Phishing For Bank Info Without Any Pesky Malware

← Back to Stories (view on slashdot.org)

Phishing For Bank Info Without Any Pesky Malware

Posted by timothy on Thursday January 15, 2009 @05:06PM from the but-the-convenience-is-incredible dept.

Emb3rz writes "DarkReading.com brings us news of a new approach to phishing that targets online banking sites. Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love. Instead, it uses JavaScript from a remote page to detect if you have a banking site open, and prompts you for info via popup if you do."

51 of 232 comments (clear)

Min score:

Reason:

Sort:

The Best Defense is Offense by alain94040 · 2009-01-15 17:06 · Score: 3, Insightful

This is real scary. And it goes to prove that bad guys always come up with new ways to steal. I don't believe there is a technical solution to this arms race.
Instead, I'd love to see our law enforcement friends be more pro-active and setup traps. Pose as a fake victim. Go out and seek those phishing sites. When the thieves come after your money thinking they just ripped off a stupid Internet newbie, then you can trace their activity and catch them.
That's the best way I can think of scaring the bad guys: when they never know if their next victim might be a cop.
--
FairSoftware.net -- work where geeks are their own boss
1. Re:The Best Defense is Offense by Anonymous Coward · 2009-01-15 17:10 · Score: 2, Informative
  
  I've heard of something like this before.
  Though there's this magical thing called noscript.
  If people would stop putting law before them to prevent them from making stupid choices then we might have a more informed society.
  (I ironically didn't read TFA.)
2. Re:The Best Defense is Offense by Anonymous Coward · 2009-01-15 18:05 · Score: 2, Funny
  
  Of course we would then have to send someone to Elbonia to disappear the disappearers.
  In fact we could lay traps for them by disappearing people in a country where that is illegal and then see who comes after them.
3. Re:The Best Defense is Offense by eln · 2009-01-15 18:10 · Score: 4, Insightful
  
  Some of us like to believe that the Constitution, as well as all other laws and treaties the government operates under, restricts the government's actions everywhere that it operates, not just on American soil, and that it also precludes the government from encouraging other nations to do what it itself is prohibited from doing. I don't see how we can call ourselves a just nation if we simply outsource acts that we would find deplorable if our own government were carrying them out.
  I don't deny that our government has had something of a bad history of clandestinely encouraging foreign powers to "disappear" people we find troublesome, but that doesn't make it right or legal, and it certainly doesn't mean we should encourage it to happen more often.
4. Re:The Best Defense is Offense by blueg3 · 2009-01-15 18:37 · Score: 3, Insightful
  
  Well, the nature of an arms race is such that it has technological approaches.
  In this case, for example, there most certainly is a technological approach. JavaScript in one loaded tab in your browser should have no shared knowledge with other tabs in your browser. Data separation needs to be enforced at a finer level. You should also know, if you have two tabs open to different sites, which one of the two a popup is associated with.
5. Re:The Best Defense is Offense by retech · 2009-01-15 19:14 · Score: 2, Interesting
  There's a simple technical solution to this:
  
  trace the phishing to their location
  send a missile to that location
  problem solved
6. Re:The Best Defense is Offense by Gerzel · 2009-01-15 20:33 · Score: 4, Interesting
  
  Problem is with no-script you still have to decide if you trust or not-trust the site and if that level of trust you have is worth what the site is offering.
  If the site offers a useful service which requires scripts you have to decide if it is worth the risk.
  While in most cases it is easy to tell and block only those sites you trust. Those that you don't block may also allow third party scripts to be run such as in ads on the site.
7. Re:The Best Defense is Offense by Gerzel · 2009-01-15 20:35 · Score: 2, Funny
  
  Elbonia uses trenches as we cannot afford your extravagant tubes.
8. Re:The Best Defense is Offense by Gerzel · 2009-01-15 20:37 · Score: 3, Funny
  
  4. Find out that the phisers are using a proxy to bounce off of.
  5. Find that proxy is some poor schmuck who got hacked.
  6. Realize poor schmuck is you.
  7. Boom.
9. Re:The Best Defense is Offense by ushering05401 · 2009-01-15 21:08 · Score: 5, Funny
  
  There's a simple technical solution to this:
  1. trace the phishing to their location
  2. send a missile to that location
  3. problem solved
  I don't get it. Then the bad guys would have a missile. That is worse, not better.
10. Re:The Best Defense is Offense by thetartanavenger · 2009-01-15 22:35 · Score: 2, Informative
  
  NoScript breaks my online banking. Yeah it's a good idea and I tried to use it for a while, but I found that no matter what exceptions I gave it when it came to my bank, it refused to allow me access. Don't know why, but it kinda kills your argument if you have to turn NoScript off completely to use your online banking.
  
