Using google-dorks, the attackers can search for frame scripts allowing the inclusion of any url. This search reveals thousands of results with too many websites vulnerable to cross-site framing:

allinurl:”url=http” “frame”

inurl:frame filetype:asp  inurl:”url=”
inurl:frame filetype:aspx inurl:”url=”
inurl:frame filetype:php  inurl:”url=”
inurl:frame filetype:cfm  inurl:”url=”

inurl:iframe filetype:asp  inurl:”url=”
inurl:iframe filetype:aspx inurl:”url=”
inurl:iframe filetype:php  inurl:”url=”
inurl:iframe filetype:cfm  inurl:”url=”

allinurl:http frame.asp
allinurl:http frame.aspx
allinurl:http frame.php
allinurl:http frame.cfm

allinurl:frame.php?url=http
allinurl:frame.asp?url=http

Phishing and other scams are now easier to perform due to cross-site framing.
Having found such frame scripts, allows the attackers to include a webpage which is hosted somewhere else. This webpage can be designed to look like the original website and can be any cross-platform server-side script. It can contain a fake login form which on submit parses the inputted usernames and passwords and sends them to the attacker’s mailbox in cleartext format.

It is also possible to perform XSS attacks as in most cases there is no filtering of special characters, script or other common tags in the URL parameter.

Daniel Hugh mailed us about a cross-site framing and scripting vulnerability affecting Gov.MT (Official website of the Government of Malta):

Gov.MT with Frame Redirect and XSS

The XSS vulnerabilities affecting websites can also be used to perform frame redirects, but not the contrary. So if you submit a website vulnerable to cross-site framing along with a XSS attack vector, we will publish it as XSS.

The above news were written in order to heighten the awareness of potential privacy threats to users of the web.

You can also access this blog post  from XSSed.com – a project I run with Kevin Fernandez.

Here is the link:

http://www.xssed.com/news/26/Cross-site_framed/

XSSed.com is also an attempt to spread education and awareness about XSS to IT professionals and amateurs involved or interested in secure web application development.

The project is run by Kevin Fernandez and Dimitris Pagkalos.
There are still a lot of improvements in the TODO list including the ones listed below:
-RSS feeds.
-Search filters.
-More statistics.
-Submit POST data in the submission page.
-Add public and protected informations with the submitted XSS (more details will soon be available).
-Additional informations will be published on the mirror page (for instance the use of a specific browser to reproduce the vulnerability).

Submitting XSS vulnerable websites, should not be seen as a game for getting the lead in total submissions. Nevertheless we encourage you to submit XSS vulnerable websites for the greater good of a secure web. As RSnake commented on his blog post about XSSed.com, “It’s not who finds the most, it’s about the ease of finding them, the difficulty in stopping them, the various vectors, etc…”. We seriously take in consideration such comments and suggestions for improvements by people with significant experience and expertise in the web application security field.

We call for papers and video tutorials that focus on exploiting XSS vulnerabilities and on preventing them.

Since the launch of XSSed.com, we received many notifications of high-profiled websites that got XSS’ed.

Here is a list of notable XSS’ed websites in the archive:

hushmail.com
youtube.com
members.microsoft.com
netscape.com
*.search.yahoo.com
my.screenname.aol.com
my.imageshack.us
register.go.com
cafepress.com
thawte.com
verisign.com
zonelabs.com
www4.symantec.com
domaintools.com
controlpanel.netfirms.com
2600.com
sun.com
*.globo.com – Famous portal in Brazil
*.mynet.com – Famous portal in Turkey
login.pathfinder.gr – Famous portal in Greece

plus many other “special” websites, including governmental and military…

So far we have had visitors and submitters from – in order of number of visits – Turkey, Italy, United Kingdom, United States, Brazil, France, Russia, Germany, Czech Republic and Pakistan. We would like to thank you for supporting our project.

The XSS attack vectors used on the archived websites, were from RSnake’s XSS cheat sheet.

Zone-H.org has listed the following reasons in the “Attacks Notification” page:

- As a challenge
- Heh…just for fun!
- I just want to be the best defacer
- Not available
- Patriotism
- Political reasons
- Revenge against that website

Here is a list of notable hand picked defacements – archived in Zone-H.org:

US Governmental:

http://dbreports.lanl.gov Win 2003
http://learnlinc.oph.dhh.louisiana.gov Win 2000
http://elbertcounty-co.gov/events.asp Win 2000
http://gis.sedgwick.gov Win 2003
http://gis2.sedgwick.gov Win 2003
http://azdps.gov/inf4z.htm Win 2000
http://csdr-cde.ca.gov/nhst.htm Win 2003
http://join.cio.ca.gov/data/d7j.htm FreeBSD

http://appointments.ca.gov/3D.htm

Famous dot-coms:

http://flightpak.paramount.com Win 2000
http://vassiebel.volvo.com Win 2003
http://ecommercesuite.usbank.com Win 2003
http://panasonickorea.com Linux
http://beta.cmt.msn.com Win 2003

Famous dot-nets:

http://self.wind.it.net/ownz.htm SolarisSunOS
http://korea.net Win 2000

Most defacers of the above websites originate from Turkey, Brazil and Iran.

