TOP STORY — info you need to make Windows work
Readers find new phishing attacks
By Brian Livingston
The top story of the May 6 issue of Brian's Buzz on Windows revealed that hackers had found a way to hijack
the address bar of Internet Explorer, Netscape, and possibly other browsers.
This exploit makes it appear that you are visiting one site — such as
your online bank — whereas you are actually visiting a bogus site
that just happens to look exactly like your online bank.
This technique is used to enhance the diabolical effectiveness of "phishing."
In the typical phishing attack, millions
of e-mail messages are sent out by credit-card thieves. These messages tell the
recipients that they need to re-enter their passwords or other personal
information in order to "verify" their account at their bank, PayPal,
eBay, or whatever.
The e-mail message contains the identical logo and overall appearance as
your financial institution's legitimate messages. If you click the link
in the message, the Web site that opens in your browser looks good, too. But
the site, in fact, is a "throw-away" page. It will be abandoned as soon as the
thieves have collected thousands of credit-card numbers, passwords, or other
information from innocent Web users.
Because the phishing e-mails and Web pages look exactly like those of
legitimate companies, up to 5% of the recipients of these e-mails actually enter
the data that's requested, according to figures I quoted last issue from the
Anti-Phishing Working Group.
My article on this subject generated far more comment than the average
newsletter does. My readers are extremely offended (as am I) by the exploitation
of naïve users that phishing represents. The recent exploit, which grabs
browsers' address bars to make the trick harder to detect, makes
phishing an even bigger threat to Internet users than it was originally.
What's worse, my readers have discovered additional exploits that haven't
yet been reported in major media. The comment below describes a new kind
of Internet worm that hijacks the Hosts file, a Windows resource that can be
subverted to re-direct any site you may type into an Internet browser.
Hackers use Hosts file to seize your browser
Reader Ed Perrone was the first to outline to me his experiences with
a hacker exploit that takes over the Hosts file. This is a standard Windows
text file (it has no extension) that maps host names to the addresses of
computers on the Internet or on a local network. Windows consults it before
asking a domain name server (DNS), so an entry in the Hosts file overrides
whatever DNS would have answered.
More info
Perrone found to his horror that his Hosts file had been quietly corrupted
in an attempt to phish for his password at a site called E-gold.
This is an e-commerce service that, according to a Wired.com
article, is a legitimate way for individuals to send
each other payments in shares of gold bullion.
Please read this important cautionary tale:
-
"The article on hijacking the address bar really caught my interest, because I
was the near-victim of such a thing just a couple of months ago. However, my
experience was slightly different: The hijacker somehow altered my Hosts
file to redirect requests for www.e-gold.com to a fake e-gold site at his own
IP address.
"I never fall for the normal kinds of phishing e-mails. But this
scam was so smoothly executed that I actually had my password typed into the
password box at the fake site. All that was left was to click 'Log in.' But a
few things made me uncomfortable enough to contact e-gold first, and I was glad I
did!
"The 'clues' I noticed were several. First of all, I was getting numerous
'page not found' errors while clicking around the fake site. Some pages were
there, some weren't. That seemed strange for a professionally run site.
"The fake site actually did have an SSL certificate — but I got an IE
warning that the name on the certificate did not match the name of the site.
Another red flag. And, when logging into e-gold, your account number is
automatically filled in for you, via a cookie. When I attempted to log into the
fake site, I had to fill in the account number myself.
"All very subtle 'weirdness,' however. And only because I am very
paranoid and very aware of scams did I hesitate — and only
then, at the very last second. I'm convinced that most 'normal' users would
have just clicked right through. 'Oh, e-gold is having a bit of a problem
today—'
"I am still not sure how the culprits could have edited my Hosts file.
I had received an e-mail earlier that day, apparently from someone at
a gold-related message board I belong to, warning of a 'financial problem'
with e-gold and containing a link to a 'news article' on the subject.
I was curious, so I clicked the link. The 'article' did not seem convincing,
so I wrote it off as a crank e-mail, deleted the mail, and forgot all
about the Web site. A few hours later, however, when attempting to log
into my e-gold account, the weirdness began.
"So, unfortunately, I was not able to examine any code or see exactly how
altering my Hosts file was accomplished. But I am convinced that it was
this particular e-mail/Web site that did it.
"E-gold customer support told me immediately that it sounded like I was
accessing a fake site, and that I should check my Hosts file — and sure
enough, as soon as I looked, there it was.
"This exploit scared the dickens out of me — because it appears to me
that, if the Hosts file is altered without one's knowledge, then even the most
secure system and most paranoid person is susceptible to this. The address
bar shows 'http://www.e-gold.com,' but you are actually accessing
'255.255.255.255' [some anonymous hacker site obscured by the dotted-decimal
format].
"Are there any virus- or integrity-checkers that guard the Hosts file? I
think not.
"My solution was to make my Hosts file read-only. I also now have a
shortcut on my desktop and check the Hosts file every time I am going to a
financial site (PayPal, e-gold, etc.). But are normal users going to do
this? Have you ever heard of an exploit of this type?
"I apologize for the long-windedness of this letter; but like I said, this
one scares me, because they can hijack the address bar without
any of the shenanigans you describe."
The malware that hijacked reader Perrone's Hosts file is probably a phishing
enabler known as Worm_Dumaru.ai (or a variant), according to a bulletin by
Trend Micro, a respected antivirus company. The rogue program sends the
information it captures back to a remote .ru (Russia) server.
Trend Micro discovered the worm, and detection became available, only 13 days
ago on May 7, the bulletin says. Other antivirus companies also now detect and
guard against it, sometimes describing it under other names.
The worm re-writes the Hosts file, according to Trend Micro, in part to
prevent the infected user's computer from accessing major antivirus sites,
including those of Symantec, F-Secure, Kaspersky, Sophos, and many others.
This would prevent the user's PC from downloading antivirus updates that
would detect and remove the worm.
The bulletin provides technical details about the worm's operations and
instructs users on how to clean the Hosts file manually, if necessary.
More info
Unfortunately, marking the Hosts file as read-only is not an
effective way to prevent this file from being hijacked by malware. Yes, this
might prevent the current version of the worm from writing to the file.
But it's not difficult to develop a worm that can remove the read-only flag,
change the Hosts file, then mark the file as read-only again so you wouldn't
notice that the status had ever changed.
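As an added example (not code from this newsletter, from Trend Micro's bulletin, or from any reader), here is a small Python audit script along the lines of the integrity checker reader Perrone asks about. It parses a Hosts file, flags entries that redirect a financial site to a foreign address or blackhole an antivirus site at 127.0.0.1 or 0.0.0.0 (the two behaviors described above), and computes a fingerprint of the mappings so that a silent rewrite is noticed on the next check even if a worm clears and restores the read-only flag. The watch list, the sample file contents, and the 192.0.2.44 address are constructed for the example.

```python
"""Hosts-file audit: flag phishing redirects and antivirus blackholes, and
fingerprint the file so silent rewrites are detected on the next check.
Added example, not code from the newsletter, its readers, or Trend Micro."""
import hashlib
import ipaddress
import sys

# Domains an attacker would redirect (phishing targets) or blackhole (antivirus
# update sites). Constructed watch list; extend it for your own environment.
WATCH_DOMAINS = (
    "e-gold.com", "paypal.com", "ebay.com",
    "symantec.com", "f-secure.com", "kaspersky.com", "sophos.com",
)

# Constructed sample, laid out like a Windows Hosts file. 192.0.2.44 is a
# documentation-range address standing in for the attacker's server.
SAMPLE_HOSTS = """\
# Constructed sample Hosts file for the example
# Lines after 'fileserver' mimic the edits described in the article.
127.0.0.1       localhost
10.0.0.5        fileserver          # legitimate LAN entry
192.0.2.44      www.e-gold.com e-gold.com
127.0.0.1       www.symantec.com
127.0.0.1       www.f-secure.com
0.0.0.0         liveupdate.symantec.com
"""


def parse_hosts(text):
    """Return a list of (ip, hostname, line_number) for every mapping.
    Comments (# ...) and blank or malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; ignore rather than crash on junk
        for name in fields[1:]:
            entries.append((ip, name.lower(), lineno))
    return entries


def watched_domain(name):
    """Return the watch-list domain that `name` equals or is a subdomain of."""
    for domain in WATCH_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def audit_hosts(text):
    """Return findings for watched domains. A legitimate Hosts file has no
    entry for a public site at all, so any match is reported:
      - loopback or 0.0.0.0 => 'blackholed' (blocks antivirus updates)
      - anything else       => 'redirected' (phishing site at a foreign IP)"""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if watched_domain(name) is None:
            continue
        kind = "blackholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({"line": lineno, "name": name, "ip": str(ip), "kind": kind})
    return findings


def fingerprint(text):
    """SHA-256 over the normalized mappings only, so comment or whitespace
    edits do not raise alarms but any changed mapping does."""
    mappings = sorted(f"{ip} {name}" for ip, name, _ in parse_hosts(text))
    return hashlib.sha256("\n".join(mappings).encode()).hexdigest()


def has_changed(text, baseline_fingerprint):
    """Compare the current file against a fingerprint saved on a known-good day."""
    return fingerprint(text) != baseline_fingerprint


if __name__ == "__main__":
    # Audit a real file if a path is given (on Windows this is normally
    # %SystemRoot%\System32\drivers\etc\hosts); otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} ({f['kind']})")
    print("fingerprint:", fingerprint(text))
```

Run it against the sample and it reports the e-gold redirect and the three blackholed antivirus names; run it with the path to the real file and save the printed fingerprint somewhere the file's owner cannot be tricked into overwriting, then compare on each visit to a financial site. The fingerprint ignores comments and whitespace deliberately, so only a change to an actual name-to-address mapping triggers an alert.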
A better form of protection is to use a major antivirus program and configure
it to update its antivirus signatures automatically and as frequently as
possible.
Of course, the best protection of all would be for Microsoft to ensure that
no Web site you visit can change the contents of the Hosts file or any other
file on your PC without your knowledge and consent. I'll evaluate security
changes such as this as they emerge from the Redmond software giant.
Can you re-position the address bar for safety?
Reader Brian Brener writes specifically about the fact that hackers can display
an address bar that replaces the legitimate one in your browser:
-
"A solution to this issue is fairly simple, I believe. IE has a little-known
option to move the address bar. It can be dragged like any other IE toolbar.
I always drag it permanently to the top line — which has File, Edit,
View, Favorites, Tools, Help — and place it to the right in the empty
space. This saves me a line and increases window size, but may help this issue
by not being where the phishers expect."
In IE 6, you can drag your address bar and other toolbars around,
as long as the View, Toolbars, Lock Toolbars selection is
off in the main menu.
I don't believe this effectively prevents hackers from taking control of
the address bar, however. The same View menu in IE enables you to turn off your
address bar entirely, if you wish. An Internet virus, if it was skillfully
programmed, could probably turn off your legitimate address bar and turn on
its own address bar — in the same location the old one had occupied.
Again, updating your antivirus programs is a better form of protection.
Today's simple exploits will keep getting slicker
Brandon Carpenter writes that one of the flaws I wrote about in the
current generation of phishing software won't remain a flaw for long:
-
"In your May 6 e-mail newsletter, you mentioned the following as a weakness in
the 'phishing' address-bar replacement scam:
• Default color scheme only. At
this writing, the phishing code uses browser-detection techniques to display
an address bar that's appropriate for IE, Netscape, and so forth. But the fake
address bar uses only the default Windows colors. If you've configured Windows
to use a different color scheme, the fake address bar will look, well,
fake.
"With most modern browsers supporting cascading style sheets (CSS), this
weakness is easily overcome. Today's most popular browsers, including IE and
Mozilla, allow you to use CSS to specify system
colors
and fonts for just about any HTML
element. I've used these techniques, in HTML Applications (HTA) and Web pages,
to create simple applications that match the current system UI choices.
"With Mozilla, imitating the address bar becomes more difficult when a theme
other than one of the defaults is applied. Mozilla also has built-in pop-up
blocking. Mozilla rocks."
It's unfortunately true that phishing exploits will just become more and more
sophisticated, because real money is involved here. This is why it's crucial
for antivirus companies and Microsoft developers to distribute new tools
to give users stronger protection against these kinds of attacks.
I'm sending readers Perrone, Brener, and Carpenter gift certificates
for a book, CD, or DVD of their choice for sending me comments that I printed.
To send me more information about this, or to send me a tip on any other
subject, visit
WindowsSecrets.com/contact.
RECOMMENDED READING — my book reviews of tech topics
Network Security Hacks
If there were 100 things you could quickly do to make your network more
secure, wouldn't you want the list? That's what you get with Network
Security Hacks, the latest book in the inspired Hacks series from O'Reilly.
Author Andrew Lockhart — a contributor to the open-source
Snort-Wireless security project — has put together steps for
Windows as well as Unix and Linux. Just select the points that apply to
your particular environment.
More info: United States / Canada / Elsewhere
Windows Server 2003 Security Infrastructures
Windows Server is the first line of defense in many companies, and Server
2003 definitely has a different security footprint than Windows 2000 Server.
If you're running Server 2003 — or you may be running it before you know
it — this is the book for you. Jan De Clercq, the Belgian-based author,
is a consultant for Hewlett-Packard on Windows, Exchange, and .Net security
and a recognized expert.
More info: United States / Canada / Elsewhere
Microsoft Windows Command-Line Administrator's Pocket Consultant
I've always loved running programs at the command line, perhaps even more so as
Windows' graphical user interface has thoroughly engulfed it. The text-mode
console is still under there, if somewhat hidden. William Stanek shows you ways
to manage multiple servers and clients with concise commands and scripts. This
ain't your father's DOS.
More info: United States / Canada / Elsewhere
FORWARDING INSTRUCTIONS — news gains value when it's shared
Please share this information with your friends
You're encouraged to refer your friends and colleagues to this free
newsletter. Because most e-mail programs don't correctly display a formatted
message that's been forwarded, simply call people's attention to
the permanent Web address of this issue:
BriansBuzz.com/w/040520.
HERE'S A TIP — you'll get a better newsletter if you choose the paid version
You're reading the free version of Brian's Buzz on Windows
Subscribers to the paid version receive additional information in each issue.
Some of the extras this week are:
- Help system is vulnerable in XP and 2003.
Microsoft has released a new patch to block a hole that attackers can remotely
exploit. But the update installs incorrectly in certain cases —
unless you know the secret.
- Phenomenal update info on 32 Microsoft products.
Someone (not Microsoft) has actually put together a massive guide to
every update and patch you need for myriad versions of Windows and other
Microsoft applications and add-ins. You'll read about it here first.
In addition, paying subscribers also are entitled to a bonus download at
least once every calendar quarter and enjoy access to all past paid
newsletter content.
To upgrade, simply make a contribution of any amount that you choose.
If you do this by June 2, 2004, you'll immediately be sent the full, paid
version of this week's newsletter.
To upgrade to the paid version, please visit
WindowsSecrets.com/upgrade.
Thanks in advance.
BRIAN'S BOOKSHELF — new e-books from the author
Spam-Proof Your E-Mail Address
This 27-page e-book in PDF format gives you step-by-step instructions
that can eliminate 97% of the spam that would otherwise clog your e-mail
account. You could call it "Brian Livingston's Spam Secrets." The book
is the result of months of experiments and tests I conducted, and I now
receive little or no spam to the addresses I used as guinea pigs. These tests
show that you can actually reduce your volume of spam to practically nothing,
not just battle an unstoppable and ever-growing flood. The methods I describe
work with Windows, Apple, and Linux and don't require any filters or block
lists — but you can use those in addition to the book's techniques, if you wish.
More info
WACKY WEB WEEK — playing for you the Internet's greatest bits
College alumnus has the last laugh
'Tis the season for college graduation ceremonies, and while most grads
are enduring some bureaucrat or another as their speaker, the matriculating
students of the College of William and Mary got — drum roll, please
— Jon Stewart, the funnyman of Comedy Central's "The Daily Show"
(picture, left).
Stewart actually, somehow, graduated from this selfsame college 20 years ago,
and he's back with a vengeance. From his very first words — "Thank you,
Mr. President, I had forgotten how crushingly dull these ceremonies are."
— he didn't disappoint.
Remarking on his own selection, Stewart said, "When I think back to the
people that have been in this position before me from Benjamin Franklin to
Queen Noor of Jordan, I can’t help but wonder what has happened to this place,"
adding, "As an alumnus, I have to say I believe we can do better."
It just rolls on from there. Oh, those college days...
More info
USEFUL LINKS — more stuff that's good to know
In this section, I provide links to stories I've reported in other media that
you might find interesting.
Make wireless easier and more secure
Can you imagine making wireless networking more secure — while at the
same time making it easier to set up? That's the promise of new technology
that's quietly making its way into everyday products that'll be available to
you in the next few months.
More info
How not to let users search your site
If your company allows visitors to search your site for information, you could
learn a lot by examining one of the worst user interfaces I've ever seen on
the Web. The illuminating example I'm going to tell you about is Medicare's
new prescription drug price-comparison engine.
More info