07 Sep Twitter XSS in the wild
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Earlier today, Softpedia reported that an Algerian hacker using the nickname MCA-CRB has managed to deface the Romanian sites of Google (google.ro) and Yahoo! (yahoo.ro).
When we found out about this incident we were pretty skeptical of these websites being hacked. A website as large as Google can be hacked, in theory, but it’s highly unlikely. We then noticed that both domains resolve to an IP address located in the Netherlands: 22.214.171.124 (server1.joomlapartner.nl) – so it rather looks like a DNS poisoning attack.
The question which remains unanswered up until now is where exactly the DNS spoofing/poisoning attack has happened.There are several possible scenarios here:
Several Eastern European banks have started notifying their customers in the beginning of last week that their cards have been blocked and will be replaced with new ones. Most of the banks did not give out any more details about what happened, and in many cases even failed to notify their customers prior to actually blocking their cards. Is it just another day in the payment processing business? Based on the rushed response from banks and the lack of information surrounding the case, I would say no.
It all started one week ago after the state-owned Romanian bank CEC Bank blocked ~17,000 cards in response to a security breach at one of VISA’s European payment processor.
The reaction of other banks followed soon. The Romanian branch of ING Bank also confirmed to have blocked compromised cards, but didn’t put out a number. They say they’ve only blocked a few cards, but are closely monitoring the situation.
A few days later, Serbian banks also started blocking thousands of cards for security reasons. Raiffeisen Bank, Komercijalna and Societe Generale confirm they have been informed by VISA about some of their customer’s cards being compromised. Very similar to what happened in Romania.
Rumors indicate the European branch of an electronic payment services provider, Euronet Worlwide, to be the source of this breach. This information has been going around Romanian business media (1, 2) – and though it hasn’t been confirmed officially, it would explain why customers from different banks in different countries were affected.
It’s very hard to assess the severity of this security breach, as the banks’ reaction to these events was very mixed. Some banks proceeded immediately to blocking and replacing all affected cads, while others decided to monitor the situation more closely.
Currently, it’s very hard to get a full picture of what is going on, but as it usually happens, these are unlikely to be isolated incidents. Actually, these stories could be just the tip of the iceberg. If you have recently received such a notification from your bank, we’d like to hear from you, especially if it’s outside Serbia and Romania.
Meanwhile, make sure to follow these 3 basic steps to make sure you don’t become a victim of credit card fraud:
Last, but not least, we know it’s the holiday season and shopping is on everyone’s mind. So if you want to keep your money safe when doing online shopping, this insightful article we’ve put together is for you: Online shopping made safe and convenient.
What a coincidence! The same day I start tumblring, Tumblr users get hit by what seems to be one of the most publicized phishing attacks the social network has seen so far.
Yet another phishing attack has resulted in thousands of accounts being compromised. Nothing new here. Phishing is a game of numbers – so even though many users are aware of this threat, there still are some of them who fall victim to this old social engineering trick. Therefore, even with just a low efficiency rate in terms of percentage, thousands of accounts can still be easily compromised by cybercriminals if the phishing page is seen by enough people.
So – for those of you out there who still don’t know the basics of avoiding becoming a victim of phishing attack, here are a couple of tips:
Over the weekend, a lot of Facebook users started receiving malicious chat messages from their friends that looked like this:
“Father crashes and dies because of THIS message posted on his daughters profile wall!” - followed by a shortened URL (using the bit.ly URL shortening services). The missing apostrophe in the word "daughter's" - i.e. "daughter's profile wall" – could be a clue that the message is not genuine, or at least that the author is not a native English speaker, but let’s take a look at what would happen to a user who falls for this social engineering trick.
A new Twitter XSS exploit was identified in the wild as it started to be used by cybercriminals overnight.
But how many people clicked the link? The bit.ly statistics for one of the malicious links are more than worrying, showing an alarming number: more than 100.000.
All clues point to Brazil as the originating country for this attack. First, the 2 domain names used to get the stolen cookies are registered under Brazilian names. More than that, one of them is actually also hosted in Brazil. Last, but not least, just take a look at the tweet used in distributing this malicious payload:
Pe Lanza da banda Restart sofre acidente tragico - it's a short tweet in Portugese about the Brazilian pop band Restart suffering a "tragic accident". I'd say there's not much doubt about the origins of this attack.
We've added detection for the malicious scripts as Exploit.JS.Twetti.a and also made sure the URLs used in this attack are blacklisted. We are currently working on taking down the malicious URLs and minimizing the damage as much as possible. Twitter along with other significant industry peers have of course been notified.
UPDATE: Twitter has confirmed the vulnerability is fixed now.
In a long overdue move, Twitter turned off basic authentication for third-party applications, while enforcing OAuth for all apps. This is a move that should be applauded by anyone concerned about the security of their Twitter account.
This latest move covers a potential vulnerability in the process of giving read/write access to third-party applications, which could lead to a Twitter account being compromised. Well, not anymore. You don't need to give your username and password to third-party developers anymore if you want to use their application on your Twitter account.
