
Security Response

Davide Veneziano | 11 Mar 2009 | 0 comments

In my previous post, I discussed the different methods used by fraudsters to store and deliver stolen data from phished users. Even though drop-boxes are the most popular, nowadays we still notice several kits using old-style delivery methods. As a proof of concept, we detected a phishing kit employing a vulnerable “Form to Email” program to deliver the collected credentials to the fraudsters’ drop-box. As already discussed, the big advantage of adopting this technique is that the server hosting the phishing website does not need to be capable of running dynamic content, and so static HTML-only pages can be employed.

However, the amount of information that can be retrieved from users these days is larger than in the past; a couple of usernames and passwords is no longer enough information, since other pieces of data are often required to...

Davide Veneziano | 13 Jan 2009 | 0 comments

My previous blog post highlighted both what a phishing kit is and what functionalities it usually provides to a fraudster who uses it throughout the duration of the social engineering attack known as phishing. I want now to focus my attention on the delivery methods used by this piece of software; that is, the way the information gathered from phished users is stored and ultimately delivered to the fraudster.
 
The evolution of the delivery methods is strictly related to the continued development of Web technologies. The first samples of phishing attacks we came in touch with years ago were entirely composed of static HTML-only pages. At that time, a server’s ability to host dynamic content was quite rare. Even then, any gathered credentials were usually sent to a vulnerable “Form to Email” program, which was a simple CGI script used to grab the parameters sent via a Web form and deliver them through an email...

Davide Veneziano | 29 Oct 2008 | 0 comments

My previous post was intended to demonstrate that malicious software could also be affected by security vulnerabilities. The example considered a remote code execution in a PHP page used in a phishing attack. However, the debate is still open concerning the possibility that the security issue had been intentionally introduced as a back door.

I want to now focus my attention on another piece of malicious code used to control and coordinate the systems belonging to a particular botnet. A botnet is a group of infected zombie machines under a common control infrastructure; usually, a Web application is employed to remotely instruct the systems in order to pursue a variety of illicit purposes.

An authentication bypass vulnerability was found to be affecting the command and control Web interface used in this particular botnet, thereby allowing users to bypass the authentication mechanism and take control of the botnet and its zombies...

Davide Veneziano | 17 Oct 2008 | 0 comments

Volume XIII of the Symantec Internet Security Threat Report highlighted the fact that the number of vulnerabilities affecting web applications is growing. However, these security issues are not only affecting common legitimate applications, but also malicious code. In fact, a source code analysis of several samples revealed serious vulnerabilities that could, ironically, open security holes in programs designed to compromise other users' security.

The investigation originated while analyzing a phishing kit (that is, a package containing a clone website of a financial institution) including a PHP page that was neither called nor apparently used by the fraudster to accomplish his task. The phishing kit contained the following code:

 

...

Davide Veneziano | 29 Sep 2008 | 0 comments

The evolution of a phishing attack is quite straightforward. At first, the fraudsters compromise a vulnerable server and deploy a package called a "phishing kit," which contains a clone application of the targeted institution. Then, mass mailing activities, with the aim of reaching a large number of recipients, are accomplished. Finally, the fraudsters use social engineering techniques to entice victims to submit their credentials, from which the fraudsters attempt to derive valid credentials. This will only happen if the fraudsters are able to convince users that they should trust the phishing website, or at least be tricked into believing it is a legitimate site and not raise any suspicion. Of course, this is not always a painless task.

Symantec has carried out several forensics analyses in order to evaluate the distribution of phished users over the different phases described above. Specifically, I want to focus my attention on the portion of users submitting...

Davide Veneziano | 03 Dec 2007 | 0 comments

Computer forensics is a powerful instrument available to financial institutions in the battle against online fraud. During the analysis of a phishing attack many players need to be considered. As illustrated by Andrea Del Miglio, the role of email service providers is fundamental, but hosting companies as well as individual owners of compromised Web sites can really help in enhancing the effectiveness of the analysis. The information found within the log files of a compromised Web server can support forensics operations; precious details such as IP addresses belonging to end-users, timestamps, and the visited URLs are all recorded into these files. Additionally, the total number of visitors can contribute to the evaluation of the real risk associated with each single attack. That is to say, the more visitors a fraudulent Web site has, the higher the risk.

...