JavaScript Botnet Sheds Light On Criminal Activity

CowboyRobot writes "Informatica64, a security research group, demonstrated the use of cached JavaScript to control computers connecting to a malicious proxy. 'The researchers found a variety of low-level criminals using their proxy server: fraudsters posing as British immigration officials offering work permits in hopes of stealing money and sensitive documents from their victims; a man pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket; and another fraudster selling nonexistent Yorkshire Terriers.'"

Really?

[Darkness404]

It is very likely that companies and governments are already using this technique to eavesdrop on criminal activity, Alonso said.

Really? How about them using it to eavesdrop on -everyone- regardless on if it is "criminal" or not. Plus, I'm sure governments have more invasive methods rather than just this.

Re:Really?

I was at this presentation-- it was a public access proxy. If you're going to risk sending information over a proxy *you do not run* then that is your own mistake.

Re:Really?

[girlintraining]

Plus, I'm sure governments have more invasive methods rather than just this.

Yes, in the sage words of Jon Stewart, "I'm sure big government feels its largest when it's in your anus."

This should shut down the naysayers

Yep, this is proof... Javascript is a real programming language.

Wrong again Slashdot

"... and another fraudster selling nonexistent Yorkshire Terriers.'"

Bullshit. Yorkshire Terriers most certainly exist.

But... non-existant Yorkies are the best!

It shouldn't be a crime to sell non-existant Yorkies. Just think of the ensuing peace and quiet of neighbors, because the would-be purchaser no longer has the cash for a real one. That man owes society nothing. Yay, society should reward him for performing such a public service.

implication for corporate networks

[tofupup]

i saw the talk a def con this weekend.

one of my take ways from this talk is when certain sites such as youtube/imgur/slashdot/reddit are
black listed due to corporate IT guidelines people often go to proxies to circumvent
this. So the net effect of black listing popular sites (besides being a pain) is to make your
network less secure.

imho ... wasted banwidth is better than getting hacked.

Re:uh... only if you run it

[Culture20]

Nobody in their right mind runs javascript from random sites any more

Nobody cares except computer security professionals. Sure, I run noscript, adblock, and requestpolicy in FF, but no one else I know does unless I force them. Tons of sysadmins and low-level techs in the IT field don't even bother or know why they should care. So people who should have a clue are still running javascript (and flash, pdfs, and random exploit laden images from web ads) from random sites. What do you think that means about non-IT folk? They're all doing it, and only changing the browser defaults will do anything about it.

Scale invariance

[bosef1]

Well, it looks like organized crime has found its own Etsy and Craigslist. I suppose it just demonstrates how the power of just-in-time communication and office automation can be an assest, even on the black market.

Re:uh... only if you run it

[hairyfeet]

Hell you can't even change browser defaults because "web designers" have gone suck fucking heavy with JavaScript that most sites will be completely unusable without it.

I used to try to get my customers to use NoScript but now its strictly ABP, why? Because it only takes a half a dozen "reload the page a dozen damned times trying to figure which of the 40 third party scripts loads the fucking content" easter egg hunts for people to become sick of it. Hell its gotten to the point i just sandbox the browser rather than mess with NoScript because i get sick of playing "Where's the content" 3 or 4 times for every. single. page. that I go to.

So if you want to bitch at somebody about the mess? Blame the website designers, a good 99% of whom has gone so damned heavy with third party scripts being loaded from everywhere that most of the time you can't even get the fricking content AT ALL without a ton of JavaScript loaded. And lets face it, its only gonna get worse with all the "HTML V5 Web 3.0 Apps in the cloud" crap coming down the line. To get most of that stuff to even function you have to load a half a dozen scripts from all over the place, what a mess.

Re:Obligatory Noscript fp

[Johann+Lau]

I am disappointed. I clicked the link out of sheer nostalgia , but it's 404. Then I actually typed goatse.cx into the address bar.. and someone is squatting on that domain alright, but not in the way I expected! So read up on wikipedia, and see that's very old news... FFS, what is the web coming to?

Re:uh... only if you run it

[hairyfeet]

Well that means NO HTML V5 apps, no map sites, most forums and video sites won't work...hell you might as well say 'If the site won't run on my Pentium 100 I'm not coming back!" for all the good it'll do.

That is why I've been saying for years instead of pushing HTML V5 the geeks of the world need to be pushing for the death of JavaScript. Just like ActiveX it was never designed for security, and its had so much shit bolted on over the years good luck trying to tack on any security at this late date.

We need a NEW website language, designed from the ground up with security in mind, where everything is locked in a low rights "penalty box" and the website owners will have to run content strictly on site if they want it to be seen. if they want to get that content from somewhere else? Fine but they should be required to load it to their own site and scan it BEFORE shoveling it along to the user!

JavaScript was cooked up in the days of dialup, when the web was frankly a safer place. its not like that anymore and just as we wouldn't trust an AV from the Win95 era to stop modern threats so too should we not expect a language designed during that time to have a security model useful in today's world.