Being always concerned about security, I salute Twitter's move to enforce OAuth. This lets me use an application without having to share my Twitter username and password with an unknown entity. Also, hats off to all developers that updated their applications in time and made this change as seamless as possible for the majority of users.
However, keep in mind that OAuth doesn't protect against local attacks - stealing passwords straight from the users' machines. Make sure you use a clean computer when you log-in to Twitter. Also, for more tips on staying safe, I invite you to read my quick How to Avoid Getting Your Twitter Account Hacked guide on Threatpost.
As each day goes by, I see more and more people complaining when it comes to Facebook and privacy:
I’d like to make my friend list private. Cannot.
I’d like to have my profile visible only to my friends, not my boss. Cannot.
I’d like to support an anti-abortion group without my mother or the world knowing. Cannot.
And these are things that get shared while Facebook is being conscious and while their users have previously agreed to this.
It gets even worse. Let's think of all the information that can get leaked without anybody wanting it, neither Facebook, neither the users. Let's take a look at the latest publicly disclosed Facebook vulnerability. Yes, livechat sessions potentially exposed to attackers. Friend lists and other personal data that could get compromised. Pretty bad.
You're not under control, no matter how much you would like to be. Try to imagine for a moment that everything would be perfect. Facebook would have 100% accurate and customizable privacy controls and only your few really good friends will be able to access your phone number or the pictures of how you got drunk during last night's party. Also, the social networking platform itself would be technically flawless, with absolutely no vulnerabilities. I know, it's an utopia, but we have to push things to the extreme. Even in this heavenly world where everything is perfect, imagine one of your trusted Facebook friends gets infected and his account gets compromised. From this point, everything that you carefully shared previously can potentially reach any audience. And it's not even your fault.
The solution is simple. Just delete your account. Problem solved. Simple, huh? Yes, but let's face it, we're not going to do this anytime soon. We'll continue to complain, only to go back home and log-in to Facebook once again.
I propose something different. And I'm always giving this advice to anyone who asks me about privacy and social networks: as long as you have a social networking account, make sure you behave thinking that sooner or later, the things you do online can be seen by anyone. Expect the best, but think of the worst. Don't upload a picture, don't post a link or a comment unless you are prepared to take responsibility for your actions. I know it might be hard to decide, but if in doubt, just don't do it. Don't do it unless it's something that you're ready to share with any person from your past, present or future life. Be honest to yourself first and you won't have any problems. I think it's common sense.
While I was reading the Wired article on how Alberto Gonzalez, the TJX hacker who caused $171.5 million in losses, was sentenced to 20 years in prison, I came across an interesting black SEO campaign that distributes fake AVs through Google.
Here's how the Google SERP looked like after my innocent search for this hot topic:
As you can see, some odd looking links are among the first results. And those links appeared very recently in the Google results page, within the last hour to be more specific. Still, the link that showed up just "9 minutes ago" is actually the second result in the Google ranking, right after the Wired article. Makes you think of how hard the cybercriminals are working to bypass Google's algorithms, eh?
As I was saying in yesterday's blog post, we were expecting the number of Koobface C&C servers to start growing sometime this week:
"Cybercriminals don't want the number of C&C servers to drop too much, as that would mean losing their control over the botnet. So, if the earlier strategy of the Koobface gang is anything to go by, we should be seeing new servers being added to control the botnet soon, most probably this week."
And, guess what? Yesterday evening the Koobface gang started adding new
The total number of active Koobface C&C servers went from a low of 65 yesterday to over 200 at the time of writing – 225, to be precise. This is the most Koobface C&C servers we've ever seen in a 24-hour period, and we keep discovering new ones.
We've already started contacting the owners of the compromised websites to get the C&C servers taken down and cleaned up as quickly as possible.
Two weeks ago we recorded a surge in Koobface, the highly prolific worm infecting social networking sites. It targets sites such as Facebook and Twitter and uses compromised legitimate websites as proxies for its main command and control server.
From the beginning of March the live Koobface C&C servers, which are used to send out commands and updates to all the computers infected by the worm, were shut down or cleaned on average three times per day.
The number of C&C servers dropped steadily from 107 on February 25, to as low as 71 on March 8. Then, in just 48 hours, the number doubled. As you can see in the graph, 10 March was the peak, with 142 active Koobface C&C servers. After that, the number started to drop constantly. We witnessed an average of 5 servers being taken down every day.
Right now, the number is just below 70, the lowest it has been in over a month.
Cybercriminals don't want the number of C&C servers to drop too much, as that would mean losing their control over the botnet. So, if the earlier strategy of the Koobface gang is anything to go by, we should be seeing new servers being added to control the botnet soon, most probably this week.
We will continue to monitor the situation and let you know if there are any important developments.
Kaspersky Lab would like to provide a few tips for users:
Kaspersky Lab users running any of the Company’s current anti-malware products are fully protected from all known variants of Koobface.