  --
  Who need's speling and grammar?
11. Re:The Best Defense is Offense by DigitAl56K · 2009-01-15 22:48 · Score: 4, Informative
  
  Problem is with no-script you still have to decide if you trust or not-trust the site and if that level of trust you have is worth what the site is offering.
  That slightly over-simplifies the protection that NoScript offers. For example, even when you allow script to run NoScript still provides protection against certain types of XSS, you can use it to force cookies to be exchanged over https for certain domains, it can block some plug-in types (Java, Flash, Silverlight), it features click-jacking protection, and just a couple of days ago it even added protection against attacks on twitter.
  So yes, you do have to make that trade-off, but even when you click "allow" you're potentially better off with NoScript installed than without it.
12. Re:The Best Defense is Offense by N1AK · 2009-01-16 00:31 · Score: 5, Insightful
  
  Slashdot: Where fining people for copyright infringement is wrong but killing people for stealing login details is "Insightful".
13. Re:The Best Defense is Offense by RonTheHurler · 2009-01-16 01:04 · Score: 5, Interesting
  
  How about this one-
  I got a letter in the mail (usps snailmail) from Bank of America asking for a lot of personal information that was missing from my account, and that if I didn't supply that information they'd have to report me to the IRS.
  The letter was spelled correctly, had proper grammar and even had the BofA logo printed in full color. The return address was a PO box in Dallas. Nothing fishy at all.
  Problem is, I don't have a BofA account. But I'm sure a LOT of other people do.
  Phishing - it's not just an on-line phenomenon.
14. Re:The Best Defense is Offense by indi0144 · 2009-01-16 02:32 · Score: 2, Interesting
  
  Call your bank! tell em you're going to the media as in "halp-my-buntu-box-does-not-do-word" unless they fix that. Happened here on my bank, they required IE 7 and I (and other fellow local geeks) called and emailed them so now they support Opera and Firefox.
15. Re:The Best Defense is Offense by Muad'Dave · 2009-01-16 02:32 · Score: 4, Insightful
  
  Maybe "you" do, and you don't know it. I think it would be prudent to call BoA, tell them what you received, and make sure someone isn't laundering money using an account opened with your SSN, name, or address.
  
  --
  Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
16. Re:The Best Defense is Offense by blueg3 · 2009-01-16 02:51 · Score: 2, Informative
  
  When you're currently visiting one site, and open a new tab and go to a different site, those two open tabs should have no capacity to share information -- they should function as if they were separate browser sessions. (Obviously this isn't the same as if you clicked on something in a tab that causes another tab or window to open, as they may need to share knowledge. But then, the fact that those two tabs/windows are tied to the same context should be made apparent to the user.)
XSS by AKAImBatman · 2009-01-15 17:08 · Score: 4, Informative

Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love.
A cross-site scripting attack sounds like a pretty typical attack vector to me. Javascript should not be able to "detect" if they have a banking site open. Pure and simple.

--
Javascript + Nintendo DSi = DSiCade
1. Re:XSS by AKAImBatman · 2009-01-15 17:21 · Score: 5, Insightful
  
  BTW, for those of you who are curious about this attack (and are too lazy to RTFA), this basically uses a common image set behind a protected login. e.g.
  
