(Apr 22) Updated qemu-kvm packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate [More…]
Fraudsters have taken to Microsoft Azure to deploy phishing sites, taking advantage of Microsoft’s free 30-day trial.
In order to get a phishing site hosted at Azure, the fraudster has several options: steal the credentials for a Microsoft account, compromise a virtual machine running at Azure, or use Microsoft’s free trial which provides $200 of credit. Given the number of subdomains registered explicitly for phishing, it is unlikely that many fraudsters are exploiting legitimate customers’ virtual machines.
Microsoft Azure offers free subdomains to users: azurewebsites.net for its Azure Web Sites service and cloudapp.net for Cloud Apps and virtual machines. Almost twice as many phishing sites used azurewebsites.net rather than cloudapp.net, perhaps reflecting the ease-of-use of Azure Web Sites. The remainder of the phishing sites are accessed using their IP addresses or custom domains.
An Apple phishing site on itune-billing2update-ssl-apple.azurewebsites.net (Site Report).
Many of the subdomains are clearly registered with the intention of phishing; the table below includes some of the most egregious examples targeting well-known institutions.
| Subdomain | Target |
|---|---|
| itune-billing2update-ssl-apple.azurewebsites.net | Apple |
| paypalscurity.azurewebsites.net | PayPal |
| www22online-americanexpress.azurewebsites.net | American Express |
| 3seb-verifiedbyvisa.azurewebsites.net | Visa |
| login-comcastforceauthn.azurewebsites.net | Comcast |
| cielo-2014.cloudapp.net | Cielo |
Microsoft Azure Web Sites also offers fraudsters the ability to use an SSL certificate. All subdomains of azurewebsites.net are automatically accessible via HTTPS using a *.azurewebsites.net SSL certificate. The Apple phishing site featured below includes mixed content, indicating it was probably not designed with SSL in mind despite its subdomain: itune-billing2update-ssl-apple. Phishing sites that make proper use of the wildcard SSL certificate may be able to instil more trust than those that do not.
An SSL certificate on itune-billing2update-ssl-apple.azurewebsites.net (Site Report).
The Baseline Requirements that forms part of Mozilla’s CA policy suggests that the SSL certificate must be revoked within 24 hours: “The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs: [..] [t]he CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name”. However, Microsoft itself issued the SSL certificate from its sub-CA of Verizon Business and has chosen not to revoke it. Moreover, the SSL certificate does not include an OCSP responder URL and is not served with a stapled response (which is also in violation of the Baseline Requirements) and consequently the SSL certificate is irrevocable in some major browsers, particularly Firefox.
Fraudsters are also using Microsoft-provided free email addresses (at live.com, hotmail.com, and outlook.com) to receive and store stolen phishing credentials. Fraudsters commonly use phishing kits to quickly deploy phishing sites — before deployment, the fraudster configures the phishing kit with his email address. If a victim is tricked by the phishing site into providing his credentials, they are sent back to the fraudster’s email address.
One fraudster used Azure to proxy his internet traffic when accessing the phishing site, but was exposed when he used the same email address in the phishing kit as he used on his Facebook profile. The fraudster left the log file that records visits to the phishing site accessible to the public. The first two entries in the log, which preceded all other accesses by several hours, were from Microsoft Azure IP addresses. It is likely these correspond to the fraudster checking his phishing site was ready to be sent out to would-be victims.
