Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Alpha Phising [IE 6 WinXP SP2]

from [mikx] Network Security [Permanent Link]
Subject: Alpha Phising [IE 6 WinXP SP2]
Date: Thu, 26 Aug 2004 05:46:10 +0200
Tonight i got about 20 - awfully translated - german speaking phising mails. Therefore i thought a bit about phishing attacks and which of them are blocked in WinXP SP2.

After a while i created some proof-of-concept code that is capable of phishing data from any html form based login screen, even if SP2 is installed and Active Scripting is disabled. It runs without the need for cross site scripting or spoofing entire websites. It can display any real login website in a frameset (that looks like a frameless page) and works as a "man-in-the-middle" attack when the user submits his login data. It is in most cases transparent, meaning the login process isn't interrupted at all (if the server accepts the form data as GET).

This demo shows a typical, password protected website (it's just a fake for demonstration). Type in any login/password combination and click "login" or hit return in the form. If the phishing works, you will see a javascript alert displaying the login data you typed in - this alert comes from the site hosting the iframe! When you close the alert, the script forwards the data to the server and performs the login. In a real attack the alert would be replaced by mechanism to store the data, of course.

The NoScript Version is a little limited: you can focus the underlying "real" login forms when clicking exactly on their border and there is currently no forward to do the login after the data got phished (it's possible using a server side header redirect but not implemented). The intercepted data is displayed as a get request in a new window in this demo. This could also be done in a hidden frame of course.

1. JavaScript Version (inside Phishing frame, alerts on post)
http://www.mikx.de/alpha/index.php

2. NoScript Version (inside Phishing frame, opens new window on post)
http://www.mikx.de/alpha/index2.php

3. Login Website (just to compare)
http://www.mikx.de/alpha/login.php

4. Blog
http://www.mikx.de/index.php?p=2

I tried this script across multiple webservers/domains and even on my personal bank account login page - it would work. I will not release any "real world" samples for obvious reasons. Anyway, i assume there are already phising attacks like this out in the wild.

Technically the script is based on an iframe, forms and absolute positioned divs - it does not require Active Scripting! Therefore it triggers no cross site scripting protections, the hidden form fields intercepting the login data are only "hovering" above the iframe and there is no real script interaction.

Currently i can only try this using IE 6 on WinXP pro SP2 (all security settings to default). Feedback about other OS versions is appreciated.

To work around this vulnerability client side never click on links to open login pages and risk opening a framed website this way. Type URLs by hand or use Bookmarks. On server side use scripts that let a login page "break out" of framesets or warns when embedded in a frame. You could also try to detect those man-in-the-middle stuff by checking if the referrer of a form post comes from your server. This wouldn't stop the phising but at least would it break the "transparency" of the attack.

mikx


[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Alpha Phising [IE 6 WinXP SP2], mikx <=
Previous by Date:  [Full-Disclosure] [ GLSA 200408-27 ] Gaim: New vulnerabilities, Sune Kloppenborg Jeppesen
Next by Date:  TSL-2004-0043 - multi, Trustix Security Advisor
Previous by Thread:  [Full-Disclosure] [ GLSA 200408-27 ] Gaim: New vulnerabilities, Sune Kloppenborg Jeppesen
Next by Thread:  TSL-2004-0043 - multi, Trustix Security Advisor
Indexes:  [Date] [Thread] [Top] [All Lists]