  <img src="https://www.mybank.com/protected/images/lock.gif" onerror="notLoggedInSoRefresh();" onload="hahaGotEm();">
  
  If you ping the blasted thing for long enough, you will be able to detect the user logging in. One pop-up later and you've stolen their info.
  Now protecting against this sort of issue is an interesting question. Ideally static resources should never be behind closed doors. But that answer is a bit of a cop-out. The next best thing is to ensure that session cookies are maintained inside the login tab ONLY and that persistent cookies are not used for auto-login.
  (Interesting question: I wonder if Chrome is vulnerable? With process isolation, this trick would require that the main Chrome process delegate the handling of session cookies. Which seems like a bad idea anyway, so I would hope they implemented the browser in a more secure manner.)
  
  --
  Javascript + Nintendo DSi = DSiCade
2. Re:XSS by Animaether · 2009-01-15 18:22 · Score: 3, Interesting
  
  so wait..
  as you explain it, I guess the idea is that once the user logs into the secure site, the malware script can magically access the lock.gif because the site and browser tell them that.. yup.. the user is logged in and thus should have access.
  however.. presumably, the script is not from a page that's actually -on- https://www.mybank.com/.. if it was, you and the bank probably have bigger problems.
  So let's say that instead it's on http://www.malware.lol/ - why would a script on a page from malware.lol be allowed access to a resource - in this case 'pinging' the 'lock.gif' - *on* https://www.mybank.com/ ?
  Is there any valid purpose for allowing something like that? I can understand it for non-secure sites.. from inlining content that's hosted on another domain to allowing local applications to grab data off of e.g. websites that do not provide a nice API. But for secure sites? I'm baffled.
3. Re:XSS by AKAImBatman · 2009-01-15 18:43 · Score: 5, Interesting
  
  So let's say that instead it's on http://www.malware.lol/ - why would a script on a page from malware.lol be allowed access to a resource - in this case 'pinging' the 'lock.gif' - *on* https://www.mybank.com/ ?
  There's a great deal of internet history behind this one. Originally, there were no barriers what so ever. Anyone could link anything from any page. Of course, as Javascript entered the scene and grew in sophistication, this was soon realized to be a problem. In result, most browsers adopted security behaviors for the really powerful stuff like XMLHttpRequest and locked out scripting across frames.
  However, that still leaves a hole like this one. And it's not an easy hole to plug. Quite a few sites are actually structured around the idea of cross-site linking. (e.g. The HTML may be www.mainsite.com while the images come from the web server media.mainsite.com.) Interestingly, this sort of structure is actually a solution to the problem posed. So it's difficult to dispose of it out of hand.
  Some of the web standards are moving toward highly restrictive models for HTTPS sites. e.g. HTTPS resources can only be accessed by pages whose origin is the same HTTPS site. More likely though, I expect to see more explicit security configurations along the lines of what Flash does. Flash uses a crossdomain.xml file on the target site to broadcast if a resource can be accessed or not. This scheme allows for situations like a media server separate from the primary site, but it also allows for those cross domain accesses to be tightly restricted.
  Of course, the scheme is not without its problems. Nothing prevents an attacker from transmitting information he may have collected TO a server that he has configured with a permissive policy file. If he finds a vulnerability that allows him to collect the information in the first place, he's going to be able to make off with the info scott-free.
  In result, web security is an ongoing area of research. It's incredibly complex due to the nature and history of the web, but standards bodies are working hard to find more reliable solutions that don't negatively impact existing sites and current usage.
  
  --
  Javascript + Nintendo DSi = DSiCade
4. Re:XSS by RockMFR · 2009-01-15 18:47 · Score: 2, Insightful
  
  There is nothing special about secure sites. HTTPS doesn't mean "this site is super special and you should do special things with it". This same attack can be applied to non-secure sites, too.
5. Re:XSS by hairyfeet · 2009-01-15 19:53 · Score: 2, Insightful
  
  And that one is JavaScript too. Has anyone else noticed that pretty much every piece of nasty coming down the pipe uses JavaScript? I've said it before and I'll say it again: JavaScript is a BAD Idea, just as ActiveX was a bad idea. They both are havens for malware. The only difference is ActiveX was Windows only. But in either case it is still a giant security hole. If this keeps up and enough folks are burned I could see it dying off just as ActiveX did.
  Now as for Noscript, while I use it every day it just isn't friendly for 99.999% of home users. What we need is a "simple" option setting for Noscript, perhaps set up by allowing the user to choose on first install, which instead of listing every single blockable element, would have a "play video" button which would look for *.flv, *.mp4, etc and play the video. Because it is video sites that have made Noscript useless for handing out to non techies. I have watched my customers and they quickly get frustrated because they can't figure out which of the dozen blocked elements is the video they want to see and soon start clicking "allow all on this page" which makes it as useless as Vista's UAC prompts. By having a "play video" option at the bottom you would still have the high security, since nothing is being run by default, but it would allow the non techs to play their videos without killing the security.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
6. Re:XSS by Animaether · 2009-01-16 01:29 · Score: 2, Insightful
  