<font color="#008000"><b>1</b> </font>137.117.104.222 - 2014-3-27 @ 02:56:03
<font color="#008000"><b>2</b> </font>137.117.104.222 - 2014-3-27 @ 02:57:16
<font color="#008000"><b>3</b> </font>109.<span style="background-color: #000000; color: #000000;">XXXXXXXXX</span> - 2014-3-27 @ 11:22:26
<font color="#008000"><b>4</b> </font>212.<span style="background-color: #000000; color: #000000;">XXXXXXXXX</span> - 2014-3-27 @ 11:39:47
<font color="#008000"><b>5</b> </font>62.<span style="background-color: #000000; color: #000000;">XXXXXXXXXXX</span> - 2014-3-27 @ 11:39:57
<font color="#008000"><b>6</b> </font>72.<span style="background-color: #000000; color: #000000;">XXXXXXXX</span> - 2014-3-27 @ 11:40:02
<font color="#008000"><b>7</b> </font>64.<span style="background-color: #000000; color: #000000;">XXXXXXXXXX</span> - 2014-3-27 @ 11:40:04
<font color="#008000"><b>8</b> </font>37.<span style="background-color: #000000; color: #000000;">XXXXXXXXXX</span> - 2014-3-27 @ 11:40:20
<font color="#008000"><b>9</b> </font>194.<span style="background-color: #000000; color: #000000;">XXXXXXXXXX</span> - 2014-3-27 @ 11:47:18
<font color="#008000"><b>10</b> </font>194.<span style="background-color: #000000; color: #000000;">XXXXXXXXXX</span> - 2014-3-27 @ 11:47:20
<font color="#008000"><b>11</b> </font>89.<span style="background-color: #000000; color: #000000;">XXXXXXXXX</span> - 2014-3-27 @ 11:49:50
<font color="#008000"><b>12</b> </font>65.<span style="background-color: #000000; color: #000000;">XXXXXXXXXX</span> - 2014-3-27 @ 11:49:54
<font color="#008000"><b>13</b> </font>92.<span style="background-color: #000000; color: #000000;">XXXXXXXXX</span> - 2014-3-27 @ 11:49:56
<font color="#008000"><b>14</b> </font>37.<span style="background-color: #000000; color: #000000;">XXXXXXXXXX</span> - 2014-3-27 @ 11:51:20
<font color="#008000"><b>15</b> </font>94.<span style="background-color: #000000; color: #000000;">XXXXXXXXXX</span> - 2014-3-27 @ 11:51:24
<font color="#008000"><b>16</b> </font>62.<span style="background-color: #000000; color: #000000;">XXXXXXXXXXX</span> - 2014-3-27 @ 11:51:26
However, Microsoft may yet have a trick up its sleeve: customers must provide a phone number and credit card details in order to register for the trial. Whilst the credit card details could have been stolen in a previous phishing attack, physical access to a phone is required in order to register an account. This may prove to be the fraudsters’ downfall — in serious cases, information gathered from the fraudsters mobile phone could be used as evidence subject to the phone company’s cooperation and local police involvement.
Netcraft’s Domain Registration Risk service can be used to pre-empt fraud by highlighting domains or subdomains that are deceptively similar to legitimate websites run by banks and other institutions that are commonly targeted by fraudsters.
Fraudulent classified ads posted on eBay
have been exploiting an opportunity to establish convincing attacks against potential car buyers. Simply viewing one of the sneaky eBay ads causes the victim’s browser to instead request the same listing via an intermediate server, which subtly modifies the content of the page to the fraudster’s advantage.
1. Victim browses to one of the fraudulent listings on eBay.co.uk; 2. eBay returns the listing to the victim’s browser; 3. The fraudulent listing automatically redirects the browser to the attacker’s website, passing the eBay item number to a PHP script; 4. The attacker’s website uses the item number to fetch the same listing directly from ebay.co.uk; 5. eBay returns the listing to the attacker’s website; 6. The attacker modifies the real eBay page before returning it to the victim’s browser.
When a customer views one of the fraudulent ads on eBay, specially crafted JavaScript embedded within the item’s description will automatically redirect the victim’s browser to the attacker’s website. The eBay item number is passed to a PHP script on the attacker’s site, which allows it to fetch the same listing from ebay.co.uk before delivering a slightly altered version to the victim.
Most customers would not expect their browser to end up on a different website by merely viewing a listing on the real eBay website, which makes this attack dangerously effective. Additionally, because the modified listing looks extremely similar to the real thing (and displays the item they were expecting to see), it is likely that many victims would have no cause to suspect that the bogus content is being served from a completely different website. Although there are still a few small clues for the wary, this apparent weakness in the eBay platform is certainly much easier to exploit than a completely undetectable
man-in-the-middle attack.
Interestingly, the only significant differences on the modified page are that the Email the seller and the Ask a question links have been replaced with different links which send an email directly to [email protected]. On the real eBay website, these parts of the page cannot be altered because the item description is displayed within an iframe, making any JavaScript within the description unable to directly alter the contents of the parent window.
