Site Jacking

Created: 21 Jul 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:58:31 GMT
Zulfikar Ramzan

There seems to be an increasing number of attacks in which bogus links are placed on otherwise legitimate Web sites; a user who clicks one of these links is sent to a malicious page. These malicious pages are hosted on a different domain and are built to mimic the legitimate site, and they can prompt the user to enter the username and password combination that would have been used on the original site. The username and password can then be logged for future fraudulent use. For lack of a better name, I’ve started using the term "site jacking" to refer to this type of attack. It has some resemblance to phishing, except that instead of the malicious link being delivered via email, the link is “presented” on a well-known (and even reputable) Web site.

Site jackings have been reported on MySpace and eBay. While people are unlikely to store sensitive financial data on a social networking site like MySpace, their MySpace username and password may be the same ones they use for other sites (for example, their online banking, brokerage account, or eBay accounts). Additionally, some Web sites pop up a warning when you click on a link that takes you off the site, but users have been observed to ignore such warnings. In fact, users are conditioned to ignore them, because most of the time they really are following a legitimate link!

You can avoid becoming the victim of these attacks by using a good confidential information management tool. Symantec provides such a tool in the beta release of Norton Confidential, which keeps track of the Web site that corresponds to each unique username and password combination; therefore, it won’t enter a password onto any site other than the intended one. Another helpful information management technique is password “hashing”, where multiple unique passwords are securely derived from a single master password using a cryptographic hash function. The PwdHash browser extension (from the security lab at Stanford University) is designed to limit the damage if a user does, in fact, divulge a password by mistake on a particular Web site: the password entered there is unique to that site, because the tool derives a different hashed password for every other site the user visits. PwdHash also complements another Stanford security lab product known as SpoofGuard, a browser extension intended to alert the user when the browser is being redirected to a “spoofed” or site jacking Web site.
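The two defenses just described, as an added example that is not code from the post, from Norton Confidential, or from the Stanford tools: a per-site password derived from a master password with a keyed hash, and a small vault that refuses to release a credential on any domain other than the one it was stored for. The HMAC-SHA256 construction, the 16-character length, the "last two DNS labels" domain reduction and the bank/spoof URLs are all assumptions made for illustration, not PwdHash's actual algorithm.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the domain that identifies the site.
    Assumption: the last two DNS labels are the registered domain
    (fine for example.com; a real tool needs a public-suffix list)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def hashed_password(master: str, url: str, length: int = 16) -> str:
    """Derive a site-specific password from one master password.
    Assumption: HMAC-SHA256 keyed with the site domain, base64-encoded
    and truncated. A password typed into a look-alike domain therefore
    differs from the one used on the legitimate site."""
    mac = hmac.new(site_key(url).encode(), master.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()[:length]


class ConfidentialVault:
    """Remembers which site each credential belongs to and will not fill
    it anywhere else, the behaviour the post describes for a
    confidential information management tool."""

    def __init__(self) -> None:
        self._store: dict[tuple[str, str], str] = {}

    def remember(self, url: str, username: str, password: str) -> None:
        self._store[(site_key(url), username)] = password

    def fill(self, url: str, username: str):
        # Returns None when the domain does not match the stored site.
        return self._store.get((site_key(url), username))


def demo() -> dict:
    """Constructed scenario: a legitimate bank login page and a
    site-jacking page on a different domain that mimics it."""
    legit = "https://www.example-bank.com/login"
    spoof = "https://example-bank.com.evil-host.example/login"
    vault = ConfidentialVault()
    vault.remember(legit, "alice", "s3cret")
    return {
        "legit_pw": hashed_password("correct horse", legit),
        "spoof_pw": hashed_password("correct horse", spoof),
        "vault_on_legit": vault.fill("https://www.example-bank.com/account", "alice"),
        "vault_on_spoof": vault.fill(spoof, "alice"),
    }
```

Even if the hashed password is captured on the spoofed page, it is useless on the real site, and the vault never offers the stored password there at all.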

Please take steps to make yourself aware of the threat of site jacking and to protect yourself against its effects. In particular, pay attention when your Web browser pops up a warning that you are leaving a particular site or domain; leaving isn’t always a good thing, and the warning deserves your full attention.