  "There is nothing special about secure sites. HTTPS doesn't mean "this site is super special and you should do special things with it". This same attack can be applied to non-secure sites, too." - RockMFR (1022315)
  Well that's the thing - why not? They are superspecial to my browser already.. doing its certificate check and throwing a big fat "passport check" image at me (FireFox 3) if it think something's not quite up to snuff. I don't see why a page on anything other than https://www.mybank.com/ shouldn't be told to piss off.
  "Quite a few sites are actually structured around the idea of cross-site linking. (e.g. The HTML may be www.mainsite.com while the images come from the web server media.mainsite.com.)" - AKAImBatman (238306)
  That I understand - as per my post, for inlining things etc.
  However, I think that in the specific case you mentioned - e.g. media.. presumably images - those images *should* either come from the same domain as the secure site *or* come directly from an insecure site. Yes, a browser will pop up a warning that there's mixed content.. it does that for a reason, I would think. But the way around that is not to stick your images on a completely different-but-still-secure domain (I've not actually seen this, so for all I know that throws up an error as well anyway), but by keeping things on the same domain. Any sysadmin worth their pay can easily offload resources to a different media server if there's some manner of capacity issue at play that would have them put the media on a different domain otherwise.
  Maybe making things more strict would indeed break a few sites, but other than webmasters/sysadmins realizing they need to be more careful, I don't see the harm in that other than short-term mumbling and cursing from the aforementioned groups.
  crossdomain directives sound like another security problem just waiting to happen, in my humble opinion, but I'm certainly not an expert on that topic.
Simple Solution... by Klootzak · 2009-01-15 17:12 · Score: 4, Informative

Don't have multiple tabs/windows open while you're doing your online banking!!!

Oh, and use NoScript!

--
A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
1. Re:Simple Solution... by X0563511 · 2009-01-15 17:24 · Score: 4, Insightful
  
  Once more, Darwin extends into the internet.
  Computers are tools. They do what they are told without question. The internet is made of computers. By extension, it is a tool that does exactly what it is told.
  Kind of like a handgun, and you don't (usually) let people run around with those without some kind of training.
  Also like a handgun, most tools don't care who is issuing the instructions - they just do it. That tablesaw doesn't care if it's a 2x4 or your forearm, it saws anyways.
  Yes, I'm an elitist bastard sometimes.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
2. Re:Simple Solution... by Klootzak · 2009-01-15 17:24 · Score: 4, Informative
  
  Yelling "Install NoScript you n00bs!!!" won't register noobs... because they're newbs.
  Well, I wouldn't call them n00bs firstly... and secondly, most of the technically-savvy geeks/nerds I know read Slashdot and find out new and interesting stuff from here.
  
  One of the best things about Slashdot is if you write something on here, ALOT of people will take notice. So if by providing solutions/information that people can read and take away to tell other non-technically-savvy individuals helps protect at least one person from being scammed, I'm more than happy to yell on Slashdot about it ;)
  
  --
  A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
3. Re:Simple Solution... by j01123 · 2009-01-15 19:01 · Score: 3, Interesting
  
  Oh, and use NoScript!
  Another simple change is to set dom.disable_window_open_feature.location to true. That should make it pretty obvious when a popup comes from source different than what it's claiming.
Things to learn from this. by john.picard · 2009-01-15 17:23 · Score: 5, Insightful

