David Barroso Berrueta, S21sec: New objective of online fraud, control of domains
March 2008 by David Barroso Berrueta, R&D CTO, S21sec
In the current online fraud landscape, S21sec detects and in many cases prevents fraud attacks, often while they are still being prepared. Today's Internet Trojans steal access credentials for financial institutions' websites using increasingly sophisticated methods (Browser Helper Objects, process injection and man-in-the-middle). This article describes a new objective of that theft: control of Internet domains.
The most common scenario generally presents three very different elements:
1. An exploit that takes advantage of a vulnerability in the browser, generally delivered as an iframe injected into legitimate pages (infection method).
2. Malicious code that is downloaded once the exploit succeeds (Trojan).
3. A web application that stores the details stolen from the infected computers so that they can be reviewed later (control panel).
There are many combinations of this triad: several websites, different Trojans, exploits for Internet Explorer, Firefox and Opera. The possibilities are almost endless.
To infect as many computers as possible, the infection method must be present on as many websites as possible, including highly visited ones. The way to 'infect' legitimate sites is normally to exploit a weakness already present in the web portal (SSI injection, SQL injection), which is quite effective. The potential for this kind of exploitation is huge, given how poorly configured many portals are and how rarely the software they run is updated.
Once a computer is infected, the malicious code takes total control of it and starts capturing all the information sent over the Internet, for example usernames and passwords. Sometimes it redirects the user to phishing sites where he or she may be persuaded to enter their details.
The situation described above has been going on for some time. What has changed is the appearance of new factors that imply greater risk for all kinds of organisations. The main one is the control of Internet domains.
A control panel example like the one shown below gives the number of infected computers in Spain as 68,684.
Generally the details stolen from infected computers are filtered in the control panel to find portals related in some way to a source of funds: financial institutions, auctions, online payments. However, recent cases show an interest in the access details used to register, modify or remove Internet domains (i.e. the credentials for the upkeep of those domains).
With this information an attacker can:
• Cause a total denial of service by redirecting the main Internet domain (www.miempresa.com) to a non-existent IP.
• Mount phishing attacks using the same method, but redirecting all traffic to a malicious IP (www.miempresa.com to w.x.y.z).
• Sell or transfer the domain (miempresa.com) without authorisation.
• Change the domain's contact details.
• Redirect the domain's mail traffic (MX record) to a malicious mail server that receives all its electronic mail.
• Create subdomains (e.g. infector.miempresa.com) that are subsequently used for malicious purposes (as infection vectors, for example).
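As an added illustration of the bullets above (example code, not part of the original article), the following Python script diffs a snapshot of a zone's DNS records against a known-good baseline and labels each deviation with the attack it suggests: an A record pointing at an unroutable address (denial of service), an A record pointing at an unexpected public address (phishing redirect), a changed MX (mail redirection), changed NS (delegation change, as after an unauthorised transfer) and owner names absent from the baseline (new subdomains). The zone miempresa.com, its addresses and the attacker hosts are constructed for the example; in practice the observed snapshot would be filled from resolver queries and the check run on a schedule.

```python
"""Detect the domain-tampering patterns above by diffing a DNS snapshot of a
zone against a known-good baseline.

All names and addresses are constructed for this example. In practice the
observed snapshot would be built from resolver queries (for example with
dnspython) and the check run periodically."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# owner name -> record type -> set of record data strings
Snapshot = Dict[str, Dict[str, Set[str]]]

# Address ranges that cannot serve the public: pointing www at one of these is
# the "denial of service" case rather than a redirect to an attacker host.
UNROUTABLE = [ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8",
                                      "172.16.0.0/12", "192.168.0.0/16")]

# Known-good baseline for the hypothetical zone miempresa.com (constructed).
BASELINE: Snapshot = {
    "miempresa.com.": {
        "NS": {"ns1.registrar.example.", "ns2.registrar.example."},
        "MX": {"10 mail.miempresa.com."},
    },
    "www.miempresa.com.": {"A": {"203.0.113.10"}},
    "mail.miempresa.com.": {"A": {"203.0.113.25"}},
}


def check_snapshot(baseline: Snapshot, observed: Snapshot) -> List[str]:
    """Return one finding per deviation, prefixed with the attack it suggests."""
    findings: List[str] = []
    for name, rrsets in baseline.items():
        for rtype, expected in rrsets.items():
            got = observed.get(name, {}).get(rtype, set())
            if got == expected:
                continue
            if rtype == "NS":
                # Delegation moved: what an unauthorised transfer looks like from outside.
                findings.append(f"TRANSFER? {name} NS changed to {sorted(got)}")
            elif rtype == "MX":
                findings.append(f"MAIL-REDIRECT {name} MX changed to {sorted(got)}")
            elif rtype == "A":
                if not got:
                    findings.append(f"DOS {name} A record removed")
                for addr in sorted(got - expected):
                    ip = ip_address(addr)
                    if any(ip in net for net in UNROUTABLE):
                        findings.append(f"DOS {name} A -> {addr} (unroutable)")
                    else:
                        findings.append(f"PHISHING? {name} A -> {addr}")
            else:
                findings.append(f"CHANGED {name} {rtype} -> {sorted(got)}")
    # Owner names present in the zone but absent from the baseline: new subdomains.
    for name in sorted(set(observed) - set(baseline)):
        findings.append(f"NEW-SUBDOMAIN {name} {sorted(observed[name])}")
    return findings


# Constructed snapshot in which the mail, phishing and subdomain patterns occur.
OBSERVED_TAMPERED: Snapshot = {
    "miempresa.com.": {
        "NS": {"ns1.registrar.example.", "ns2.registrar.example."},
        "MX": {"10 mx.attacker.example."},
    },
    "www.miempresa.com.": {"A": {"198.51.100.77"}},
    "mail.miempresa.com.": {"A": {"203.0.113.25"}},
    "infector.miempresa.com.": {"A": {"198.51.100.78"}},
}

if __name__ == "__main__":
    for finding in check_snapshot(BASELINE, OBSERVED_TAMPERED):
        print(finding)
```

The baseline should be captured from the registrar's own interface or the authoritative servers when the zone is known to be correct, and a second copy kept off-site, since an attacker who holds the registrar credentials can also change what the authoritative servers answer.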
Recent fraud cases uncovered by S21sec involved the theft of access details for several Internet domain maintenance companies (registrars). The most recent case involved over 400 domain administration usernames and passwords. Bearing in mind that these users generally manage several Internet domains each, several thousand Internet domains could end up being used for purposes other than those for which they were intended.
In summary, illegal activities related to Internet fraud are demonstrating new techniques. Managing Internet domains is an activity that is rarely considered when evaluating risk. However, the threat of credential theft is real and requires a response.
Some safe practices to help protect against this type of threat:
• Apply the organisation's username and password policies to domain management credentials (which generally live in external portals)
• Never use generic usernames
• Never enter access details on computers that are not fully trusted
• Use two-factor authentication where possible
• Use detection and theft prevention services