Some companies are just asking for it.

Lance James lancej at securescience.net
Fri Jun 24 00:15:26 EDT 2005


John Levine wrote:

>>My girlfriend just got an (apparently legitimate from what I can tell)
>>HTML email from her credit card company, complete with lots of lovely
>>images and an exhortation to sign up for their new secure online
>>"ShopSafe" service that apparently generates one time credit card
>>numbers on the fly.
John, I have some serious samples of "Consumer Mis-education" as it's 
been dubbed - I actually provided some of the samples in Aaron's report.

Side note, not only are the emails confusing, but every email that I get 
from a consumer, so far I've gotten (the American Express one in the 
PowerPoint especially is really screwed) eBay, Amex, Bank of America all 
had major vulnerabilities that allow cross-user attacks within them. Not 
only that, to add to his report, with cross-user attacks (I'm probably 
preaching to the choir, but it's still interesting) you can foil SSL 
connections with the lock by using what I call a "Mixed-SSL" attack, 
where you have multiple frame control with your valid certs, but the 
domain URL is https://www.americanexpress.com. This in essence only 
indicates one SSL cert, that being the bank's site that you have injected 
code into, and by walking the DOM you essentially use your certs to 
maintain the secure frame objects. (For a demo of this contact me offline.)

There was a point - oh yes, with the emails - in most of these cases, 
there can be what I call a bulk mail "replay" attack. Assume a phisher 
has a "BofA" account, and receives the bulk mailings of the legitimate 
Financial Institution (FI). This is a safe assumption because in the 
past we have seen a phisher utilize a real BofA email and just replace 
the links with poisoned links that used BofA's site to phish the user. 
So with some timing, a "replay" attack can be organized - since we 
establish that say "BofA" has some vulnerabilities in XSS (this is just 
an example, no offense to BofA), the phisher can wait for a commercial 
legitimate marketing campaign and then mix in his poisoned mass mailing 
within the same time frame as these are going out. This will not only 
confuse the customer, but when reported may get underestimated because 
the FI did in fact send out a mass-mail to their customers*. The 
poisoned URL with the real domain and real (SSL-MIX) lock at the bottom 
of the screen belonging to Bank of America (even though the phisher took 
over the site) could potentially increase ROI by inducing "misplaced 
trust" or cause severe lack of confidence within the already troubling 
concept of online banking.

-Lance

*Ironically, I did find a vulnerability previously in a certain FI mass 
mailing campaign that allowed me to arbitrarily subscribe anyone's email 
address to their campaign list and control settings for whether they get 
the "Solicited" Commercial Email. This adds to the effect since phishers 
can subscribe anyone, not just their customers.


>Shopsafe is rather nice.  I use it all the time, and it's written in
>flash which works on my FreeBSD laptop.
>
>On the other hand, MBNA's mail practices would be laughable if they
>weren't entirely in line with every other bank in the country.  If you
>read Dave Farber's IP list, a couple of days ago Bob Frankston sent in
>an alarmed note saying that some info from his Bank of America account
>had apparently been stolen and used in a phish, and I wrote to tell him
>that no, the mail was real, from the service bureau they use which has
>a name nobody outside the banking industry knows.
>
>Aaron Emigh of Radix Labs wrote to tell me about a talk he gave
>earlier this year at an Anti-Phishing Working Group meeting
>on this topic, which starts with a set of examples of real bank mail
>each of which looks phishier than the last.
>
>This is 30MB due to the voiceover, but if you have a fast web
>connection, it's worth running.  It needs Powerpoint:
>
> http://www.radixlabs.com/idtheft/aaron-emigh-education.pps
>
>Regards,
>John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
>Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
>"I dropped the toothpaste", said Tom, crestfallenly.


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!
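As an added example (not part of Lance's message, and not code from Secure Science), a small origin audit that illustrates the point about the lock: the browser's padlock vouches only for the top-level document's certificate, so any framed document from another origin rides along under it. The function resolves each frame src against the parent URL and reports every frame whose origin the lock does not cover; all URLs below are constructed placeholders on the reserved `.test` TLD.

```javascript
// Constructed sample: the parent page is served from the bank's origin, so
// the lock reflects only that certificate. Four framed documents are loaded
// inside it; two of them are not covered by that lock.
const TOP_URL = "https://www.example-bank.test/account";   // placeholder, not a real site
const FRAME_SRCS = [
  "/statements",                              // same origin, relative URL
  "https://www.example-bank.test/notices",    // same origin, absolute URL
  "https://other-origin.test/login",          // foreign origin with its own valid cert
  "http://cdn.example-bank.test/banner.html", // related host, but no TLS at all
];

// Resolve each frame src against the top-level URL and compare origins
// (scheme + host + port). Returns the origin the lock vouches for and every
// frame the lock does not speak for, with a short reason a reviewer can act on.
function auditFrameOrigins(topUrl, frameSrcs) {
  const lockOrigin = new URL(topUrl).origin;
  const foreignFrames = [];
  for (const src of frameSrcs) {
    let u;
    try {
      u = new URL(src, topUrl); // relative srcs resolve against the parent
    } catch (e) {
      foreignFrames.push({ src, origin: null, reason: "unparseable src" });
      continue;
    }
    if (u.origin === lockOrigin) continue; // genuinely covered by the parent's cert
    foreignFrames.push({
      src,
      origin: u.origin,
      reason: u.protocol !== "https:"
        ? "plain-http frame under https parent"
        : "cross-origin frame behind parent's lock",
    });
  }
  return { lockOrigin, foreignFrames };
}

function main() {
  const report = auditFrameOrigins(TOP_URL, FRAME_SRCS);
  console.log(`lock covers: ${report.lockOrigin}`);
  for (const f of report.foreignFrames) {
    console.log(`NOT covered: ${f.src} (${f.origin}) - ${f.reason}`);
  }
}
main();
```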


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