The next thing you know, they'll make up a screen scraper in JavaScript. There are several things to learn from this. For the users, one, that you should completely clear your browser (Clear Private Data or similar) before going to a banking website, two that you should NEVER open other websites (or have them open) while you're signed in to a banking website, third that when you've finished banking, you should completely clear your browser again. For the browser makers (Firefox devs reading this?), third party cookies should be disabled by default, the option to turn them on should come with stern warnings, and each website can ONLY read cookies previously set by itself. Further when an encrypted page is opened, its memory should be such that other pages cannot access any part of it. In other words, the same sandboxing approach taken to deal with other security issues, within the browser for encrypted pages.
1. Re:Things to learn from this. by Fian · 2009-01-15 18:18 · Score: 5, Interesting
  
  Perhaps it is time to have a dedicated banking browser? One that does not use cookies/cache data/allow more that one tab etc etc
2. Re:Things to learn from this. by ljubom · 2009-01-15 19:23 · Score: 3, Insightful
  
  It would be cool to have firefox "mode" doing exactly this. Press an "online-banking" button and a new isolated firefox session would be started with all needed restrictions and settings.
3. Re:Things to learn from this. by failedlogic · 2009-01-15 20:35 · Score: 2, Interesting
  
  I try and shy away from online-Banking as much as I can. Never mind separate browser. I use a Live Linux DVD and load up my bank site from there. When I do this its boot, bank website, print if necessary, shutdown and back to Windows.
4. Re:Things to learn from this. by labnet · 2009-01-15 21:06 · Score: 2, Interesting
  
  Or you should get a one time key generator.
  My key changes every 60 seconds. Could they exploit this within that time frame. (Especially if I'm already logged on and the bank does not allow a second simultaneous login)
  
  --
  46137
5. Re:Things to learn from this. by OpenSourced · 2009-01-15 22:35 · Score: 3, Interesting
  
  I, for one, have a dedicated VMWare virtual machine with Ubuntu installed, and Firefox. Firefox has NoScript installed, is set to saving no user story, and I use it only for banking. I find the setup a bit unwieldy sometimes, but is sure safer.
  
  --
  Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
6. Re:Things to learn from this. by fprintf · 2009-01-16 01:06 · Score: 2, Interesting
  
  I'd bet this is something that could be created in GreaseMonkey or otherwise developed as an add-on for Firefox. It would certainly be an effort I would contribute to as this discussion is making me paranoid.
  
  --
  This post brought to you by your friendly neighborhood MBA.
Use a separate Firefox profile for banking by Anonymous Coward · 2009-01-15 17:27 · Score: 2, Interesting

This is why I use a separate Firefox profile for banking and bill paying. And I only have one tab open at a time.
The article doesn't describe the actual exploit by dmomo · 2009-01-15 17:31 · Score: 3, Interesting

The only way I can imagine that js on one site can detect if a user is logged into another (assuming the other site is secure and I cannot post js to it) would work like this:
Use an Asynchronous request to "curl" out to a well known page of that site and then "grep" the response for typical "you are not logged in" text. If it is not found, commence shenanigans.
BTW, this comment kind of made me roll my eyes:
"Klein says placing a low-profile piece of malicious JavaScript on a high-profile Website isn't difficult to do, and the malware is basically invisible to the user."
"Klein" makes it sound like this is a walk in the park. I don't know. After the myspace worm a few years back, I think validation and filtering on those sites has gotten pretty good. Low-profile sites? Sure. High-profile sites? Not so much. I'm not saying it's not possible, but "not difficult"... maybe Klein is just conceited.
1. Re:The article doesn't describe the actual exploit by dmomo · 2009-01-15 18:04 · Score: 2, Informative
  
  I agree. Most XSS attacks would require the banking site to have a vulnerability. This article implies that all one needs is a vulnerability on the first (high-profile) site.
more fixes for the security model by r00t · 2009-01-15 18:08 · Score: 3, Insightful

Any browser window containing content from more
than one security context must NOT display any
sort of lock icon, and must display a warning
banner.
"more than one" would include an https site that
uses some http images. It's not secure if it's
a mix.
A 'secure mode' for browsers? by dnwq · 2009-01-15 18:35 · Score: 4, Insightful

Internet Explorer has a porn^H^H^H^H privacy mode where privacy settings are locked down. Why not build an analagous 'secure mode' for Firefox or Konq. where security settings are all locked to high heaven for that browsing session only?

