
iPhone – Phishing Vulnerabilities

I am not going to rush to the store to get the iPhone. My Nokia E62 does not come close in coolness factor, but at least it does email pretty well . . . except, of course, that if a message contains a link, the Nokia browser will not open it when I click on the embedded link. That used to annoy me, but consider the same functionality on the iPhone.

John Leyden writes for TheRegister.com on the iPhone’s shortcomings with respect to phishing attacks:

• The iPhone’s email client only displays the first few characters of a weblink, which makes it easier to hide a fraudulent URL at the end of a link without arousing suspicion.
• The mechanism the iPhone uses to link between web browser and telephone functions also makes it easier to embed scam telephone numbers within sites, which a user may be prompted to dial.
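The first of Leyden’s points, a client that shows only the first few characters of a link, is easy to model. The following is an added example (not code from the article or from Apple): it contrasts a truncated preview with one that renders the real hostname first, and flags links that mention a trusted domain somewhere in the URL while actually resolving to a different host. The sample links and the `example-bank.test` / `.invalid` hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample links; every hostname here is a placeholder, not a real site.
TRUSTED_HOSTS = {"example-bank.test"}
SAMPLE_LINKS = [
    "https://login.example-bank.test/account/overview",
    # trusted name used as a leading subdomain of an unrelated host
    "https://www.example-bank.test.security-review.invalid/update/session/verify",
    # trusted name buried in the path of an unrelated host
    "https://cdn.static-assets.invalid/www.example-bank.test/login/index.html",
]


def truncated_preview(url: str, width: int = 24) -> str:
    """Mimic a client that only shows the first few characters of a link."""
    return url if len(url) <= width else url[:width] + "..."


def real_host(url: str) -> str:
    """Return the host a browser will actually connect to (lowercased, no port)."""
    return (urlsplit(url).hostname or "").lower()


def host_is_trusted(host: str, trusted: set[str]) -> bool:
    """True when host is a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def safe_preview(url: str) -> str:
    """Render the real host first so truncation cannot push it out of view."""
    return f"[{real_host(url)}] {url}"


def looks_like_spoof(url: str, trusted: set[str]) -> bool:
    """Flag a link that mentions a trusted domain but resolves elsewhere."""
    host = real_host(url)
    if host_is_trusted(host, trusted):
        return False
    lowered = url.lower()
    return any(t in lowered for t in trusted)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print("truncated :", truncated_preview(link))
        print("safe      :", safe_preview(link))
        print("suspicious:", looks_like_spoof(link, TRUSTED_HOSTS))
        print()
```

In the truncated form the second and third links both begin with what looks like the bank’s name; in the host-first form the unrelated `.invalid` host is the first thing on screen, which is the property a mail client’s link preview should have.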

Other researchers found a number of additional vulnerabilities which could uncover passwords hiding in Apple software.

SiteKey Login

“In early June, the RSA Anti Fraud Command Center (AFCC) discovered a new type of phishing kit. The kit is actually a single file which creates an entire phishing site on a compromised server when “double-clicked” on, similar to “.exe” installation files. The kit was discovered through phishing forensics work by the AFCC forensics lab.

The “kit” is a single PHP code file, which is run on the compromised server once, and automatically creates the relevant directories and installs all of the files which are associated with the specific phishing site. Within seconds after running the file, a complete phishing site is “live”. During testing of the kit in the RSA phishing lab, a phishing site was installed within approximately two seconds.”

For further information: RSA June 2007 Report.

“Google has removed paid links that advertised seemingly legitimate Web sites but actually tried to install nefarious programs on PCs.

The links were displayed as “sponsored links” after visitors entered specific queries into Google’s search service. Clicking the links would ultimately go to a legitimate site, but by way of another site that attempted a “drive-by installation” of password-stealing software. Miscreants placed the links using Google’s AdWords service for advertisers.”

(Full article here)

Phishers have started to use a new technique – routing a person’s incoming phone calls to a number controlled by the attackers (full article here).

“Victims are told to confirm their phone number with their bank by dialing *72 followed by a series of numbers. In the US, the sequence will cause most phones to forward all incoming calls. Once completed, the victim hears a message saying the confirmation has been successful.

The call-forwarding ruse is included in a more traditional phishing email that attempts to dupe victims into divulging credit card information and personal identification details. Successful phishing attempts allow the attackers to use the victim’s credit card, then provide the victim’s identification credentials in the event a banking representative calls to confirm the transaction.”

ABN Amro was just hit with a phishing attack similar to the one at Citibank in July of 2006. The Register (full article here) reports:

“Hackers sent the customers emails falsely claiming to be from ABN Amro. If recipients opened an attachment, software was installed on their machines without their knowledge. When customers visited their banking site, the software redirected them to a hacker-controlled mock site that requested their security details.

As soon as the hackers received these details they were able to log into a customer’s account at the real ABN Amro site, before the expiry of the fob-generated number. They could then transfer the customer’s money.

Security experts have warned that such “man in the middle” attacks cannot be prevented by security tokens.”
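The reason a one-time code from a fob does not stop the attack above is that the code proves only that the customer holds the token; it says nothing about which transaction is being approved, so a code typed into the mock site is just as valid when the relay forwards it to the real site. The following added example (not code from ABN Amro, RSA or The Register) models both designs with a small bank simulator: a plain event-based OTP, and a code bound to the payee and amount the customer is shown. The seed, payee names and amounts are constructed, and the transaction-code message layout is an illustrative design, not any vendor’s protocol.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real token's seed is provisioned per device.
TOKEN_SEED = bytes.fromhex("3132333435363738393031323334353637383930")


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 style dynamic truncation of an HMAC into a decimal code."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def event_otp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Plain fob code: depends only on the seed and the event counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(seed: bytes, counter: int, payee: str,
                     amount_cents: int, digits: int = 8) -> str:
    """Code bound to the payment details the customer sees and types in.
    (Illustrative message layout: counter || payee || NUL || amount.)"""
    msg = (struct.pack(">Q", counter) + payee.encode("utf-8") + b"\x00"
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


class Bank:
    """Server side: recomputes the expected code from the request it receives."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.counter = 0

    def approve_with_otp(self, payee: str, amount_cents: int, code: str) -> bool:
        expected = event_otp(self.seed, self.counter)
        ok = hmac.compare_digest(expected, code)
        if ok:
            self.counter += 1
        return ok

    def approve_with_transaction_code(self, payee: str, amount_cents: int,
                                      code: str) -> bool:
        # The server binds the check to the payee/amount actually submitted.
        expected = transaction_code(self.seed, self.counter, payee, amount_cents)
        ok = hmac.compare_digest(expected, code)
        if ok:
            self.counter += 1
        return ok


def relay_scenario(bind_to_transaction: bool) -> bool:
    """The customer approves a genuine payment on the mock site; the relay
    forwards the code to the real bank with a different payee and amount.
    Returns whether the bank accepted the altered request."""
    bank = Bank(TOKEN_SEED)
    shown_payee, shown_amount = "ACME Utilities", 4500      # what the customer approves
    altered_payee, altered_amount = "Mule Account 7", 250000  # what the relay submits
    if bind_to_transaction:
        code = transaction_code(TOKEN_SEED, bank.counter, shown_payee, shown_amount)
        return bank.approve_with_transaction_code(altered_payee, altered_amount, code)
    code = event_otp(TOKEN_SEED, bank.counter)
    return bank.approve_with_otp(altered_payee, altered_amount, code)


def honest_scenario() -> bool:
    """Same customer, no relay: the bound code must still be accepted."""
    bank = Bank(TOKEN_SEED)
    code = transaction_code(TOKEN_SEED, bank.counter, "ACME Utilities", 4500)
    return bank.approve_with_transaction_code("ACME Utilities", 4500, code)


if __name__ == "__main__":
    print("plain OTP, relayed to altered payment  :", relay_scenario(False))
    print("bound code, relayed to altered payment :", relay_scenario(True))
    print("bound code, genuine payment            :", honest_scenario())
```

The binding only helps if the device itself displays the payee and amount that go into the code; if the customer reads those values off the (possibly fake) web page, the relay can simply show its own values.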

Barclays bank seems to think that if chip-and-pin is good enough for retail business, it’s good enough for online business. They are sending Pinsentry machines to 500,000 customers: devices that look like calculators, read chip-and-pin cards, and generate one-time passwords (OTPs). (Full article here)

So, here is the current multi-layered approach at Barclays:

• Debit card (2nd factor)
• PIN (1st factor)
• Pinsentry device (another 2nd factor)
• 8-digit one-time password generated by the device

Is this really a good design? The logistical support for this kind of system must be insane. How much does it cost to manage this operation? How long will the batteries last in those readers? Can I have one for my home and one for my office?

Besides, haven’t those guys heard of the Citibank phishing attack on their 2nd factor? Just look at this article in the Washington Post blog.

Last year Bruce Schneier commented on Shell suspending Chip & Pin payments at its gas stations after losing £1m when fraudsters inserted small devices into the readers that copied the cards’ magnetic stripes and recorded customers’ PINs. There is also another article on hacking Chip & Pin here.

So, Chip & Pin is not safe, and hardware OTP systems are also vulnerable and costly. Why keep implementing them? Marketing, perhaps? I am sure lots of people will feel better having a bigger authentication device in their hands . . . size matters ;) . Isn’t that the same point the MIT/Harvard study made about the BofA implementation: “Sometimes the appearance of security is more important than security itself.”

The players of World of Warcraft now have to fear a different kind of threat – still in the virtual world, yet one that has real-world consequences. Hackers are exploiting the animated cursor flaw (in how Windows handles animated cursors) to steal login credentials for WoW player accounts. “Malicious software showed that it lay dormant on a victim’s machine until they ran World of Warcraft (WoW), at which point it captured login data and sent it to the hacking group.”

In terms of real cash value of these hijacked accounts: “Research … suggests that the raw value of a WoW account is now higher than a credit card and its associated verification data. One card can be sold for up to $6 (£3), but a WoW account will be worth at least $10. An account that has several high level characters associated with it could be worth far more as the gold and rare items can be sold for real cash.”

Full article here

Here is a different type of phishing scam, aimed at getting people to visit a website: “an attacker sends e-mails to managers seeking job applicants, asking them in a cover letter to visit a website to view a resume provided via a link. If a manager clicks on the link, the website then tries to execute a backdoor Trojan to compromise the machine”. The full article can be accessed here.

A little girl managed to enter the House of Commons at the British Parliament and attach a keylogging device to a Member of Parliament’s computer. It took only 15 seconds, and no one noticed. In a world where everyone is focused on screening for guns and explosives, a little $100 device could have created a security breach of astronomical proportions. Read the full article here.

Attackers could exploit a new flaw in Internet Explorer 7 (IE 7) to launch phishing expeditions, Israeli vulnerability researcher Aviv Raff warned in a posting on his blog Wednesday. Microsoft said it is investigating his findings. (full article).

“In his blog, Raff said an attacker can create a specially crafted navcancl.htm local resource link with a script that will display [the] fake content of a trusted site, such as a bank, Paypal or MySpace URL. When the victim opens the link sent by the attacker, a “Navigation Canceled” page will be displayed and the victim will think there was a site error and try to refresh the page.

“Once he will click on the ‘Refresh the page’ link, the attacker’s provided content will be displayed and the victim will think that he’s within the trusted site, because the address bar shows the trusted site’s URL,” Raff added in his blog.”