Welcome to the phishing pond

Posted: 21.7.2011 in Ei kategoriaa
Tags: ,

Yesterday something went wrong – Below is screenshot pointing out the problem. Read the rest of article to find out more details.

The screenshots had very common mistake – redirection. It’s very good tool for phishing attacks. If attacker has any possibilities to send e-mail to registered user, he is able to attack against the user. For example how many would have noticed the redirection bug if he got the e-mail message:

From: root@trusted-mail.net

Subject: E-mail validation

Please, validate that your e-mail address is still valid by logging in to the Trusted Mail. We are not requesting any passwords by e-mail and as you can see from link below, it is pointing to Trusted-mail.net. Make always sure that address bar has correct address.

So please, log in with this validation link:

https://trusted-mail.net/horde/imp/login.php?url=%68%74%74%70%73%3A%2F%2F%65%76%69%6C%68%61%78%6F%72%2E%63%6F%6D%2F%68%61%78%2F%74%72%75%73%74%65%64%2D%6D%61%69%6C%2F

Sincerely,

Mail admin of Trusted-Mail.com

That mail looks valid – doesn’t it? When redirection goes wrong, the attack against the service users is simple. It just takes few minutes to copy the original login page, change the form processing so that submitted data is stored to local file or database, and then redirect back to original site. It’s very difficult to notice, that the target site is actually new site and not the original one. At least I’m mistyping my passwords every now and then, and when the system says that password is wrong, I try to write it a bit more careful but without checking where my browser actually is.

So the failures are actually at many level. Bad web application is not validating its input correctly. I have written about that before at post “Phun with redirects“. But second is more fundamental failure. It’s at e-mail protocol. The From field is not validated. Attacker can give any From address and receiver wouldn’t notice that.

The original SMTP protocol was defined at RFC 821 year 1982. Back then there wasn’t need for security. And now it would be just too expensive to add new security layer, because everything has been implemented to use old and insecure protocol. Maybe at next bug report I should state:”The root cause for bug is Internet and its protocols.”

Advertisements
Comments
  1. ElizaF says:

    If you enter a bug “The root cause for bug is Internet and its protocols”, it will be closed as a Known Issue or worse again “By design” That is one of the hard things we have to accept as testers. We know there is an issue, we know the cause but for now, at least, nothing is going to be done about it.

    • Teemu Vesala says:

      Yeah. We have to accept that. But also we should communicate the problem for everyone else also and state the root cause to something which will be fixed. E.g. “Input validation” in this case. When I’m reporting security issues, I usually try to create some kind of scenario where I open up how the security issue is used to attack. There I can desribe that “alone this weren’t problem, but because there is other issues, this becomes real problem and security is compromised.”

  2. Very Nice and useful post. Thanks for sharing this.
    Thanks for the article Ian, excellent stuff.
    You can get info on Web Testing as well with some guidelines with different.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s