That way users can both bank online securely and not have half the web break for them because they've disabled javascript.
Re:Ban Pop-ups by robo_mojo · 2009-01-15 18:42 · Score: 2, Interesting

Javascript alerts would be fine, as long as they would stay only with their own content and not interrupt other tabs/windows or other programs on the system.
There is a very long-standing bugzilla bug about this for Mozilla, you can read:
https://bugzilla.mozilla.org/show_bug.cgi?id=59314
Bug 59314 - Alerts should be content-modal, not window-modal
(comment #39 describes a security problem that sounds similar to the problem here)
Lots of good ideas in that page about how alerts could be handled differently. I like the one where the alert becomes an infobar. If you aren't on that tab when the alert happens, you won't be forced to see it, and it can't interrupt anything else you're doing.
In the meantime, closing all open browser windows before you visit your bank site is still the safest thing to do.
Re:The article makes it sound so simple... by blueg3 · 2009-01-15 18:43 · Score: 4, Insightful

You don't need to hack a high-profile site to put malicious JavaScript on there. Most high-profile sites, directly or indirectly, load tons of third-party objects.
Advertising, for example, is an excellent JavaScript injection vector.
Re:Already dedicate browser sessions to banking on by totally+bogus+dude · 2009-01-15 21:04 · Score: 4, Informative

It's explained in a few comments above. You just reference a resource (usually an image) that requires you to be logged in at the target site in order to access. If your attempt fails, the user isn't logged in at that site. If it succeeds, you know the user is currently logged in.
paranoia-plus... by BrokenHalo · 2009-01-15 22:16 · Score: 5, Insightful

My paranoia has led me into a practice of doing my banking in a single browser session, clearing cookies, cache and history before and after, and closing/restarting the browser when finished.

Looks like I was right about the monsters behind the sofa after all.
1. Re:paranoia-plus... by stranger_to_himself · 2009-01-15 23:30 · Score: 4, Insightful
  
  My paranoia has led me into a practice of doing my banking in a single browser session, clearing cookies, cache and history before and after, and closing/restarting the browser when finished.
  My paranoia has led me into a practice of doing my banking by going to the bank.
2. Re:paranoia-plus... by Anonymous Coward · 2009-01-16 00:08 · Score: 2, Insightful
  
  SSL is far more secure than going to the bank and dealing with humans.
  Also, I have never heard of anyone dieing in a digital bank robbery.
3. Re:paranoia-plus... by eat+here_get+gas · 2009-01-16 01:34 · Score: 3, Funny
  
  because most bank robbery's do not occur in tooling shops.
  
  dieing indeed....
  
  --
  the significance of a signature is insignificant
4. Re:paranoia-plus... by SkyDude · 2009-01-16 02:16 · Score: 2, Funny
  
  My paranoia has led me into a practice of doing my banking by going to the bank.
  
  You insensitive clod. How do you get there - in your gasoline powered, carbon-emitting, smog-making car?
  A real /.er would stay in his basement and do his banking on the internet and not risk having to interact with other humans.......
  You must be new here.
  
  --
  == First cross river, then insult alligator.
Re:New ways to steal. by sincewhen · 2009-01-15 23:42 · Score: 2, Informative

Yes, it is apparently already being done on a large scale:
http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html

--
-- Braden's law of data: All data spends some of its lifetime in an excel spreadsheet.
No passwords by Haiyadragon · 2009-01-16 00:20 · Score: 2, Informative

Over here in the Netherlands most banks (maybe all) don't use passwords. In my case I have a card reader that will generate a code after I give it my card, PIN number and a code generated by the website. I have to do this to log in and to initiate transactions. That makes this attack pretty useless. Also, a prompt should always clearly indicate by which website it was called and it shouldn't block other tabs.
Noscript Is Pretty Much Geek-Only by reallocate · 2009-01-16 03:45 · Score: 3, Insightful

Noscript requires a level of knowledge about attacks, protocols, etc., that precludes it from being adopted outside the geek community.
A tool intended for widespread use needs to have two buttons: Safe and Unsafe.

--
-- Slashdot: When Public Access TV Says "No"