Security IT

Phishing For Bank Info Without Any Pesky Malware 232

Emb3rz writes "DarkReading.com brings us news of a new approach to phishing that targets online banking sites. Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love. Instead, it uses JavaScript from a remote page to detect if you have a banking site open, and prompts you for info via popup if you do."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Friday January 16, 2009 @01:27AM (#26478769)

    This is why I use a separate Firefox profile for banking and bill paying. And I only have one tab open at a time.

  • by dmomo ( 256005 ) on Friday January 16, 2009 @01:31AM (#26478787)

    The only way I can imagine that js on one site can detect if a user is logged into another (assuming the other site is secure and I cannot post js to it) would work like this:

    Use an Asynchronous request to "curl" out to a well known page of that site and then "grep" the response for typical "you are not logged in" text. If it is not found, commence shenanigans.

    BTW, this comment kind of made me roll my eyes:

    "Klein says placing a low-profile piece of malicious JavaScript on a high-profile Website isn't difficult to do, and the malware is basically invisible to the user."

    "Klein" makes it sound like this is a walk in the park. I don't know. After the myspace worm a few years back, I think validation and filtering on those sites has gotten pretty good. Low-profile sites? Sure. High-profile sites? Not so much. I'm not saying it's not possible, but "not difficult"... maybe Klein is just conceited.

  • by Fian ( 136351 ) on Friday January 16, 2009 @02:18AM (#26479027)

    Perhaps it is time to have a dedicated banking browser? One that does not use cookies/cache data/allow more than one tab etc etc

  • Re:XSS (Score:4, Interesting)

    by Animaether ( 411575 ) on Friday January 16, 2009 @02:22AM (#26479045) Journal

    so wait..
    as you explain it, I guess the idea is that once the user logs into the secure site, the malware script can magically access the lock.gif because the site and browser tell them that.. yup.. the user is logged in and thus should have access.

    however.. presumably, the script is not from a page that's actually -on- https://www.mybank.com/ [mybank.com].. if it was, you and the bank probably have bigger problems.

    So let's say that instead it's on http://www.malware.lol/ [malware.lol] - why would a script on a page from malware.lol be allowed access to a resource - in this case 'pinging' the 'lock.gif' - *on* https://www.mybank.com/ [mybank.com] ?

    Is there any valid purpose for allowing something like that? I can understand it for non-secure sites.. from inlining content that's hosted on another domain to allowing local applications to grab data off of e.g. websites that do not provide a nice API. But for secure sites? I'm baffled.

  • Re:Ban Pop-ups (Score:3, Interesting)

    by robo_mojo ( 997193 ) on Friday January 16, 2009 @02:42AM (#26479121)

    Javascript alerts would be fine, as long as they would stay only with their own content and not interrupt other tabs/windows or other programs on the system.

    There is a very long-standing bugzilla bug about this for Mozilla, you can read:

    https://bugzilla.mozilla.org/show_bug.cgi?id=59314 [mozilla.org]
      Bug 59314 - Alerts should be content-modal, not window-modal

    (comment #39 describes a security problem that sounds similar to the problem here)

    Lots of good ideas in that page about how alerts could be handled differently. I like the one where the alert becomes an infobar. If you aren't on that tab when the alert happens, you won't be forced to see it, and it can't interrupt anything else you're doing.

    In the meantime, closing all open browser windows before you visit your bank site is still the safest thing to do.

  • Re:XSS (Score:5, Interesting)

    by AKAImBatman ( 238306 ) * <akaimbatman@gmaYEATSil.com minus poet> on Friday January 16, 2009 @02:43AM (#26479127) Homepage Journal

    So let's say that instead it's on http://www.malware.lol/ [malware.lol] - why would a script on a page from malware.lol be allowed access to a resource - in this case 'pinging' the 'lock.gif' - *on* https://www.mybank.com/ [mybank.com] ?

    There's a great deal of internet history behind this one. Originally, there were no barriers whatsoever. Anyone could link anything from any page. Of course, as Javascript entered the scene and grew in sophistication, this was soon realized to be a problem. In result, most browsers adopted security behaviors for the really powerful stuff like XMLHttpRequest and locked out scripting across frames.

    However, that still leaves a hole like this one. And it's not an easy hole to plug. Quite a few sites are actually structured around the idea of cross-site linking. (e.g. The HTML may be www.mainsite.com while the images come from the web server media.mainsite.com.) Interestingly, this sort of structure is actually a solution to the problem posed. So it's difficult to dispose of it out of hand.

    Some of the web standards are moving toward highly restrictive models for HTTPS sites. e.g. HTTPS resources can only be accessed by pages whose origin is the same HTTPS site. More likely though, I expect to see more explicit security configurations along the lines of what Flash does. Flash uses a crossdomain.xml file on the target site to broadcast if a resource can be accessed or not. This scheme allows for situations like a media server separate from the primary site, but it also allows for those cross domain accesses to be tightly restricted.

    Of course, the scheme is not without its problems. Nothing prevents an attacker from transmitting information he may have collected TO a server that he has configured with a permissive policy file. If he finds a vulnerability that allows him to collect the information in the first place, he's going to be able to make off with the info scot-free.

    In result, web security is an ongoing area of research. It's incredibly complex due to the nature and history of the web, but standards bodies are working hard to find more reliable solutions that don't negatively impact existing sites and current usage.
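
Added example, not part of the original comments: a server-side check for the question raised in this thread, namely why a page on malware.lol can probe a logged-in-only resource such as lock.gif on www.mybank.com. It uses the browser-sent `Sec-Fetch-*` request headers with an Origin/Referer fallback; the host media.mybank.com, the 404 response and the function names are assumptions for illustration.

```javascript
// Added example (not from the thread). Hosts and function names are assumptions.
const OWN_HOSTS = new Set(["www.mybank.com", "media.mybank.com"]);

function hostOf(url) {
  try { return new URL(url).host; } catch { return null; }
}

// True when the request was initiated by the bank's own pages or by the
// user directly, false when another site embedded or fetched the resource.
function isTrustedInitiator(req) {
  const h = req.headers; // header names lower-cased, as Node's http module gives them
  const site = h["sec-fetch-site"];
  if (site === "same-origin" || site === "none") return true;
  if (site === "cross-site") {
    // A top-level navigation (user followed a link) is fine; an <img>,
    // <script> or fetch() issued by another site's page is not.
    return req.method === "GET" && h["sec-fetch-mode"] === "navigate" &&
           h["sec-fetch-dest"] === "document";
  }
  // "same-site", or an older browser that sends no Sec-Fetch-Site:
  // fall back to Origin, then Referer, and require one of our own hosts.
  const host = hostOf(h["origin"] || h["referer"] || "");
  return host !== null && OWN_HOSTS.has(host);
}

// Status for a logged-in-only resource. An untrusted initiator gets the same
// answer as a logged-out user, so the probe cannot tell the two apart.
function statusFor(req, loggedIn) {
  return loggedIn && isTrustedInitiator(req) ? 200 : 404;
}

// Constructed sample requests.
const probe = { method: "GET", headers: {
  "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors",
  "sec-fetch-dest": "image", "referer": "http://www.malware.lol/" } };
const ownPage = { method: "GET", headers: {
  "sec-fetch-site": "same-origin", "sec-fetch-mode": "no-cors",
  "sec-fetch-dest": "image" } };
console.log(statusFor(probe, true), statusFor(probe, false), statusFor(ownPage, true));
```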

  • by j01123 ( 1147715 ) on Friday January 16, 2009 @03:01AM (#26479177)

    Oh, and use NoScript! [noscript.net]

    Another simple change is to set dom.disable_window_open_feature.location [mozillazine.org] to true. That should make it pretty obvious when a popup comes from a source different than what it's claiming.

  • by retech ( 1228598 ) on Friday January 16, 2009 @03:14AM (#26479227)
    There's a simple technical solution to this:
    1. trace the phishing to their location
    2. send a missile to that location
    3. problem solved
  • by Anonymous Coward on Friday January 16, 2009 @03:49AM (#26479361)

    Is that what Interpol is supposed to be doing but if I recall right they are doing a lot of work on getting fans to stop downloading music why don't they arrest the real criminals :(

  • by Gerzel ( 240421 ) * <brollyferret@nospAM.gmail.com> on Friday January 16, 2009 @04:33AM (#26479531) Journal

    Problem is with no-script you still have to decide if you trust or not-trust the site and if that level of trust you have is worth what the site is offering.

    If the site offers a useful service which requires scripts you have to decide if it is worth the risk.

    While in most cases it is easy to tell and block only those sites you trust. Those that you don't block may also allow third party scripts to be run such as in ads on the site.

  • by failedlogic ( 627314 ) on Friday January 16, 2009 @04:35AM (#26479537)

    I try and shy away from online-Banking as much as I can. Never mind separate browser. I use a Live Linux DVD and load up my bank site from there. When I do this it's boot, bank website, print if necessary, shutdown and back to Windows.

  • by labnet ( 457441 ) on Friday January 16, 2009 @05:06AM (#26479683)

    Or you should get a one time key generator.
    My key changes every 60 seconds. Could they exploit this within that time frame. (Especially if I'm already logged on and the bank does not allow a second simultaneous login)

  • by OpenSourced ( 323149 ) on Friday January 16, 2009 @06:35AM (#26480055) Journal

    I, for one, have a dedicated VMWare virtual machine with Ubuntu installed, and Firefox. Firefox has NoScript installed, is set to saving no user story, and I use it only for banking. I find the setup a bit unwieldy sometimes, but is sure safer.

  • by RonTheHurler ( 933160 ) on Friday January 16, 2009 @09:04AM (#26480775)

    How about this one-

    I got a letter in the mail (usps snailmail) from Bank of America asking for a lot of personal information that was missing from my account, and that if I didn't supply that information they'd have to report me to the IRS.

    The letter was spelled correctly, had proper grammar and even had the BofA logo printed in full color. The return address was a PO box in Dallas. Nothing fishy at all.

    Problem is, I don't have a BofA account. But I'm sure a LOT of other people do.

    Phishing - it's not just an on-line phenomenon.

  • by fprintf ( 82740 ) on Friday January 16, 2009 @09:06AM (#26480793) Journal

    I'd bet this is something that could be created in GreaseMonkey or otherwise developed as an add-on for Firefox. It would certainly be an effort I would contribute to as this discussion is making me paranoid.

  • by indi0144 ( 1264518 ) on Friday January 16, 2009 @10:32AM (#26481407) Journal
    Call your bank! tell em you're going to the media as in "halp-my-buntu-box-does-not-do-word" unless they fix that. Happened here on my bank, they required IE 7 and I (and other fellow local geeks) called and emailed them so now they support Opera and Firefox.
