joomla are open source projects which use the PHP scripting language and MySQL database. These applications are popular with web site owners because they are powerful, user-friendly, and can be installed by users with little or no PHP coding experience. They are also frequently targeted by Internet criminals seeking to crack web servers for use in botnets, phishing scams and distributed denial of service (DDoS) attacks. The Internet Storm Center said it is receiving reports that older versions of Mambo are being actively targeted and exploited using unpatched vulnerabilities.

Continue reading

PayPal Security Flaw allows Identity Theft

A security flaw in the PayPal web site is being actively exploited by fraudsters to steal credit card numbers and other personal information belonging to PayPal users. The issue was reported to Netcraft today via our anti-phishing toolbar.

The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique (XSS).

The genuine PayPal SSL certificate used by the scam

When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site – and why would he expect PayPal to redirect him to a fraudulent web site?

Fraudsters manipulating content on genuine PayPal site

If the victim logs in via the fake login page, their PayPal username and password is transmitted to the fraudsters and they are subsequently presented with another page which requests them to enter further details to remove limits on the access of their account. Information requested includes social security number, credit card number, expiration date, card verification number and ATM PIN.

The server currently running the scam is hosted in Korea and is accessed via a hex-encoded IP address. The Netcraft Toolbar already protects PayPal users by blocking access to this site.

UPDATE: Paypal has now addressed this vulnerability. A company spokesman said Paypal is working with the Internet service provider that hosts the malicious site to get it shut down, and does not yet know how many people may have fallen victim to the scam.

Netcraft's Web Application Security Testing service can identify similar cross-site scripting flaws on your organization's web servers. Please contact us for further information.