By encouraging victims to immediately establish an email dialogue outside of the eBay website, the fraudster can attempt to secure money through non-reversible payment methods without eBay being able to monitor even the initial communication.
Victims are unlikely to be spooked by having to deal directly with the seller. While eBay’s terms and conditions forbid anyone to buy or sell outside eBay, this applies only to its auction-style and Buy-It-Now listing formats. This scam makes use of eBay’s newer classified ad listing format, where a purchase can only be carried out by dealing directly with the seller. In these cases, the victim would not be covered under eBay’s buyer protection policy, nor would they be able to leave negative feedback which might alert other potential victims.
The fraudulent listings used in these attacks are posted from compromised eBay accounts, which allows the fraudster to piggyback on the trustworthiness and reputation of established sellers. If these compromised accounts have accrued lots of positive feedback from previous auctions, then this will also serve to leverage the trust of potential victims much more than a brand new account possibly could.
This type of attack is rather subtle considering the other opportunities that could have been exploited by the fraudster. Most obviously, the fraudster could have attempted to steal login credentials by presenting a spoof login form, but clicking on the Buy it now or Make offer buttons, or the My eBay menu item, actually directs the victim to the real eBay login page instead. However, the subtle changes that are made are the only ones necessary for these types of listings — when it is possible to score thousands of pounds with a single fraudulent sale via email, perhaps it is not worth attracting undue attention by also phishing for account details.
The man-in-the-middle scenario is made possible by the inclusion of arbitrary JavaScript in the fraudulent listings. eBay’s
HTML and JavaScript policy explicitly prohibits the use of JavaScript to redirect a user from eBay to another webpage, but this rule is clearly being flouted. Accounts may be suspended for breaching the guidelines in this policy, which is another reason why it is common to see fraudulent listings being posted from compromised eBay accounts – whether or not these accounts get permanently suspended is largely inconsequential to the attacker.
Banning nefarious JavaScript through policy alone is rather ineffective, as fraudsters aren’t going to mind breaking the rules. Given the potential for misuse, the lack of sufficient technical measures to prevent malicious scripts being embedded within an eBay listing poses a security risk, and the fraudulent listings posted on eBay over the past week demonstrate that this issue can be exploited rather effectively.
Because the description of an eBay listing is displayed within an iframe, the attack relies on being able to use a hyperlink to change the location of the parent window. This could be prevented by using HTML5’s sandboxing features, which would cause a hyperlink with a target="_top" attribute to do nothing. The framed content would only be able to navigate within itself and not change the contact details in the surrounding top-level parent.
Although the fraudulent listings are eventually deleted by eBay, the same fraudster keeps coming back for more.
Buster Jack — who regularly reports such scams to eBay — noted a
similar attack by the same fraudster more than a week ago, which presented the modified content via the yugoslavic.info domain. In terms of value, Jack told Netcraft that the used car market is the most serious area of fraud on eBay.
Within the past week, Netcraft has blocked more than 20 other websites that the same fraudster had been using to modify the content of eBay listings. All of these sites used the .info top-level domain, shared the same IP address, and were hosted by HostGator in the United States.
The
Scamwarners forum has documented similar cases of suspected fraudulent activity on the car trading website
Autotrader. Here, the same fraudster has attempted to get potential buyers to make contact via various email addresses under his regowner.co.uk domain, rather than by phone or via the Autotrader website. The affected listings have since been removed from the Autotrader website, but the regowner.co.uk domain is still operational and able to receive email. The domain name itself lends authority to the scam by pretending it has something to do with the
registered owner of a vehicle, and the
local part of the email address (the part before the @ symbol) was the same as the car’s
number plate, such as [email protected].
The regowner.co.uk domain was registered with eNom on 27 March and currently points to a holding page hosted by Arvixe in the UK. Despite the domain’s WHOIS registration type being set to “UK Individual“, the registrant’s address is purportedly in the United States. The .info domains used by the man-in-the-middle scripts were also registered last month, using an address in London.
(Apr 22) Updated kernel packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6.3 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More…]
(Apr 23) Updated openshift-origin-broker and rubygem-openshift-origin-auth-remote-user packages that fix one security issue are now available for Red Hat OpenShift Enterprise 1.2.7. [More…]
67 queries. 8.5 mb Memory usage. 0.669 seconds.