|
|  | Google can be Exploited to Assist Phishing Attacks | | | |
| Google and Yahoo have a number of URL redirection holes that can assist Phishing attacks, Trojan distribution, spammers, etc. Proof of Concept follows.
With phishing messages becoming very creative, realistic looking, and free of spelling errors, it is very important that people are able to verify the links. The same applies to URL's on web pages such as bulletin boards and other forums. If a user floats their cursor over a link, it should show them where that link is going to take them. But that is not always the case and two of the biggest search engines are contributing to the problem.
Some details of these vulnerabilities have been reported before, but the problems have not been fixed. NIST.org has discovered that there are ways the bad guys can make these vulnerabilities even more deceptive. The following example shows how a URL sent in an eMail message or embedded on a webpage can have its true location masked with the help of Google. Float your cursor over the following links and then click on it to see what you get (press backspace twice quickly to return here):
Notice that you did not end up on Google's site even though the text above and the URL on the status bar indicated that you would. Note that the real URL embedded above (especially in the first Firefox example) is not recognizable as a URL to most people. For once, IE users are a little better off; IE 6 does not allow the dWord obfuscated URL shown in the first example. But most people may not recognize the IP address as a URL without the 'http:' included.
As mentioned this is not a new problem. This was reported on WebApp Security listserv back in January 2006. But those examples included a http:// and a fully qualified domain name (human readable address). The first example above uses a Dword equivalent of the IP address. The second example is an IP address. Neither use the http:// prefix. If this was a real spam or hacking attempt the URL in the address bar would be again redirected on the destination site so that it looked less obvious. The examples here have destinations of very popular, and harmless, websites. But of course the links could point to something much worse if sent from someone with malicious intent.
Yahoo has similar problems in that they utilize URL redirection without it having to load from one of their pages. But we have not found a way to hide the http:// part.
But Yahoo's redirector requires the http:// so it is a bit more obvious. Though many users would probably fall for it.
The Google redirect can be further amplified by mucking with the URL a little more. Float your cursor over this example and then try telling me that it would not fool most end users:
- PayPal.com
- Or here is a really good one that works with both IE and Firefox : Paypal.com
Note the unusual string of numbers at the end of the URL.
Combine that with a little social engineering such as a mention of a Google / PayPal partnership and you will reel in a few more. Remember that the link above does not take you to Google or PayPal, such a link could take you anywhere the bad guy wanted. In this case, the link would probably take you someplace that looks very similar to PayPal with a small sidebar mentioning the fictitious Google partnership. Of course, it would also include a login screen so that they can steal your account information.
Google and Yahoo must fix this problem. Bank of America had the same issue and they took care of it. It would not be hard to assign a session ID to a user and require that to be a part of the URL submission for the redirect. The Google (or Yahoo) session ID would simply need to match what was assigned to a particular IP address. If they do not match, the URL was not assigned to that user by Google. Surely there are other ways to fix this as well.
You can read more regarding the original notice to Google that outlined the vulnerability at Seclists.org
| |
          
|
Latest NIST.org news and comments |
|
|
|
|
|
| Training / Books
»Security Certifications -
» CISSP, SSCP, Security+, etc.
»Computer Forensics
»Ethical Hacking
»Malware, Spyware, Viruses
»FISMA Compliance, Policies, etc
»PKI, Encryption, Smartcards
»Windows Security Guides
»HIPAA, SOX, CISP, etc.
|
NIST.org Security Bookstore
|
|
|
Our news can be syndicated by using these rss feeds.
|
|
|
