Navigate This Site

Philip Ramsey Headlines

Sunday, July 18, 2010

CSI:Internet Episode 1: Alarm at the pizza service by Thorsten Holz

This article CSI:Internet Episode 1: Alarm at the pizza service goes a long way in explaining how the use of iFrames (a technology developed by Microsoft for inserting a web page into another web page) may be used to compromise web sites using SQL injection.

It is a bit long winded and a bit difficult to follow. However you should be able to grasp what is happening. Basically, Someone wrote a javascript (js) file and placed it on the web site of a famous pizza franchise (not in North America) using an iFrame with a dimension of 1px by 1px so that it is invisible to the eye. The js file connects to a web server that is under the control of the js author, downloads and installs a trojan on the pizza site visitors' Windows powered computer.

I always thought that since I used Linux I did not need to worry about these attacks that targeted Windows users. Was I wrong. Since these hackers are now using js, which runs on all operating systems (os) it is very easy to include a variable to the js to detect the os of the visitor in the form if {other os do this} else {Win32 run trojan installer}.

What I discovered today is someone had got the password to my Gmail account and used my account to spam me with a phishing attack. The weird part is how they got my email password - I was investigating the source of an email that came from Yahoo! account that has been hijacked by Russian/Chinese cyber-criminals. I have been doing this for a very long time in my effort to fight the spam and phishing attacks that reaches my inbox. Once I complete my research of the source of the attach and landing point or target url the phishers wants their victims to go to, I email the information to the ISPs whose computers are used in the attack to let them know they have computers that has been compromised and is used by cyber-criminals.

Apparently I have been very effective in shutting down rogue servers outside China while very effective in highlighting the fact that most of these attacks are carried out using servers operated in China to install the malware. Someone wanted to shut me up real bad especially since I started posting my responses and replies about the Yahoo! attacks to my blog. The most effective way to shut me up would be to hijack my Gmail account and use it to launch phishing attacks as well. But how did they get my email password? I have remote graphics and third party cookies turned off in my seamonkey browser and js turned off in seamonkey mail.

The answer is in the js at the destination url of the phishing attack. All the hacker has to do is add a shell command in the if{clause} or ifelse{clause} that loads a keystroke logger or some other runtime sensor into memory if the visitor is not using win32 os that captures my email password. Once I click send they got my email address and password. These hackers are very dangerous social engineers. Not everyone has either the time, will or knowledge to reverse engineer these cyber-attacks and when they do, they make themselves a target of attack as well.

It is my belief that the Chinese government is behind the vast majority of these phishing attacks and the only way to prove it will compromise your computer system thereby compromising your proof. The worst part is there are so many web servers all over the world that are controlled by cyber-criminals, cyber-terrorist and spammers that it is very difficult to prove where your specific attack originated. In my case, on two occasions in the past 10 weeks my Gmail account was compromised. In the first case I was investigating a phishing attack related the hijacked Yahoo account that led to a web site hosted on server in Russia. This web site listed prescribed drugs listed on a web site hosted on servers in China. The second phishing attack also involved the same hijacked Yahoo account but it led to a web site hosted on servers in Turkey that listed prescribed drugs on a Chinese web site. So the common denominator in both cases were Yahoo and China.

Powered by ScribeFire.

No comments:

Post a Comment