New wave of phishing attacks against eBay

A new wave of phishing attacks against eBay is exploiting a clever combination of wildcard DNS records and cross-site scripting (XSS) vulnerabilities to use other people’s websites to help steal credentials from victims.

The first attacks using this combined method of wildcard DNS records and XSS were detected by Netcraft on February 10th, although the source code behind the attacks suggests that the planning had begun a day earlier. The attacks have continued to the present day, and the fraudulent eBay login form remains accessible through the wildcard domains.

Fraudsters launched the attack using a number of sites that host vulnerable versions of iRedirector Subdomain Edition. This PHP- and MySQL-based system allows website owners to use wildcard DNS records on their domains to forward subdomains like http://user.example.com to URLs like http://www.example.com/members/~username.

A cross-site scripting vulnerability on the affected iRedirector sites is allowing the fraudsters to inject framesets into specific pages. These framesets load content from one of the fraudsters’ websites hosted in France at http://df0x.54.pl, which in turn loads an iframe located at http://0xdc4bdd88:88/ws/eBayISAPI.dll/. This injected iframe presents a fraudulent eBay login page, which prompts the victim to submit their eBay User ID and Password to a site hosted by Sudokwonkangnambonbujang in South Korea.

Because the vulnerable sites can be accessed via wildcard DNS records, the fraudsters have made the attacks look all the more convincing by making the hostnames look similar to those used by the genuine eBay login page. For example, the attack has used many hostnames that are similar to this:

[image: example phishing hostnames]

The hostnames used in these attacks also contain a seemingly random string of hexadecimal digits. These are simply MD5 hashes of small integers. It is likely that this semi-random measure is being used to try to bypass simplistic firewalls or email filters, which may not recognise fraudulent URLs if part of the hostname changes.

The unobtrusive methods used in the current wave of attacks have obvious appeal to fraudsters — the wildcard DNS records mean that it’s easy to use arbitrary hostnames for each attack, allowing each vulnerable site to be convincingly used for many different targets. Furthermore, there is no need for the fraudsters to fully compromise a website, as the cross-site scripting vulnerability allows the fraudulent content to be placed on the sites without gaining internal access to the server. Finally, all it takes is a simple Google search to find additional sites with the same vulnerabilities. The combination of these factors makes it entirely feasible to automate the whole process.
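The hostname pattern described above (an eBay-like name on a foreign domain plus a hex label that is the MD5 of a small integer) and the hex-encoded IP form of the iframe host lend themselves to a simple filter check. The following is an added example, not code from Netcraft or the article; the hostnames it is run against are constructed for the demonstration, and it assumes the MD5 input is the integer's decimal ASCII representation.

```python
import hashlib
import ipaddress
import re

# The article reports that the "random" hex label is MD5(n) for a small n.
# Assumption: n is hashed as its decimal ASCII string, e.g. md5(b"1").
SMALL_INT_MD5 = {hashlib.md5(str(n).encode()).hexdigest(): n for n in range(100000)}

HEX32 = re.compile(r"[0-9a-f]{32}")
HEX_IP = re.compile(r"^0x([0-9a-f]{8})$")


def md5_of_small_int(label):
    """Return n if the 32-hex-digit label is MD5(str(n)) for a small n, else None."""
    return SMALL_INT_MD5.get(label.lower())


def decode_hex_ip(host):
    """Turn a hex-encoded IPv4 host such as 0xdc4bdd88 into dotted-quad form.

    Hosts that are not of that form are returned unchanged, so the function can
    be applied to every URL host before reputation or blocklist lookups.
    """
    m = HEX_IP.match(host.lower())
    if not m:
        return host
    return str(ipaddress.IPv4Address(int(m.group(1), 16)))


def classify_hostname(host):
    """Flag the two traits the article describes in the phishing hostnames.

    Returns a list of findings: "ebay-lookalike" when the name mentions eBay
    but is not under ebay.com, and "md5-of-int:<n>" for each label that is the
    MD5 of a small integer. An empty list means nothing suspicious was found.
    """
    host = host.lower().rstrip(".")
    findings = []
    if "ebay" in host and host != "ebay.com" and not host.endswith(".ebay.com"):
        findings.append("ebay-lookalike")
    for hexlabel in HEX32.findall(host):
        n = md5_of_small_int(hexlabel)
        if n is not None:
            findings.append(f"md5-of-int:{n}")
    return findings


# Constructed sample hostnames (not real attack hostnames from the article).
SAMPLES = [
    "signin-ebay-com.c4ca4238a0b923820dcc509a6f75849b.iredirector-host.example",
    "signin.ebay.com",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, classify_hostname(h))
    print(decode_hex_ip("0xdc4bdd88"))
```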


Source
2009-02-18 15:15:52