Phishing & BotNets
In-session phishing Jan 08 2006 12:53AM
Matt Richard (matt richard gmail com) (1 replies)
Re: In-session phishing Jan 08 2006 10:14AM
Rafael San Miguel Carrasco (smcsoc yahoo es) (1 replies)
Re: In-session phishing Jan 08 2006 01:09PM
Matt Richard (matt richard gmail com) (1 replies)
Re: In-session phishing Jan 08 2006 11:47AM
Lance James (bugtraq securescience net) (1 replies)
Matt Richard wrote:

>On 1/8/06, Rafael San Miguel Carrasco <smcsoc (at) yahoo (dot) es [email concealed]> wrote:
>
>
>>Have you considered the fact that pop-up may be triggered as a result of
>>a second-order injection attack?
>>
>>
>
>The second hand description of the attack seems to strongly hint
>towards local malicious code but this idea seems plausible. One of
>the remediation steps that allegedly eliminated the attack was a full
>virus scan with the latest definitions as of 1/3/06. Of course this
>is the problem with second hand information, without knowing what the
>AV actually detected it could have been anything. For all we know the
>AV may have detected the specific phishing html page as so many of
>them not do.
>
>

Actually I was going to couple that, we've seen a few of those, but
there is malware that uses in-session phishing techniques:

W32.grams account siphoner seen at this link:
http://www.lurhq.com/grams.html - essentially it session rides the
victim when they go into e-gold and transfers money through a hidden
frame out to a phisher's account. (This version that was analyzed had a
bug in it, but it demonstrates the mere possibilities.)

Secondly - session riding and Cross-Site Request Forgery are possible in
many sites, which could allow even users that have logged into sites
recently but are not currently at that site, to have their data stolen
through session riding. A benign example of this is here:

http://ip.securescience.net/exploits/wishlist.html

This will add the "Phishing Exposed" book to the user's wishlist at
amazon. View code for detail on the attack - but it depends on the
over-duration of the cookies on amazon (I think it's up to 90 days that
you are recognized and can do most things).

My two cents.

-Lance

Disclaimer - the example is not an attempt to advertise my book, just
demonstrate something that is benign.

>
>
>>Malicious Javascript code would have been injected by the attacker in
>>his or her own session, then triggered when other users log-in.
>>I remember something similar (not in e-banking though) happening a few
>>months ago.
>>
>>
>
>I would agree that I'm not familiar with any instances related to
>e-banking and in-session activity.
>
>--
>Matt Richard
>http://www.mullingsecurity.com
>
>
>
>
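
Added example, not part of the original post or the code at the links above: a server-side check that refuses the kind of cross-site, cookie-only request the message describes, including the long-lived-cookie case. The origin, key, field names and 15-minute re-authentication window are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SERVER_KEY = b"constructed-demo-key"     # constructed; keep the real key in a secret store
TRUSTED_ORIGIN = "https://shop.example"  # hypothetical site origin
MAX_AUTH_AGE = 15 * 60                   # assumed policy: seconds since last password entry

def csrf_token(session_id):
    """Per-session token the site embeds in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def allow_state_change(req, now):
    """Return (allowed, reason) for a request that would change account state."""
    if req["method"] != "POST":
        return False, "state changes are not served over GET"
    # 1. The browser says which page sent the request; it must be our own site.
    source = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != TRUSTED_ORIGIN:
        return False, "cross-site or missing Origin/Referer"
    # 2. The cookie alone proves nothing: require the token a foreign page cannot read.
    expected = csrf_token(req["session"]["id"])
    sent = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    # 3. A long-lived "remember me" session may browse, but not change state.
    if now - req["session"]["auth_time"] > MAX_AUTH_AGE:
        return False, "re-authentication required"
    return True, "ok"

def sample(origin, form, session):
    """Build a constructed request record (not captured traffic)."""
    return {"method": "POST", "headers": {"Origin": origin}, "form": form, "session": session}

NOW = 1_000_000.0
FRESH = {"id": "s-123", "auth_time": NOW - 60}
STALE = {"id": "s-123", "auth_time": NOW - 89 * 86400}  # cookie still accepted after 89 days
OWN_FORM = {"csrf_token": csrf_token("s-123"), "item": "book"}
SAMPLES = {
    "own form, fresh login": sample(TRUSTED_ORIGIN, OWN_FORM, FRESH),
    "hidden frame on another site": sample("https://other.example", {"item": "book"}, FRESH),
    "own form, 89-day-old login": sample(TRUSTED_ORIGIN, OWN_FORM, STALE),
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(name, "->", allow_state_change(request, NOW))
```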

Copyright 2010, SecurityFocus