web application security lab

Archive for the 'spam' Category

Referrer Spam Plus CSS History Equals Effective

Sunday, October 15th, 2006

It occurred to me today as I looked over the referrer spam in my logs that it is particularly ineffective these days. For those of you who aren’t webmasters or don’t look at your logs very often, referrer spam is when spiders connect to your website and send a fake HTTP_REFERER (sic) header that incorrectly tells you that someone is linking to you. Most of the time it’s pretty ineffective, however, with Jeremiah’s CSS history hack, it might be far more useful.

It stands to reason that if I’m an administrator of a website I’ve probably been to the homepage at some point in my last browser session. Of course I can turn off the cross domain leakage with Safe History, but no one uses that, so the attack is pretty effective. If you know there is a single choke point (like a login page) that the administrator must use, that’s even better, as they will have to use it to view their logs.

By verifying that the person looking at the logs is the person viewing the site in the logs the spammer can be sure that the webmaster views their logs and does something with them that may be effective in generating traffic. This is similar to how email spammers put tracking links on their email to watch open rates against particular emails (that’s why you should never auto-render images and you should never use the preview pane as that opens them automatically). Anyway, new attacks using this old hack are always interesting to me.

XSS Keyword Used To Defeat Bayesian Spam Filters

Wednesday, October 11th, 2006

I was pretty amazed when I read this, but it is starting to make more and more sense the more I think about it: “geek speak” is being used to defeat Bayesian spam filters. According to MessageLabs (who I happen to think is one of the best managed anti-spam services out there) using simple keywords can help reduce the likelihood of something being caught as spam. And get this, one of the keywords mentioned is “XSS” of all things!

Like I said, it sorta makes sense when I started thinking about it. One of the most bizarre phenomena was one time when I was writing a fairly in-depth paper on the large scale effects of the 419 advanced fee fraud (if you don’t know what that is click here). While I was writing the fairly in-depth technical explanation I sent it to a few trusted parties who I wanted to get input from. It never got there. It was impossible to get it to them because it kept getting marked as spam! I had to do all sorts of crazy things to disguise it in transit but still make it show up okay on the other end (basically I had to defeat the spam engine itself) but talk about a hassle!

Certain emails have certain characteristics. An email about cooking has the words “pots” and “spices”. An email about XSS has crazy filter evasion, and HTML markup galore. The heuristics of an email about XSS look an awful lot like someone trying to evade filters, and for the spam engine to not mark it as a false positive it has to tune itself looking for particular words that would whitelist an email that otherwise looked obfuscated or otherwise had a very high or alternately very low level of entropy.

Makes perfect sense! I guess the spam engines need some tuning now as XSS isn’t a marker of something particularly good or particularly bad as it turns out. I’ve seen the exact opposite thing happen where services have denied requests that have contained the word “XSS” in them. Talk about poor design - all you have to do is not use that word and you’re back up and running. XSS strikes again, in the most unlikely place!
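To see how a single “geek speak” token can drag a message across the spam threshold, here is an added toy Graham-style naive Bayes filter (not from the original post, and nothing to do with MessageLabs’ engine) trained on a constructed ham/spam corpus. It also shows the mitigation Graham used: ignore tokens that have been seen fewer than five times in training, so a rare whitelisting token carries no weight.

```python
import math
import re
from collections import Counter

# Constructed toy corpus (not from the original post): ham is the kind of
# mail a security researcher sends, spam is the usual pharma pitch.
HAM = [
    "xss filter evasion cheat sheet with html markup and script tags",
    "free xss payload review for the web application security lab",
    "notes about the xss paper and the online filter bypass",
    "pharmacy pills recall notice forwarded from the lab mailing list",
    "the weekly web application security reading list is attached",
]
SPAM = [
    "buy cheap cialis viagra pills online now click here",
    "free offer click here for cheap viagra pills",
    "cheap online pills buy now free shipping",
    "free pills online order now cheap viagra",
    "click here for free online pills and cheap cialis",
]
WORD = re.compile(r"[a-z0-9]+")

def tokens(text):
    return set(WORD.findall(text.lower()))

def train(ham, spam):
    """Count, per token, how many ham and spam messages contain it."""
    ham_counts = Counter(t for m in ham for t in tokens(m))
    spam_counts = Counter(t for m in spam for t in tokens(m))
    return ham_counts, spam_counts, len(ham), len(spam)

def token_prob(tok, model, min_seen=1):
    """Graham-style spam probability of one token: the spam rate over the
    sum of both rates, clamped to [0.01, 0.99]. A token seen fewer than
    min_seen times in training returns 0.5 and therefore carries no weight."""
    ham_counts, spam_counts, n_ham, n_spam = model
    h, s = ham_counts.get(tok, 0), spam_counts.get(tok, 0)
    if h + s == 0 or h + s < min_seen:
        return 0.5
    ham_rate, spam_rate = h / n_ham, s / n_spam
    return min(max(spam_rate / (spam_rate + ham_rate), 0.01), 0.99)

def spam_score(text, model, min_seen=1):
    """Combine the token probabilities: P = prod(p) / (prod(p) + prod(1-p))."""
    probs = [token_prob(t, model, min_seen) for t in tokens(text)]
    probs = [p for p in probs if p != 0.5]
    if not probs:
        return 0.5
    log_spam = sum(math.log(p) for p in probs)
    log_ham = sum(math.log(1 - p) for p in probs)
    return 1 / (1 + math.exp(log_ham - log_spam))

def is_spam(text, model, min_seen=1, threshold=0.9):
    return spam_score(text, model, min_seen) >= threshold

MODEL = train(HAM, SPAM)

if __name__ == "__main__":
    pitch = "free online pills"
    for msg in (pitch, pitch + " xss"):   # same pitch plus one "geek speak" token
        print(f"{msg!r}: naive={spam_score(msg, MODEL):.3f} "
              f"min_seen=5 -> {spam_score(msg, MODEL, min_seen=5):.3f}")
```

With this corpus the bare pitch scores about 0.99, appending “xss” (seen only in ham, so it gets 0.01) pulls it down to about 0.45 and past the 0.9 threshold, and requiring five sightings before a token counts puts it back at 0.99.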

CAPTCHA Curiosity

Wednesday, September 6th, 2006

Tim Tucker posted an interesting solution to some of the CAPTCHA solving stuff going around. He posted that to comment on his blog you must enter any data, as long as it’s incorrect. So as long as you don’t type in whatever you see and it is six characters long, it will be solved.

As the post noted, this isn’t particularly good security, as a) it can be broken by anyone who views the site and knows that rule (therefore it’s not good against targeted attacks), and b) if it ever gains popularity it will become standard in splogging software. Still, it’s an interesting take on the same old problem of blog spam.

Building Fake Search Engines to Monetize Redirects

Saturday, August 19th, 2006

I’ve been talking with Jeremiah Grossman about his history revealer a lot over the past few days (I’ll probably talk more about it in some later post), but I started thinking about additional applications for knowing where someone was beyond the obvious stuff. It then occurred to me that there is a way that porn sites and other blackhat websites can monetize traffic that they haven’t touched yet, to my knowledge.

There’s a pretty old trick where once the user clicks on a link they are immediately taken to another page. When the user finds that they are on a page that they aren’t interested in they hit back on their browser. When they do that they land back on the page with the redirect and they either get redirected again or to another website. This is a pretty aggravating user experience that just makes them hit back on their browser twice quickly, use the history drop down or manually type in another website to escape the site. As they do so the malicious website loses that user - probably forever.

It just occurred to me that there is a better way to monetize that traffic based on two factors that are known. The first is where the user is coming from. Thankfully most browsers send referrers. If you know the referrer of a search engine you can tell exactly what they were looking for and what all the other links on that page are. Stay with me.

When the user clicks back on their browser, instead of blindly sending them off into redirect land which is a highly frustrating experience, why not serve them up a page that looks exactly like what they would expect to see by hitting back on their browser? How does that help? Well if you can completely re-create the page that the user expected to see, you can change all the links on the page to things you own, with the possible exception of the previously viewed links (which you can know using Jeremiah’s trick). You can then hijack the rest of the links with JavaScript onclick events or just serve them up completely different links - either way. Instant page rank, without even trying!

Now the user gets the search experience they would expect but now you completely control everything the user will find upon searching and clicking. I bet more often than not the user won’t even notice they aren’t on the search engine website because they will be served up an exact replica. Without looking at the URL they will still be convinced because it looks exactly like the last page they were on, complete with the search results and the viewed links.

Of course if you do this you are risking getting lawyers all over you for trademark infringement blah blah, but I’m not sure most blackhats care about that kind of thing - if they can be located anyway.

Image Leaching Just Got A New Tool

Thursday, August 17th, 2006

Welp, I finally had it. Someone was using my stupid redirect finder for too long. I closed down access to the cgi logging portion for about a month, I explained it on the blog post for anyone who was interested and STILL I was getting spam in my logs. You’d think I would have built some failsafe into my own GreaseMonkey script to automatically shut it off, but no, I had to be secure, and make it completely invulnerable to outside influence. I’m such an ass sometimes! The problem is it was spamming my logs like crazy. And yes, I can grep -v but I really don’t want to have to do that. I’d rather people just not spam my damned logs when I turn off access to the script anyway. So I had to think of a new way to get rid of that crap from my logs forever.

First we have to consider exactly what that tool was doing. Every time it saw a potential redirect hole it queried an image on my server (which was really a CGI script). That script then logs the information for eventual retrieval (primarily for use in blackhat SEO actually, but also redirects are useful for spam and phishing attacks as well). Anyway, so it doesn’t do much. It doesn’t even display the image, so I can’t even put a goatse or tubgirl (hmmm, I wonder how many times I can throw those two terms into this post?) picture on every page they visit or anything. Time to think outside of the box, as I would imagine goatse or tubgirl might do.

A day or so later I was surfing around on, no, not for goatse or tubgirl, but rather my own damned site and I came across the solution: a popup! Why not hijack their computer with a mailto: popup every time they visit my page? Oh, it’s so simple I could have kicked myself for not thinking of it a month earlier - I’m feeling like goatse or tubgirl probably do right about now - all used up. Here’s the script:

#!/usr/bin/perl
# Answer every hit with a Location header pointing at a mailto: URL, so the
# stale Greasemonkey script pops the visitor's mail client instead of filling the log.
print "Location: mailto:Dude, remove redirect from Greasemonkey already, I shut that crap down a month ago, email h\@ckers.org if you have questions\n\n";

Yes, and just like that, poof! Almost all the traffic died down immediately. I guess people don’t like it when you force outlook or thunderbird to open on nearly every page view, just like people don’t like goatse or tubgirl. Go figure. But then I started thinking about it and there are other applications beyond a goatse or tubgirl substitute. One thing I’ve noticed is that lots of sites pull my favicon.ico file when linking to me. Most of them restrain the size so I can’t scar their website with the images of goatse or tubgirl so I’m left with little options. But what if I just want to let the user know, “Hey, guess what, stop stealing my bandwidth from your feed reader and download the picture already!” Not that they could do much about it on most systems since the user who will see it will have had nothing to do with it, but it sure would wake them up in a hurry.

Total goatse and tubgirl count, including this sentence? 8 times. I rule.

Social Networking Corporate Security Compromise

Tuesday, August 15th, 2006

At one point or another I think I’ve been a part of almost every social networking site I’m even aware of. I really hate them, let me just tell you. Loathe is a better word. Loathe. Anyway. Here I am on LinkedIn loathing life, but one of my previous co-workers and I were making a game out of who could get the most contacts. Don’t ask me why, I really don’t know. At first I was playing fair, and then at one point when he started pulling ahead I resorted to adding my email address to the title so that people could add me at will. That’s not super interesting. But then it occurred to me as I started getting requests from my co-workers, this is extremely game-able.

Personally, I’m not going to go messing around on LinkedIn, because most of the people I am networked to happen to actually know me and know it was me who was messing with them (and it’s not really my style anyway) but it’s a very real problem. You can send personalized requests to millions of users (spam).

“Yes, RSnake, but how?” Well, at one point I used to work for a company that was bought by a company and that company was bought by another company and that company was bought by another company. So it’s very difficult to figure out who you worked with because people left at various stages of the four companies, so you have to add yourself as having worked at all four companies to find everyone. But wait, why can’t I add… ANY company? I can!

So let’s say I want to make chummy chummy with a bunch of Google folks? It’s just a matter of saying I worked there at some point and adding enough people before people start adding you back. Free access to work email addresses of every major company! And the best part is I don’t have to say I continued to work there, I can then delete the fact that I pretended like I worked there and move on to the next company. Ouch.

This is clearly not LinkedIn’s idea behind this function. They don’t make money when you spam their users, and if you do, people will start abandoning the site right and left (meaning that would be one less site for me to visit every few weeks when I get one more piece of mail from someone adding me or asking me to get in contact with someone else - wouldn’t that be terrible)? So how would you detect something like this if you are architecting your own website? It’s a session variable that leaks too much information about its users that allows you to get in contact with them much easier than you would be able to normally.

I’m not aware of a web application scanner on earth that would find something so strange, but indeed, if you want to start spamming someone directly, or issuing targeted viruses/worms to mega companies, this is a perfect conduit for finding people in these huge companies, and targeting them directly. Remember our JavaScript scanner? “Hey, Joe, check out my new company, I just went to, I’d appreciate any feedback you could give since I know this is your area of expertise.” Even if they don’t know you, 9 out of 10 times they’ll click, and you’re in.

Social networking can lead to corporate security compromise. In the information age, social networking feels like one of the largest holes in online security.

1 in 10 Users Have Had Their Identities Stolen

Monday, August 14th, 2006

There’s an interesting article that was published a few days ago in the BBC business section on identity theft. It struck me as amusing that they focused on offline causes of identity theft in the same breath that they were talking about online fraud. In my mind they are really night and day.

Then I was gone over the weekend and there was something on the news about Al Qaeda hacking into non-profit organizations and routing charitable donations to their accounts to fund activities. Now whether that is all hype or not, it’s a scary statistic. If you think you are donating to the Red Cross it’s pretty inconceivable that you are funding international terrorism. But when I started thinking about it, it made a lot of sense.

As a piece of anecdotal evidence I fit their offline demographic as a tad nomadic. I’ve moved several dozen times in the last ten years and in every case I ended up getting mail from people who had lived there prior to me. Sometimes it’s something as stupid as a magazine, but other times it’s social security information, tax records or otherwise super sensitive healthcare information. Scary! Not that I would ever do anything with that information but it’s conceivable that it would be.

The marriage of offline and online fraud is an interesting proposition. I was talking to a Pakistani phisher at one point who was telling me how he actually walked down to the local ATM to withdraw money from the fake credit cards he had made from user information. In fact, he was convinced that the physical security of the ATM was the biggest flaw in the whole part of the phishing scheme. I probably wouldn’t agree with that, but it’s an interesting point.

Because the physical infrastructure isn’t there, the ATMs in remote countries cannot make real-time decisions based on information presented to them at the terminals. So therefore all the information they have must be dealt with at the time of the transaction (or shortly thereafter, as bandwidth and time permit). Of course batch settlement at the end of the day is a requirement, and in some cases a dedicated phone line is available, but certainly not in all cases.

The physical reality of security is an overlooked portion of the web application. Granted, the international terrorism is a leap but that is the physical manifestation of an online security flaw. When the homeland security office starts saying “Patch up to stop terrorism” I’ll be amazed, but it’s not that inconceivable. Especially if you consider how many machines are compromised and used for hosting phishing sites, or used as bot armies for spam which propagates identity theft. The Secret Service is the arm that monitors and goes after the 419 Nigerian spam, so the presidential arm realizes that identity theft is one of the greatest threats to national security, and if web application security flaws encourage identity theft, the government should have particular interest in patching application security flaws. Quod erat demonstrandum.

SES SEO News

Wednesday, August 9th, 2006

So I have an insider at SES who has been reporting back some interesting things that came up during the conference there. Of particular note was some of the spider topics that came up that are particularly relevant to some of the search engine spider mapping that I’ve been doing (I haven’t talked about those projects on this blog so most of you won’t know what I’m talking about, but bear with me). For search engine optimization (SEO) this has a lot of relevance, especially for the blackhats.

So one of the points of particular interest was that the search engines are now considering adding some sort of certificate to their engines so you will know which engine is real and which one is fake. People fake browsers often to see what competitors are doing (no, I don’t do any of that on my sites, so don’t waste your time).

But this is relevant for being able to detect which bots are real and which ones are fake. That could have major impact on fingerprinting valid browsers, instead of current techniques which involve reverse DNS on IPs to see if it matches the host domain, or User-Agent detection (neither of which I’ve ever felt are particularly great at catching everything with no false positives). It’ll be interesting to see which companies do what. I think it’s a ways off before we see this implemented in any practical way, but it sure will make spamming robots more reliable.
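The reverse DNS check mentioned above is only half of what a site should do; here is an added example (not from the post or the conference) of the forward-confirmed version, written so the resolvers can be swapped for constructed fakes. The googlebot.com and google.com suffixes are the domains Google documents for its crawler hostnames; every sample IP and hostname is constructed.

```python
import ipaddress
import socket

# Google documents googlebot.com and google.com as the domains its crawler
# hostnames live under; add other operators only from their own docs.
KNOWN_CRAWLER_SUFFIXES = {"googlebot": (".googlebot.com", ".google.com")}

def reverse_lookup(ip):
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(host):
    """A/AAAA lookup through the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def _canonical(addr):
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None

def verify_crawler(ip, crawler, reverse=reverse_lookup, forward=forward_lookup):
    """Forward-confirmed reverse DNS: the PTR name must sit under one of the
    crawler's documented domains AND resolve back to the same address. A spoofer
    picks its User-Agent and often the PTR of its own address block, but not
    what names under googlebot.com resolve to. Returns (ok, reason)."""
    suffixes = KNOWN_CRAWLER_SUFFIXES.get(crawler)
    if not suffixes:
        return False, f"unknown crawler {crawler!r}"
    addr = _canonical(ip)
    if addr is None:
        return False, f"{ip!r} is not an IP address"
    host = reverse(addr)
    if not host:
        return False, "no PTR record"
    host = host.rstrip(".").lower()
    if not host.endswith(suffixes):
        return False, f"PTR {host} is not under {suffixes}"
    if addr not in {_canonical(a) for a in forward(host)}:
        return False, f"{host} does not resolve back to {addr}"
    return True, host

# Constructed resolver data on RFC 5737 documentation addresses: 203.0.113.7
# behaves like a real crawler, 198.51.100.9 only claims to be one in its PTR,
# and 192.0.2.4 is an ordinary host.
SAMPLE_PTR = {
    "203.0.113.7": "crawl-203-0-113-7.googlebot.com.",
    "198.51.100.9": "crawl-198-51-100-9.googlebot.com",
    "192.0.2.4": "host.example.net",
}
SAMPLE_A = {
    "crawl-203-0-113-7.googlebot.com": {"203.0.113.7"},
    "crawl-198-51-100-9.googlebot.com": {"203.0.113.7"},
    "host.example.net": {"192.0.2.4"},
}

def fake_reverse(ip):
    return SAMPLE_PTR.get(ip)

def fake_forward(host):
    return SAMPLE_A.get(host, set())

if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, verify_crawler(ip, "googlebot", fake_reverse, fake_forward))
```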

Another interesting thing that came up was that one way users hack into websites is by looking at robots files to see if there is any information there that might point the hacker to a more useful location to attack. A concept of using IP delivery came up where you can deliver a robots.txt file only to robots from IP addresses that you want stopped. It sorta feels like a chicken and egg sort of thing where you have to know they are a robot before you can tell the robot that you don’t want the robot to do stuff. It also feels pretty exploitable, depending on how it is delivered. For Google, you can use Google’s translation service, or better yet, here is a Google cache of Microsoft’s robots.txt file. Nice try.

Then there was mention of a way to do IP delivery to the spider and give the user a “nocache,noindex” version, so they won’t see what the robots see for the meta descriptions so they can’t rank as high, even if they steal every word on the page. Again, exploitable, and obviously so via cache. So then Google apparently said it doesn’t penalize people for having “noindex” and “nocache” on your pages. It just happens that both super good guys and super bad guys happen to use it. So it might hurt you in terms of heuristics, but it sure won’t kill you. Sounds like music to spammer’s ears.

AOL Sponsors Spam Domains

Wednesday, August 9th, 2006

Well, as if AOL/Google couldn’t shoot themselves in the foot enough this week, AOL/Google announces their intentions to open a free email/domain gateway. Tsk Tsk. What on earth are they thinking? Free? Email? Domain? Are you kidding me? You might as well fly a banner over the sendmail conference asking people to start using you as a spam/SEO gateway.

They announce their intentions to build this out in September. So what I’m more interested in than anything is what they intend to do to secure this horror they are building. CAPTCHA? Sure. Identity/background checks? Maybe, but phishing can provide plenty of those. Wow, just wow. Obviously their intention is to compete with Yahoo who is introducing $1.99 domains and has had free webmail forever. They also have a free phone service to compete with Skype and Yahoo’s VOIP technology.

Something just freaks me out about AOL doing this. AOL has not historically been good at security. I asked a current AOL employee at one time what their fraud loss rates were, and he told me (not under NDA) that the numbers of compromised users are “in excess of a percentage point.” I asked him how much in excess, and he responded, “No comment.” Let’s just say it’s 1%, even though he said flat out that it was above that. If they have 20MM users, that’s 200,000 compromised accounts, with probably compromised identities, and therefore phone numbers, addresses, and who knows what else. Do they really think that this is a good idea? Those same people are the ones who have the most to gain by phishing. And how do you propagate phishing? Email! All a vicious cycle.

Not to mention the possibilities for SEO spam. Free domains? One of the biggest problems for SEO is getting cheap domains. Well there you have it folks. There’s nothing cheaper than free. Feel free… spam all you like. I can’t wait to see how their ToS reads, and see how they intend to protect against that spam. I wonder what their hosting will look like too. Maybe something similar to pages.google.com (I’m also not sure why they are offering competitive services to a major shareholder’s applications). It all seems very odd and poorly thought out.

Oh well, at least the browser companies are starting to act more intelligently.

Google Spam Redirects

Monday, August 7th, 2006

I’ve been gone for a few days and one of the very first things I find in my inbox is an email that apparently wants me to click on a link. That link is going to Google. That link is a redirector. That link is obfuscated with URL encoding. Who knows what’s on that link! I’ve learned to distrust Google links, so I’m smart enough not to simply click on it without doing some investigations first. Let’s look at the message, shall we?


I changed the unique string at the end, but otherwise this URL is intact and working. What is this? Well, by golly, it’s cialis/viagra spam! What have we learned? Google links are not to be trusted. Why would you allow your infrastructure to support spam redirection in emails? Should I start adding www.google.com to my anti-spam engines? Maybe to my content filters? I hate to say it, but I think I called this one.
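An added example of the kind of investigation the post describes, not the author’s own tooling: peel the percent-encoding off a redirector link’s query parameters and report where it lands, without ever fetching it. The sample links, the example.net destination and the q parameter name are constructed for the example, since the post does not reproduce the actual URL.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

def _is_absolute_url(value):
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def embedded_targets(url, max_decode=3):
    """Every query-parameter value that turns into an absolute URL once the
    percent-encoding is peeled off (parse_qsl removes one layer, the loop
    removes up to max_decode more for double- or triple-encoded links)."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = value
        for _ in range(max_decode + 1):
            if _is_absolute_url(candidate):
                found.append(candidate)
                break
            decoded = unquote(candidate)
            if decoded == candidate:
                break
            candidate = decoded
    return found

def redirect_chain(url, max_hops=5):
    """Hosts visited from the link you were sent to the final destination,
    worked out purely from the URL text; nothing is fetched."""
    chain = []
    while url and len(chain) < max_hops:
        host = urlsplit(url).netloc.lower()
        if host in chain:          # redirector loop
            break
        chain.append(host)
        targets = embedded_targets(url)
        url = targets[0] if targets else None
    return chain

def lands_off_site(url, trusted=("www.google.com",)):
    """True when a link on a trusted host bounces the reader somewhere else,
    which is the pattern the spam above relies on."""
    chain = redirect_chain(url)
    return len(chain) > 1 and chain[0] in trusted and chain[-1] not in trusted

# Constructed samples: a single-encoded and a double-encoded redirector link
# pointing at example.net, plus an ordinary search link for comparison.
SAMPLE_LINKS = [
    "http://www.google.com/url?q=http%3A%2F%2Fexample.net%2Fpromo%3Fid%3DXXXX",
    "http://www.google.com/url?q=http%253A%252F%252Fexample.net%252Fpromo",
    "http://www.google.com/search?q=web+application+security",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(" -> ".join(redirect_chain(link)), "| off-site:", lands_off_site(link))
```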