new wave of phishing attacks against eBay

A new wave of phishing attacks against eBay is exploiting a clever combination of wildcard DNS records and cross-site scripting (XSS) vulnerabilities to use other people’s websites to help steal credentials from victims.

The first attacks using this combined method of wildcard DNS records and XSS were detected by Netcraft on February 10th, although the source code behind the attacks suggest that the planning had begun a day earlier. The attacks have continued to the present day, and the fraudulent eBay login form remains accessible through the wildcard domains.

Fraudsters launched the attack using a number of sites that host vulnerable versions of iRedirector Subdomain Edition. This PHP and MySQL based system allows website owners to use wildcard DNS records on their domains to forward subdomains like http://user.example.com to URLs like http://www.example.com/members/~username.

A cross-site scripting vulnerability on the affected iRedirector sites is allowing the fraudsters to inject framesets into specific pages. These framesets load content from one of the fraudsters’ websites hosted in France at http://df0x.54.pl, which in turn loads an iframe located at http://0xdc4bdd88:88/ws/eBayISAPI.dll/. This injected iframe presents a fraudulent eBay login page, which prompts the victim to submit their eBay User ID and Password to a site hosted by Sudokwonkangnambonbujang in South Korea.

Because the vulnerable sites can be accessed via wildcard DNS records, the fraudsters have made the attacks look all the more convincing by making the hostnames look similar to those used by the genuine eBay login page. For example, the attack has used many hostnames that are similar to this:

phishing

phishing address

The hostnames used in these attacks also contain a seemingly random string of hexadecimal digits. These are simply MD5 hashes of small integers. It is likely that this semi-random measure is being used to try and bypass simplistic firewalls or email filters, which may not recognise fraudulent URLs if part of the hostname changes.

The unobtrusive methods used in the current wave of attacks have obvious appeal to fraudsters — the wildcard DNS records mean that it’s easy to use arbitrary hostnames for each attack, allowing each vulnerable site to be convincingly used for many different targets. Furthermore, there is no need for the fraudsters to fully compromise a website, as the cross-site scripting vulnerability allows the fraudulent content to be placed on the sites without gaining internal access to the server. Finally, all it takes is a simple Google search to find additional sites with the same vulnerabilities. The combination of these factors makes it entirely feasible to automate the whole process.


Sursa
2009-02-18 15:15:52



Comenteaza





Ultimele 25 posturi adăugate

04:40:33LACONICE —» Leo Butnaru
18:31:28Muzica unește generații. Gheorghe Mustea, sărbătorit la 75 de ani printr-un concert aniversar la Chișinău —» Curaj.TV | Media alternativă
18:31:28Muzica unește generații. Gheorghe Mustea, sărbătorit la 75 de ani printr-un concert aniversar la Chișinău —» Curaj.TV | Media alternativă
13:22:13Cu hijab-ul la defilare —» APort | "Pentru un român care știe citi, cel mai greu lucru e să nu scrie." I.L. Carag
18:56:52Păcălit de avocați și de magistrați (ru) —» Curaj.TV | Media alternativă
04:42:42METAMORFOZE ȘI (NE)LINIȘTI —» Leo Butnaru
19:07:21Primarul de Burlacu e din nou agresiv —» Curaj.TV | Media alternativă
17:01:45„Fii AgriCOOLtor!”: De la pasiunea pentru gătit la o carieră de viitor în gastronomie 💫 —» Sandu GRECU
05:36:29BACOVIA LICEAN... —» Leo Butnaru
14:27:38Moldoveanul care l-a bătut pe Figo. Secu-unicul: 29 de meciuri căpitan al URSS la fotbal. L-a vrut Bayern Munchen 💥🔥🚀 —» Sandu GRECU
12:47:29SCRIITORI - VICTIME ALE GULAGULUI —» Leo Butnaru
04:44:42DESPRE ȘAH ȘI NU NUMAI —» Leo Butnaru
18:49:09Handbalul a unit Moldova, România și Ucraina la Sîngerei: gazdele au câștigat Memorialul „Simion Prașcă” 🤾‍♂️ —» Sandu GRECU
08:54:32O întâlnire cu Teodor Buzu —» Biblioteca de Arte 'Tudor Arghezi'
20:01:51Un simplu Mulțumim, GEOTERMAL 🙏 —» Sandu GRECU
14:35:22„Cornova ungheneană” – la Biblioteca „Dimitrie Cantemir” —» BPR Ungheni's Blog
05:37:05RELAȚIA TA CU ALTER EGO —» Leo Butnaru
05:36:33RECITIND, REGÂNDIND ECLEZIASTUL —» Leo Butnaru
13:24:12Pocăința lui Ion Șoltoianu. O viață ca un scenariu de film. Despre pușcărie, politică și sport. Atenție, Rizea! 💥🔥🔝 —» Sandu GRECU
10:46:57Moldova, pe turnul emblematic al Vienei —» Fine Wine
10:24:00Modelul de succes al companiei „Garma Grup” inspiră viitoarea generație de AgriCOOLtori ☘️ —» Sandu GRECU
17:03:37PLUS LA PRECEDENTELE 11 —» Leo Butnaru
12:54:55PRINTRE LAUREAȚI —» Leo Butnaru
07:22:51Grand Gold pentru The Governor Saperavi Forte —» Fine Wine
13:52:30Carolina Bogatiuc: „Republica Moldova lucrează deja cu UE pe toate grupurile de capitole de negociere” ✨ —» Sandu GRECU