Symantec Blogs: Security Response

Andrea DelMiglio | February 22nd, 2008

Earlier this afternoon in Italy hundreds of thousands of people received an email from a “friend” stating (approximately) the following:

You’re under investigation! Hide everything and be quick!!! Your name appeared this morning together with 150 more persons on the website of CAFF in Rome. Check it by yourself, you’re on January’s list: the website is the following: http://www.site.tld/caff/

The email is relatively convincing and Symantec believes many users have actually visited the Web site:

The Web site look and feel is very similar to other Italian government Web sites and also the choice of the...

Andrea DelMiglio | January 10th, 2008

The "referer" [sic] header is generallyused to track back-links in order to understand how a certain Web siteis being reached by its visitors (hyperlinks on other Web sites, searchengines, etc.) According to the RFC2616,“...the Referer request-header field allows the client to specify, forthe server's benefit, the address (URI) of the resource from which theRequest-URI was obtained (the "referrer", although the header field ismisspelled).”

In the online fraud arena, the referrer field can also be used to detect new phishing Web sites. Let’s use as an example the following phishing site (which also happens to be a Rock Phish attack):

...

Andrea DelMiglio | January 8th, 2008

As discussed in the past, cross site scripting (XSS) can be exploited by phishers to build really effective attacks. Today we have analyzed another similar attack that includes some enhanced features. The attack was exploiting an injection flaw in an Internet banking application, specifically located in the module used to display warning messages to users.

The function took a single GET parameter:

https://www.well-known-bank.com/popup.asp?msg=[ASCII_encoded_message_to_display]

And then returned a page with the following in the body:

document.writeln([decoded_messages]);

Obviously the aim here is to have a single page display warnings that are available to every module in the application. Because the input was not properly sanitized the attackers used...

Andrea DelMiglio | October 29th, 2007

As anticipated in my first blog post, email service providers play a central role in the battle against online fraud. This is because they are often the only organization to own the data needed to support financial institutions and law enforcement agencies in prosecuting criminals.

Most phishing sites are hosted on compromised Web servers and in the past, stolen accounts were stored in local log files that phishers used to save under rather standard filenames (like “data.log” or “cc.txt,” where “cc” obviously stands for credit card). Web servers with directory listing enabled, together with phishing kit analysis, quickly made this simple technique ineffective, because financial institutions were able to read those files as well. Therefore, they were able to block stolen Internet banking accounts and credit cards, thus...

Andrea DelMiglio | July 30th, 2007

Since May, phishing attacks against Italian banks have been a visible but rather limited phenomenon. Most financial institutions reacted quickly, setting up proper fraud management processes, education campaigns for end users and technical countermeasures since early 2006. But in the last three months, Italian mailboxes have been flooded by millions of phishing emails, moving the problem to the next level.

[Figure: Number of single URLs per month (July 07 data includes attacks until July 27th)]

As the graph illustrates, the number of attacks grew 14 times since the 2006 peak (127 in August) to the current 2007 peak (1735 last May). Attack...