Slashdot Mirror


Next Gen Phishing Improves on Simple Spam

An anonymous reader writes "ZDNet has a writeup about the next generation of phishing. According to the article, as anti-spam engines improve and user education levels increase, phishers will find it easier to hack into web servers and deliver password stealing trojans using browser vulnerabilities or Web 2.0 technologies than spam. Tom Chan from Messagelabs is quoted: 'They are trying to compromise poorly protected Web sites — they basically go in and enter their own code into that Web server,' said Chan, who explained that victims of this new phishing era would not have to do anything wrong in order to get hooked. 'You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.'"

7 of 112 comments

  1. Who hires these experts? by 3.5+stripes · · Score: 3, Informative

    Their qualifications for describing new types of attacks (which are actually age old) seem pretty phishy. Hell, they could have called it a server side trojan. I can do a better job than them, and I'm some guy wasting my time browsing Slashdot.

    --
    He tried to kill me with a forklift!
  2. Interesting theory but.... by Ash+Vince · · Score: 4, Informative

    The first thing to take into account is that this article seemed to be written by a "security expert" who skimped on a few key details.

    The first is that no web site should ever be able to execute code on your PC without your express permission. If it can then the browser being used to access that site needs fixing.

    Now there will still be cases where the user has to give permission to execute code locally in order for the site to work properly but these should be very very rare. Most code that is executed such as ActiveX or Javascript should be executed in a sandbox environment where no access is given to local PC resources. If a local resource is needed it should be asked for specifically and then accepted or denied permission by the user.

    What does need to happen is that users need to be educated into a state of mind where they deny everything and then only go back to accept permission to access a local resource if something doesn't work properly and it makes sense for the web site to be accessing the resource in question. For instance, if a web site wants access to my /etc/passwd or /etc/shadow file under Linux (poor examples as they are locked while Linux is running) I would deny it.

    These problems all seem to stem from most PC users being lazy and not wanting to know these things. What they want is to have everything complicated hidden from them and everything to "just work". This might be possible with a pencil or other simple device but with things as complicated as PCs or motor vehicles it will not. Ever.

    I really think that for people to expect to use a machine as complicated as a PC, they must understand the basics of how to operate it safely. This is no different to expecting drivers to undertake a test of competence. Without a driving licence I am not able to drive on the road although I can drive round my own back yard to my heart's content. Using a computer should ideally be the same where users are forced to undertake a basic competency exam before they can allow their computer to interact with the web.

    Until this happens you will always have users who allow their PC to be hijacked by malicious software and then carry on using it without calling for help. This is no different to forcing drivers not to drive with faulty brakes or severely worn tires.

    Now how you would enforce this is a little complicated but it must still be possible with legislation. This is no different to a car salesman wanting to see a driving licence and proof of insurance before I buy a car. He wouldn't do that by choice (He would probably much rather make a sale regardless) but can be forced to by law.

    --
    I don't read /. to RTFA, I read /. to offend people in ignorance.
  3. What the article lacked...an example by jnaujok · · Score: 5, Informative

    For everyone screaming "If you hack the server..."

    I've already seen this "next generation phishing" method used. I was on e-bay looking for a piece of autographed memorabilia. I noticed one auction and clicked on it. The E-Bay login screen popped up. I was about half-way through typing my password when it suddenly occurred to me, "Wait a second, why do I have to enter my account to view an auction."

    Careful review showed me that opening the auction had triggered some embedded javascript that opened a frame within the e-bay window that covered the whole base page, but presented a spoof of the e-bay login screen. The title bar still read as a legitimate e-bay address, the screen was a perfect dupe of the e-bay login screen. In short, it looked totally legitimate.

    Now, they didn't have to hack e-bay's servers, nor did they have direct access to anything on e-bay's site. All they had to do was embed some javascript into an otherwise "secure" site.

    I think that's what this article is talking about.

    Oh, and I was running firefox with a javascript blocker, but since I've allowed scripts on e-bay (you can't even view most of the auctions without it) it happily ran the phishing script without even a warning.

    --
    Life, the Universe, and Everything... in my image.
  4. protection by Machtyn · · Score: 1, Informative

    If you don't already know, use a credit card company that allows you to set up a virtual credit card number. The idea is that it is a number that is used only once. Therefore, if that number gets stolen, it is still useless, you've already used it once. (I could be wrong, but this is the general idea, a use once or low credit amount or an expiration date that ends in a month type of credit card number.)

  5. Re:Inaccurate Term? by zero1101 · · Score: 2, Informative

    You missed the point of TFA. The point is that attackers are using compromised web hosts as a delivery device for the standard malware, not that they are stealing user information for any particular site. The bad guys are counting on the fact that you, as an internet-savvy web surfer, "know" that files coming from www.trustedsite.com are safe.

  6. This is ancient news by miller60 · · Score: 3, Informative

    Phishing crews have been targeting web site vulnerabilities to deploy spoof sites for several years. In its year-end 2005 Phishing by the Numbers report, Netcraft noted that more than 600 phishing spoof sites were hosted on compromised forums and content management systems in 2005. In January hackers increased their targeting of PHP-based CMS and blogging apps, and were able to distribute the Windows WMF malware through a customer support forum on AMD's web site. There's nothing cutting edge at all about this.

  7. Re:Isn't that XSS?? by egypt_jimbob · · Score: 2, Informative

    would you happen to know of any other types of attack that XSS might enable?

    How about the myspace worm?

    Cross site scripting is really great for simple session hijacking. PHP stores a cookie called PHPSESSID by default with your unique session identifier. All of the important bits of your session (username, password, whatever else they're storing) are stored on the server. If someone can guess (very difficult) or steal (with XSS very easy) that identifier, they can impersonate you and have access to whatever information that entails on the vulnerable website. If it's phpBB, they can elevate privileges to become a moderator/admin. If it's Amazon they can see your credit card number. So yes, it's great for phishers.

    Also, an interesting note about XSS: it's a shotgun approach. When an attacker exploits an XSS vulnerability, they will steal the cookies of everybody who views that page, not just you.

    --
    I am a leaf on the wind. Watch how I soar.
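
Added example, not part of the thread: a header audit for the session-cookie theft described in the last comment. It reports session cookies such as PHPSESSID that are set without HttpOnly (so injected script can read them) or without Secure; the cookie-name list, finding codes and sample headers are constructed for illustration.

```python
# Audit Set-Cookie headers for session cookies that page script could read.
# Names treated as session identifiers (assumed list; extend per application).
SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid"}

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs

def audit_cookie(header, session_names=SESSION_NAMES):
    """Return finding codes for one Set-Cookie header ([] if nothing to report)."""
    name, _, attrs = parse_set_cookie(header)
    if name.lower() not in session_names:
        return []  # only session identifiers are in scope here
    findings = []
    if "httponly" not in attrs:
        # Without HttpOnly, script injected via XSS can read document.cookie.
        findings.append("missing-httponly")
    if "secure" not in attrs:
        # Without Secure, the identifier also travels over plain HTTP.
        findings.append("missing-secure")
    return findings

def audit_response(set_cookie_headers):
    """Map cookie name -> findings for every flagged cookie in a response."""
    report = {}
    for header in set_cookie_headers:
        findings = audit_cookie(header)
        if findings:
            report[parse_set_cookie(header)[0]] = findings
    return report

# Constructed sample headers: a bare session cookie, a hardened one, a non-session one.
SAMPLE_WEAK = ["PHPSESSID=abc123; path=/", "theme=dark; path=/"]
SAMPLE_HARDENED = ["PHPSESSID=abc123; path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    print(audit_response(SAMPLE_WEAK))
    print(audit_response(SAMPLE_HARDENED))
```

In PHP the corresponding settings are `session.cookie_httponly` and `session.cookie_secure`. HttpOnly only keeps the identifier out of reach of script; it does not stop injected script from acting inside the victim's session or drawing a fake login frame like the one in comment 3, so the injection itself still has to be fixed.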