web application security lab

Archive for the 'Phishing' Category

Ha.ckers.org Is A Phishing Site

Tuesday, March 6th, 2007

It’s true, because Firefox tells me so! I didn’t even realize it myself until my browser so nicely informed me that my post about extortion was potentially phishing for my password. And here I thought my site was working for me. All this time it was trying to steal my password! Thank god my browser is there to help me, cuz otherwise I would have… uhm… put my password in… somewhere… no, wait… maybe… uhm… on the page… uhm… I guess… hmmm… nothing here says password anywhere… maybe in that box that says comments… cuz that looks like it could steal stuff from me. I suppose you can sense my sarcasm, but really, come on. How is ha.ckers.org possibly anything like a phishing site? Click here to see what I saw this morning. As of the time of this blog post it’s still not fixed.

If there is anyone on earth who should be whitelisted, it’s this site, given the fact that there is zero chance I’d ever put a phishing site up on this website (if I wanted to be a bad guy, I sure as hell wouldn’t do it on my own site). Hell, I used to work on anti-phishing software. But this strikes me as strange. What is the vetting process involved in putting something on a suspected bad site anyway (clearly it’s not working)? From what I can tell there’s not much going on under the hood because there’s not a single thing on that page that looks anything like a phishing site.

If I had been running a big commercial site, this could have had severe impact on my ability to do business, and my reputation with my consumers. I don’t think most people realize how bad this kind of thing is. Ha.ckers.org is one of the few sites that really is not impacted at all by this sort of thing, but I know I’d feel differently if I were running an e-commerce site. Time to re-vamp the heuristics and the process boys. Color this security guy unimpressed.

Update: Apparently I have also been put on the MSFT anti-phishing list. Click here for a photo of that as well. So it looks like this isn’t heuristics based after all. Someone actually manually added me to the phishing list. Because that extortion post really looks scary. Nicely done guys.

Google Fixes One Redirect But Leaves Lots of Others

Saturday, February 24th, 2007

Matt Cutts (the search engine guru at Google) just posted a few comments on this site and others that picked up the story that the redirection hole being used by phishers is now closed by adding a dialog warning you that you are being redirected (Click here for an example). That is good news because 1) clearly Google now can no longer deny it’s a hole - they themselves fixed it 2) some consumers may now be slightly safer, kinda. But as he himself said, this really isn’t a complete fix as this is only one of many known redirects in Google that have the potential of aiding phishing attacks.

There are 10 more redirects in Google that are still functional on this one URL alone. Google is riddled with these holes and they are incredibly easy to find. So while I applaud the fix, I am hardly impressed. It took over a year for this hole to get closed since I first announced it (you’ll notice the other three I mentioned in that post a year ago are still unfixed). There are at least 4 or 5 more that I’ve run across beyond that as well. It’s not even worth cataloging them at this point because there are so many left to fix.
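As an added illustration (not code from this post, and not anything Google actually ships), here is what a redirect endpoint has to do to stop being useful to phishers: fail closed unless the target parses to a host on an allowlist, and catch the usual ways of smuggling a foreign host past a naive check (scheme-relative `//evil.com`, backslashes, `user@host` tricks, and `javascript:`). The `ALLOWED_HOSTS` set and `SITE_HOST` are assumed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed allowlist of hosts this redirector may send users to; the real rules
# of any particular redirector are not described in the post.
ALLOWED_HOSTS = {"www.example.com", "mail.example.com"}
SITE_HOST = "www.example.com"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, site_host=SITE_HOST):
    """Return an absolute URL that stays on an allowed host, or None.

    None means the caller should refuse the redirect (or show a warning
    page, as the post describes Google now doing) rather than emit a
    Location header built from attacker-controlled input.
    """
    if not isinstance(target, str) or not target:
        return None
    # Browsers treat backslashes as slashes, so "/\evil.com" is really
    # "//evil.com"; normalise before parsing so it is classified as a host.
    target = target.replace("\\", "/")
    parts = urlsplit(target)          # urlsplit lower-cases the scheme

    # Reject javascript:, data:, vbscript: and every other non-web scheme.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None

    if parts.netloc:
        # netloc keeps any "user:pass@" prefix, hostname does not, so
        # "http://www.example.com@evil.com/" is correctly seen as evil.com.
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return None
        return urlunsplit((parts.scheme or "https", host, parts.path or "/",
                           parts.query, parts.fragment))

    # No host at all: accept only an absolute path, and pin it to our own site.
    if not target.startswith("/"):
        return None
    return urlunsplit(("https", site_host, parts.path, parts.query, parts.fragment))
```

The point of returning an absolute URL rather than echoing the parameter is that the redirect can then only ever land on a host the operator chose; a warning interstitial is a reasonable fallback for the `None` case, but it is the allowlist that closes the hole.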

So good job on fixing a small percent of the problem, but Google has got a very long road ahead of them before I’d trust clicking on any unscrutinized Google link I found on the web.

Google Click Fraud and Phishing Talk

Saturday, February 17th, 2007

ThePost sent me this link to Dr. Markus Jakobsson explaining how click fraud and phishing works for Google employees. At first this talk was a complete snoozer (if you already know this stuff, it won’t be an eye opener but if you aren’t familiar with it, it’s worth listening to the first half an hour). But the second half of it is where it gets interesting.

Firstly, one thing he mentioned during the speech was that you could create a robot to spider the net looking for bad things - well it turns out there is an easier way for Google to do this - their own spyware. Since Google Web Accelerator is spyware, they can see whatever they want that the user sees - making it a canary account. The counter attack for fraudsters is to create tactics to avoid exploiting users with web accelerator and it would make sense anyway. What’s worse, having Spyware on your machine or making a bad guy a few cents by subverting your clicks - tough choice. He also says, he’s not sure if Google has a way to tell where users have been before - again, Google’s spyware is pretty convenient here too.

I thought it odd that the Google engineers didn’t understand how the browser anti-phishing stuff works (it’s sorta their job to know this stuff, isn’t it?) and Dr. Markus Jakobsson did not mention the anti phishing built into Firefox and Netscape either, but at least he did talk about some of the heuristics and laid to rest their misunderstanding of why a programmatic solution to phishing detection cannot work completely.

Frankly, I’d rather see Dr. Markus Jakobsson doing more Q&A rather than his speech because he obviously knows what he’s talking about and was much more interesting when he was just answering questions. Anyway, interesting 40 minute speech if you have the time (it’s got subtitles if you don’t want to play it out loud at work).

Types of Phishers

Thursday, February 15th, 2007

I’ve tried to explain how this works to a few reporters, but there are certain classes of phishers out there that seem to band together. Geographic dispersion is loose, as you might guess, but they basically fall into three groups of people: the Romanians/Eastern Europeans, the Chinese/Asians, and the Nigerians/North West Africans. Each has its own ways of attacking applications and phishing.

Romanians/Eastern Europeans: They tend to be the most skilled of the bunch. They think about scalability and they run their activities like a business. They use modern exploits, and tend to come up with most of the cutting edge scams. They tend to be on the bleeding edge of new issues, and tend to tie in things like malware, pharming, and server exploits. They tend to be the ones creating the phishing kits. Like the others they have strong ties to organized crime, and have actually resorted to kidnapping and (presumed) killing of at least one government official. Due to their technical nature they are highly scalable even though there are probably fewer in numbers. They require the most hardware, and are assumed to have ties with lots of botnets.

Chinese/Asians: They tend to be copy-cats. They watch what the other groups do and mimic the same tactics, only months or years later. What they lack in innovation of exploits they make up for in volume and brute force attacks. They are relative newcomers to the world of phishing in comparison but they are growing rapidly.

Nigerians/North West Africans: They tend to have the lowest sophistication of the three groups, and primarily focus on ways of coming up with new variants of 419 scams. They tend to use people instead of automation and focus only on high dollar scams. They are most likely to make contact with the victim and actually will resort to strong arm tactics if they find out where you live. Would you want this Nigerian debt collector after you?

All three groups have technical requirements, and all three groups span across national boundaries. The lax laws around cybercrime and the difficulty in getting machines and operations shut down in these various countries make it particularly easy for them to operate with relative ease at the moment.

Anti-Phishing Legislation

Tuesday, January 23rd, 2007

Legislation is probably one of the least sexy parts of what we all work on, but I had a thought a while back that I never managed to circle back on. I used to work for a mega-company doing anti-phishing stuff (among lots of other tasks) and one day I decided to look into anti-phishing from a legal perspective. I never followed through with it, but this is a topic that I think deserves some debate, as I haven’t seen a lot of people talking about this, or sponsoring legislation I think has a snowball’s chance in hell of helping.

I was doing an interview with InformationWeek today about anti-phishing (btw, any phishers reading this, if you are interested, they would like to have an interview with you - contact me and I’ll get you in touch with them). One of the questions that was asked (and is always asked every time I talk to high level people about this) is what people can do about it. I started down the same old path I always go down, patch up, use modern browsers with anti-phishing built in, blah blah. I hated the sound of my own voice. If you were to take the average IQ of the internet population, I doubt it would be higher than 90-95 at best. There is no way people reading that article are the target segment of the Internet.

If you take that to the next logical step, the people who need this help the most are also the least likely to know how to fix those issues or keep themselves safe. Taking it to the next logical step, there is no way for the average consumer to protect themselves. So who is it up to? To me it seems like it should be up to the people who actually do know how to fix these issues.

I’m not one of those people who is super into having laws dictate our lives, but this seems like an interesting idea. Current anti-phishing laws only apply to countries that have extradition treaties with us, and since when do phishers care about that anyway? What if we turned the law around and pointed it at the people who actually do know how to fix these issues for consumers - the ISPs? What if we made a law that said that ISPs must make a reasonable effort to subscribe to anti-phishing lists and they must shut down access to websites that have known phishing holes in them. Failure to do so could result in fines, and further, if a consumer is actually phished, the ISP is liable.

I’ve already talked to large ISPs who are using OpenDNS, but that’s not cutting it. OpenDNS only applies to sites that are linked to using a hostname, and many phishing sites use only IP addresses. So yes, it would be painful for ISPs. Yes, it would cost extra. Yes, it would be annoying for researchers (maybe they have to call to get sites turned back on for them). Yes, it could cause DoS for websites that are caught as false positives, or virtual hosts on the same IP. All valid points, but none of them seem worth it to spend another billion dollars this year of Internet consumers’ money to finance the phishing market. Comments?

Google Blacklists Phishing Sites and Steals Passwords in the Process

Tuesday, January 23rd, 2007

This morning Legionnaire sent me an email to a post that I thought was worth posting in case anyone else hadn’t seen it. Google is indexing blacklists for its anti-phishing technology, but in doing so is stealing usernames and passwords. Bummer! As if it isn’t hard enough to get people to adopt security now people can claim that Google’s built in security is spyware too (not that web accelerator isn’t spyware, but you get my drift).

There is a picture of this issue over on Finjan’s website that shows the accidental logging of the user’s credentials. You can see how Google is doing it, and it’s kinda scary. And the worst part is there really is no good way to ensure that they aren’t in there other than either not allowing anything with a username/password pair in the blacklist (which could be used against them) or by trying to strip them out (which again, could be used against them). In these cases I doubt the phishers did anything special with those sites, but that’s not to say they couldn’t. Thanks for the link Legionnaire!
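For anyone publishing a URL blacklist, here is the “strip them out” option from the post as an added example (my code, not Google’s, Finjan’s, or the post’s). It removes the RFC 3986 `user:pass@` userinfo block and any query parameter whose name looks like a credential, and reports what it removed so the operator can review the entry. The `CREDENTIAL_PARAMS` name list and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry credentials. An assumed list; the page
# does not describe the blacklist format or what Google actually filters.
CREDENTIAL_PARAMS = {"user", "username", "login", "pass", "password", "passwd", "pwd"}


def scrub_blacklist_entry(url):
    """Return (scrubbed_url, findings) for a URL about to be published.

    findings lists what was removed: "userinfo" for a user:pass@ prefix and
    "query:<name>" for each credential-looking query parameter. An entry with
    a non-empty findings list deserves a human look before it goes out.
    """
    parts = urlsplit(url)
    findings = []

    netloc = parts.netloc
    if "@" in netloc:
        # Everything before the last "@" is userinfo; keep only host[:port].
        findings.append("userinfo")
        netloc = netloc.rsplit("@", 1)[1]

    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_PARAMS:
            findings.append("query:" + name)
        else:
            kept.append((name, value))

    # The fragment is never sent to the server, so it adds nothing to the entry.
    scrubbed = urlunsplit((parts.scheme, netloc, parts.path, urlencode(kept), ""))
    return scrubbed, findings
```

The caveat the post alludes to is visible in the first step: once userinfo is stripped, `http://anything:x@www.legitimate-bank.example/` becomes an entry for the legitimate bank, so a scrubbed entry still needs to be checked against the host that was actually reported before it is published.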

Pharming Worms Are Real

Friday, January 19th, 2007

Am I going to have to eat my words? I was thumbing through some AV reports over the last few days and one report stuck out at me. Granted, I don’t follow each worm (not enough hours in the day for all the things I’d like to explore) but I was surprised to see a worm that had to do with Pharming. For those of you who are unfamiliar with the term, unlike phishing, pharming takes a more proactive approach by forcing people’s DNS entries to point to a different/malicious server. Frankly, I thought it was mostly the stuff of science fiction since no one could point to a single example of any instance of pharming greater than 100 people (a single ISP that got its DNS compromised). Granted, the trojan doesn’t mention pharming but that is the obvious next step if it isn’t already doing it (rather than just trying to get some click-through traffic on some websites).

Trojan.Flush.K also known as Trojan.Dnschanger modifies DNS entries on your Windows box and attempts to forward you to a malicious website. The obvious synergies with phishing attacks make this particular one stand out at me. Symantec rated this one very low (probably to do both with the lack of virulence and the ease of cleaning the system), but it’s interesting to note how potentially dangerous this could be if it were more widespread and written with more malice.

Phishing Kits Now Act as MITM

Friday, January 12th, 2007

Thanks to Mark for sending this over, but there is a new phishing kit that acts as a man in the middle. According to the article the phishing kit simply acts as a PHP proxy to forward any requests directly through the proxy. That way it can detect anything you are typing or defeat any systems like sitekey that require that you see the image in question.

I can’t exactly say this is a major leap forward, because I’ve seen phishing sites that have similar levels of sophistication in automatic detection of whether the username/password was correct by checking in real time. However, this does represent a new variant that could render a lot of the more snake-oil security products virtually useless. The one major disadvantage with this system is that it has to reside on a host and if the same IP is used over and over and over, that could set off a lot of alarms. Interesting nonetheless.
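The “same IP over and over” weakness is something the targeted site can actually alarm on, so here is that check as an added example (my code, not from the article or the kit). A proxying kit relays every victim’s login through its own host, so the bank’s authentication log shows one client address authenticating as many different accounts in a short window. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication log; the format is assumed.
SAMPLE_LOG = """\
2007-01-12T09:00:01 ip=203.0.113.7 user=alice result=ok
2007-01-12T09:00:09 ip=203.0.113.7 user=bob result=ok
2007-01-12T09:00:20 ip=198.51.100.4 user=carol result=ok
2007-01-12T09:01:03 ip=203.0.113.7 user=dave result=fail
2007-01-12T09:01:40 ip=203.0.113.7 user=erin result=ok
2007-01-12T09:05:00 ip=203.0.113.7 user=frank result=ok
2007-01-12T10:30:00 ip=198.51.100.4 user=carol result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, result) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events


def find_proxy_suspects(events, window=timedelta(minutes=10), min_accounts=4):
    """Return {ip: set_of_users} for client IPs that authenticated as at least
    `min_accounts` distinct users inside any `window`-long span.

    Failed attempts count too: the proxy forwards whatever the victim typed,
    and a burst of different usernames is the signal, not the outcome.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _result in sorted(events):
        by_ip[ip].append((ts, user))

    suspects = {}
    for ip, seq in by_ip.items():
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until it fits within `window`.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            users = {u for _, u in seq[start:end + 1]}
            if len(users) >= min_accounts:
                suspects[ip] = users | suspects.get(ip, set())
    return suspects
```

Large NATs and corporate proxies will trip this too, so in practice the threshold is tuned per site and the hit is a trigger for step-up authentication or review rather than an automatic block; the kit’s real mitigation, rotating through many hosts, is exactly the cost the post says it imposes on the phisher.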

Google Blacklist Breakdown

Thursday, January 4th, 2007

Michael Sutton has a good writeup on the Google blacklist that he released today. He sort of went over the obvious stats, who’s getting phished the most, where the phishers are hosting, etc… So for the most part it wasn’t that interesting to me personally (but I’ve been in this business for years). However, one thing did make me think. Michael mentioned that the lack of sophistication points towards the lack of need for sophistication.

Like any stats person would do, I had to think about what that really means. Is it that they don’t require sophistication or is it that they can’t achieve it? Who is building the phishing kits that they buy? Are these people the world’s best programmers? Are they going to build something that’s in vogue for a few days (a 0day browser exploit) only to have to re-code it a few days later when the patch rolls?

Just like in any business the name of the game is scalability. You have to build a scalable product for as cheaply as possible. Just because x% of people have anti-phishing in their browser doesn’t mean you don’t put it up. That’s like saying if you’re McDonalds you don’t want to stay in business because a certain slice of the population cares about early heart disease. Who cares? If it makes you money that’s all that’s important. Sophistication is not a current requirement for their business model. The scary thing is that with technology that is years old they are only now encountering tools that even put a dent in their business model.

That lack of sophistication in our own tools to detect and take down phishing sites is the real issue here. We (browser companies, AV companies, ISPs) have not created enough damage to their business to force them to adopt next generation tactics. So although they may have the arms necessary to fight a nuclear war, they don’t have to, because we’re still fighting with bows and arrows. They haven’t even scratched the surface of technical sophistication in their phishing attacks. And who could blame them? There’s no cost incentive to do so. We haven’t created that incentive yet.

The Web Application Security Good - oh yah, and Bad and the Ugly

Thursday, December 28th, 2006

Despite all the damage that Jeremiah and some of the other web application security people and I have done to web security over the last year, there has been some good. Not a lot but some. We’ve already talked about the top 10 worst web application security hacks this year (and it was a huge pain to narrow it down to 10, let me tell you) but it’s hard to come up with even ten good things that have happened this year for web application security. Let me outline what I think are the best things that have happened. But instead of coming up with a contrived list of 10, I’m going to list everything I can think of that actually impressed me about web application security over the last year (which was only 7 things). Don’t fear, I’ll break every one of them along the way.

1) Internet Explorer 7.0 and Firefox 2.0 finally got anti-phishing installed on their browsers by default. This was a huge win for consumers because it finally gave them an out of the box tool. No more would they have to know enough to download some tool to protect themselves. Only problem is it doesn’t work very well. We’ve found many ways around each of these tools. But at least they’re trying! And with upwards of 90% of the market share collectively between the two browsers, that’s a big dent - even with the holes.

2) Internet Explorer 7.0 closed down the JavaScript directive inside of image tag cross site scripting issue. That was one of the most annoying vectors out there. Images should not be a place for JavaScript, they should be a place for images. Nevertheless, Internet Explorer has finally fixed this issue. They also fixed one of the more esoteric things like variable width encoding in US-ASCII and UTF-8, which can lead to people being able to run JavaScript while the application thinks they aren’t even inside of an HTML tag. However, we are a long way from done patching XSS holes, but hey, huge props to MS for fixing those issues. It brings them to a far more level playing field in terms of XSS with the other browsers. There’s no clear winner in the XSS browser wars at this point.

3) Stanford released their Safehistory Firefox plugin. This was an answer to Jeremiah’s question about do you feel safe allowing anyone to see your history. I know I don’t, so I went ahead and installed it and it worked great. Yah, but it turns out you don’t need to use CSS in this way to steal someone’s history. Not to mention the obvious looking at the referrer and other simple hacks. But whatever, Stanford is trying their best.

4) Another plugin was released to emulate Microsoft’s HTTPOnly inside Firefox. Great idea, Microsoft! I just wish Firefox would make this standard. But never fear, it’s breakable anyway, via XMLHttpRequest - but we knew that years ago when I believe Thor Larholm originally discussed this. Hey, at least it will slow the bad guys down a little.

5) There have been several tools released for developers including Microsoft’s .NET security framework. I took a look at it and wow, it works! I wonder how many people will go back and fix all their applications to use it. And furthermore I wonder how many developers use .NET. Hmm… this one might take a while to take effect.

6) Let’s also not forget HTML Purifier. It’s some of the best code I’ve seen to date to stop XSS. Unfortunately, it can’t protect you against server level hacks, like the Expect vulnerability, or DOM based XSS, or anti-DNS Pinning, the unpatched mhtml issue or other crazy XSS issues. But we have to start somewhere right?

7) Apache closed the Expect vulnerability. Yes, I know I just mentioned it in #6, but that was a big win. Previously all new installs of Apache would be vulnerable to the Expect vulnerability. No more. All future installs should be safe. But that does leave several million old and vulnerable installs out there…
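Items 2 and 6 are about the same thing from two sides: the browser stopped executing `javascript:` in image sources, and server-side filters like HTML Purifier have to recognise it in the first place. As an added example (my code, not HTML Purifier’s and not IE’s logic), here is the naive substring check next to one that survives the two tricks the list mentions: entity-encoded or control-character-padded scheme names, and invalid variable-width UTF-8 that a lenient decoder would turn into a `<`. The `SAFE_SCHEMES` allowlist and the sample attribute values are assumptions.

```python
import html
import re

# Assumed allowlist for src/href attributes; extend with "data" or "mailto"
# only if the application really needs them.
SAFE_SCHEMES = {"http", "https"}

# Browsers ignore C0 control characters (tab, newline, NUL...) and spaces
# inside a scheme, so "jav\tascript:" still runs in a lenient browser.
_CTRL_OR_SPACE = re.compile(r"[\x00-\x20]")
_SCHEME_TOKEN = re.compile(r"[a-z][a-z0-9+.-]*")


def naive_is_safe_src(value):
    """The kind of check that gets bypassed: a plain substring test."""
    return "javascript:" not in value.lower()


def is_safe_src(value):
    """True if the attribute value has no scheme, or a scheme on the allowlist."""
    decoded = html.unescape(value)            # &#106;avascript: -> javascript:
    head, sep, _tail = decoded.partition(":")
    if not sep:
        return True                           # no ':' at all: relative URL
    scheme = _CTRL_OR_SPACE.sub("", head).lower()
    if not _SCHEME_TOKEN.fullmatch(scheme):
        return True                           # e.g. "/files/a:b.png": path, not scheme
    return scheme in SAFE_SCHEMES


def decode_strict(raw):
    """Decode request bytes as UTF-8 and refuse anything malformed.

    Overlong sequences such as b"\\xc0\\xbc" (a two-byte encoding of "<")
    are exactly the variable-width trick item 2 refers to; a strict decoder
    rejects them instead of quietly producing a "<" the filter never saw.
    Returns None on invalid input so the caller can reject the request.
    """
    try:
        return raw.decode("utf-8")            # errors="strict" is the default
    except UnicodeDecodeError:
        return None
```

Decoding strictly at the edge and filtering on the decoded string is the order that matters: a filter that runs on raw bytes, or on text produced by a forgiving decoder, is looking at something different from what the browser will eventually render.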

So although I wouldn’t call this year a stunning success in terms of the security community making leaps and bounds over their adversaries, there was some good that came out of this year. Don’t let anyone tell you otherwise. But no, seriously, we did a lot more damage this year than I think has ever been done to internet security (at least within the last 4-5 years). Hopefully there will be some new tools and tactics over the coming year to close down some of the more dangerous emerging security issues out there.