Security Watch

Next Phishing Attack Spreads its Net

Annoyed by popups? Just wait 'til you see this one.

Hacking/Denial of Service
There's a JavaScript origin spoofing vulnerability, in which a malicious Web page can be created that contains a link to a legitimate site. This link also contains code to open a JavaScript dialog box appearing to originate from the legitimate site. Microsoft released Security Advisory 902333. (Advisories, you may recall, are merely warnings from Microsoft about possible attacks; they're not patches, as Microsoft doesn't see it as a hole in a product.) Almost all browsers are vulnerable to this attack, which is most likely to manifest as a phishing attempt.

This type of attack can't be prevented without stopping a Web site from creating multiple popup dialogs. When the victim clicks the legitimate link, a new browser window is opened to that site. Immediately thereafter, another JavaScript window is created directly on top of the legitimate window. The JavaScript window appears to be the inside of the legitimate window. From the victim's perspective, the contents of the malicious JavaScript window appear to be the content of the legitimate site.

So an attacker could place fields in the JavaScript window asking the victim to, for example, log into his banking site. The victim could look at the URL in the Address field of the Explorer Bar and see the legitimate address, or inspect the Status Bar and see, for example, a closed SSL lock. From all indications, the malicious input fields look legitimate.

This is just another example of how the World Wide Web was designed without security in mind. Popup advertising is a bane to most Internet users, leading to hundreds of popup blockers. This latest attack combines popups with windows that don't appear to be complete browser windows. Both are highly desired by online advertisers, and the combination is, at least in this case, highly effective at fooling even astute and security-savvy users. The only way such an attempt could be detected would be for the user to select another window, or close one of the popup windows.

This one is almost definitely going to be put into widespread use on phishing sites.
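The column notes that the victim's window gives no visible hint that something has been layered on top of it. One signal the legitimate site does have is whether its page was opened from another window at all, which is the precondition for the trick. The following is an added example, not code from the column, from Microsoft, or from any browser vendor: a check a login page could run to detect that it has an opener it does not control, and a warning it could show above its form. It cannot remove a dialog another site has drawn over the window; it only tells the user to be suspicious before typing. The `makeFakeWindow` helper and `crossOriginOpener` object are constructed stand-ins for the browser `window` so the logic runs outside a browser.

```javascript
// Added example (not from the column): detect that this page was opened by a
// window it does not control, the precondition for the overlay trick.
// `makeFakeWindow` / `crossOriginOpener` are constructed stand-ins for `window`.

function classifyOpener(win) {
  // A window the user opened directly (or that opened itself) has no opener.
  if (!win.opener || win.opener === win) {
    return { openedByOtherWindow: false, openerOrigin: null, reason: 'no opener' };
  }
  try {
    // Browsers throw a SecurityError when a page reads the location of a
    // cross-origin opener, so reaching the next line means the opener is
    // same-origin (the site opened a window of its own).
    const origin = win.opener.location.origin;
    const sameOrigin = origin === win.location.origin;
    return {
      openedByOtherWindow: true,
      openerOrigin: origin,
      reason: sameOrigin ? 'same-origin opener' : 'other-origin opener',
    };
  } catch (err) {
    return { openedByOtherWindow: true, openerOrigin: null, reason: 'cross-origin opener (access denied)' };
  }
}

// Text a login page would place above its form when the opener is not its own.
function loginPageWarning(win) {
  const verdict = classifyOpener(win);
  if (!verdict.openedByOtherWindow || verdict.reason === 'same-origin opener') return null;
  return 'This page was opened by another site. Enter your details only in the form ' +
         'below, never in a box that appears on top of this window.';
}

// --- constructed stand-ins for browser windows (not real DOM objects) ---
function makeFakeWindow(origin, opener) {
  return { location: { origin }, opener: opener || null };
}

// Mimics the browser's same-origin policy: any read of location throws.
const crossOriginOpener = {
  get location() { throw new Error('SecurityError: cross-origin access blocked'); },
};

const standalone = makeFakeWindow('https://bank.example', null);
const fromOwnSite = makeFakeWindow('https://bank.example', makeFakeWindow('https://bank.example', null));
const fromOtherSite = makeFakeWindow('https://bank.example', crossOriginOpener);

console.log(classifyOpener(standalone).reason);   // no opener
console.log(classifyOpener(fromOwnSite).reason);  // same-origin opener
console.log(loginPageWarning(fromOtherSite));     // warning text
```

The check is a signal, not a fix: the opener still holds its own handle to the new window and can still position a popup over it. Today a site can also send the `Cross-Origin-Opener-Policy: same-origin` response header so the opening page loses that handle, and current browsers label `alert`/`prompt` dialogs with the page they came from, which is the browser-level change the column says was missing.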

This column was originally published in our weekly Security Watch newsletter.

A number of sites, including TechWeb, SANS, VNUNET and Gartner, are reporting increased activity on TCP port 445, a port associated with the Windows SMB protocol. They're speculating that the increased activity is due to attackers searching for ways to exploit the Microsoft Incoming SMB Packet Validation Remote Buffer Overflow vulnerability, which was patched in Microsoft's monthly security update for June with MS05-027.

Here's the problem with the conclusions, however: How can anyone base such speculation solely on port activity, without analyzing the actual attack code being presented? This port is amongst the most abused for attacking Windows systems, and is constantly under attack from thousands of hosts that have been compromised in the past.

Sigh ... I'm yawning.
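The objection above is that a raw count of port 445 hits tells you nothing about which vulnerability, if any, is being probed. What a count can do is tell you whether an hour is unusual for your own perimeter, and whether the traffic comes from the long-compromised hosts that always hammer the port or from sources you have not seen before. The following is an added example, not code from the column or from any of the sites it names: it aggregates constructed iptables-style firewall log lines for TCP/445 per hour, compares each hour against a baseline, and reports hit counts, unique sources and sources absent from the baseline. The log lines, host addresses and the `factor` threshold are all constructed for the example.

```javascript
// Added example (not from the column): judge a port 445 "spike" against the
// port's own background before attributing it to anything. Log lines below
// are constructed, simplified iptables-style records on documentation IPs.

const SAMPLE_LOG = [
  // baseline hours: the usual background of long-compromised hosts
  'Jun 15 02:10:33 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4012 DPT=445',
  'Jun 15 02:41:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1153 DPT=445',
  'Jun 15 02:55:19 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=1030 DPT=80',
  'Jun 15 03:05:48 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4099 DPT=445',
  'Jun 15 03:37:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.22 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137',
  'Jun 15 03:52:27 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=2201 DPT=445',
  // the hour under suspicion: more hits, mostly from sources not in the baseline
  'Jun 15 14:01:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=3301 DPT=445',
  'Jun 15 14:02:44 fw kernel: IN=eth0 OUT= SRC=198.51.100.17 DST=192.0.2.10 PROTO=TCP SPT=3315 DPT=445',
  'Jun 15 14:06:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=3302 DPT=445',
  'Jun 15 14:09:58 fw kernel: IN=eth0 OUT= SRC=198.51.100.61 DST=192.0.2.10 PROTO=TCP SPT=1100 DPT=445',
  'Jun 15 14:15:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4120 DPT=445',
  'Jun 15 14:21:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.88 DST=192.0.2.10 PROTO=TCP SPT=2048 DPT=445',
  'Jun 15 14:22:13 this line is not a firewall record and must be ignored',
];

// Captures the hour bucket ("Jun 15 02"), source address, protocol and destination port.
const LINE_RE = /^(\w{3} +\d{1,2} \d{2}):\d{2}:\d{2} .*\bSRC=(\S+) .*\bPROTO=(\S+) .*\bDPT=(\d+)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // not a firewall record: skip it rather than guess
  return { hour: m[1], src: m[2], proto: m[3], dport: Number(m[4]) };
}

// Map of hour -> { hits, sources } for TCP traffic to the given port only.
function summarizeByHour(lines, port) {
  const perHour = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.proto !== 'TCP' || rec.dport !== port) continue;
    if (!perHour.has(rec.hour)) perHour.set(rec.hour, { hits: 0, sources: new Set() });
    const bucket = perHour.get(rec.hour);
    bucket.hits += 1;
    bucket.sources.add(rec.src);
  }
  return perHour;
}

// Compare every non-baseline hour against the mean hits of the baseline hours.
// "surge" is a statement about volume on this perimeter, nothing more.
function assessHours(perHour, baselineHours, factor = 2) {
  const baselineSources = new Set();
  let baselineHits = 0;
  for (const h of baselineHours) {
    const b = perHour.get(h);
    if (!b) continue;
    baselineHits += b.hits;
    for (const s of b.sources) baselineSources.add(s);
  }
  const meanHits = baselineHits / baselineHours.length;
  const results = [];
  for (const [hour, b] of perHour) {
    if (baselineHours.includes(hour)) continue;
    const newSources = [...b.sources].filter((s) => !baselineSources.has(s)).length;
    results.push({
      hour,
      hits: b.hits,
      uniqueSources: b.sources.size,
      newSources,
      meanBaselineHits: meanHits,
      surge: b.hits > factor * meanHits,
    });
  }
  return results;
}

const perHour = summarizeByHour(SAMPLE_LOG, 445);
console.log(assessHours(perHour, ['Jun 15 02', 'Jun 15 03'], 2));
// [{ hour: 'Jun 15 14', hits: 6, uniqueSources: 5, newSources: 4, meanBaselineHits: 2, surge: true }]
```

A `surge: true` with many `newSources` is a reason to pull packet captures for that hour and look at what the SMB payloads actually carry; it is not evidence that any particular vulnerability is the target, which is exactly the column's complaint about the reports.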

Privacy
The FDIC has notified 6,000 current and former employees that their personal data may have been compromised in a security breach that occurred in early 2004. In several cases, the stolen data were used to obtain loans at a credit union. The FDIC says the case is one of "unauthorized release" of personal information, rather than an intrusion. The FBI is investigating.

Governance
The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan, a division of Kaiser Permanente, $200,000 for exposing the confidential health information of about 150 people. The DMHC said the information had been available on a publicly accessible Web site for as long as four years.

There's a move in California to amend a state Senate bill so that notification is also required when customers' information held on paper records or tape backups is hacked.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