The sysadmins of insecure webservers and the developers of insecure web applications are mostly responsible for the cracking incidents. It appears to me that the crackers don’t have a specific target.

What they do most of the times, is to use a Netcraft and a Google website list generator. After they import the list into a scanner and scan thousands of websites for possible SQL injections, PHP inclusions, directory traversals, information leaks and other security vulnerabilities. There have been many cases of crackers using social engineering techniques, such as pretexting and phishing, in order to grant access priviledges to confidential information.

Screenshot of a Turkish Googler generating a list of *.gov/s (Click on thumbnail to view it):

With a no-hat approach, and only for educational purposes, we will receive notifications of websites, web-based services and software applications that have been “XSSed“. When a cross-site scripting vulnerability is submitted – URL poisoning, frame injection and other vulnerabilities that can be exploited against users are also allowed – it will be saved automatically in the on-hold archive until review by our staff.

We classify the archived attacks into special (high-profiled) and not special. You can also view what was their unique Alexa pagerank at the time of submission.

Note: Script insertion vulnerabilities, which can lead to cross-site scripting, can also be used to damage a site by blocking its visual access. Please note that this could represent a crime in many countries and we do not support this action.

The goals of XSSed.com, are to provide helpful information resources on cross-site scripting (XSS) attacks and vulnerabilities, and to archive XSS vulnerable websites for statistic purposes. It is an attempt to spread education and awareness about XSS to IT professionals and amateurs interested in secure web application development.

No. I am not a defacer psychologist. I am just expressing my personal opinion on the matter, which is this: If a website defacement doesn’t convey a meaningful message, then it is done for selfish reasons.

A bit of an embarassment for Microsoft’s sysadmins…

The cracker exploited an SQL injection vulnerability in the story.asp file and thus was able to deface the following websites:

http://whatinvestment.money.msn.co.uk Win 2003
http://personalfinance.money.msn.co.uk Win 2003

Screenshot of the defaced website (Click thumbnail to view it):

The most surprising thing – actually not very suprising, judging from past cracking incidents of Microsoft’s systems – is that the website remained defaced for more than 8 hours and the SQL injection vulnerability has not been fixed yet.

Screenshot (Click thumbnail to view it):

You can view the above website defacements and 2.092.360 – as for today at 23:00 GMT – archived digital attacks at Zone-H.org.

“XTech Inc Onwed the Music Industry… and the rest of it ”

Apparently it was hosted in the same webserver with other official german websites of Sony BMG entertainment.

The attackers exploited a web application vulnerability – probably php inclusion – in order to get access to the Solaris 9/10 webserver.

The most probable attack scenario was this: Initially a backdoor through a php shell script was run, then shell access through a terminal to the attackers specified port was aquired. Having done this, if a local root exploit is successful, then the attackers have complete access to the webserver, leaving it vulnerable to other cracking teams, usually for a short time span.

Screenshot of the deface (Click thumbnail to view it):

Here is the list of all the affected websites, along with the OS that they run:

http://britneyspears.de SolarisSunOS
http://stuff.sonybmg.de SolarisSunOS
http://dms.sonybmg.de SolarisSunOS
http://stats.bmg.de SolarisSunOS
http://forum.bmg.de SolarisSunOS
http://research.sonybmg.de SolarisSunOS
http://live.bmg.de SolarisSunOS
http://mediaplayer.sonybmg.de SolarisSunOS

All of the above defacements are archived at Zone-H.org.

It seems to me that this group was very organised. They were providing how-to articles on carding, proxies and online payment processors. They were also selling laptops, mobile phones and cameras, which were bought with stolen/phished credit cards. They were even selling the software and equipment required to copy full details of stolen/phished credit cards into blank cards, in order to be able to cash-out from an ATM the money in the bank accounts.

Screenshot of Google results for “carders online”:

At the bottom of their website, they provided a form which was allowing potential buyers to pay them via E-gold for their illegal services… Their E-gold account seems suspended.

I recommend downloading and installing the Netcraft Anti-Phishing Toobar, which allows you to report a phishing site. You can also report phishing sites by adding the form to your Google personalized homepage.

The form looks like this:

The following is the F.A.Q which was shown on their homepage:

Note: Reading this F.A.Q can help you to better understand how to become more vigilant on protecting your sensitive personal information and banking details from being scammed online with phishing and other techniques. You will never be asked by genuine internet services for your PIN number, SSN and other very sensitive personal information!

F.A.Q.

Q: What will I get?
A: – 20 virgin Credit Cards with full information: Credit Cards number (Master Card, VISA, Amex), expiration date, CVV2/CVC2 digits, card holders name, residing address, state, country, zip code, telephone, DOB (date of birth), SSN (social security number), drivers license number, e-mail, pin code and more.

Q: What is the format of CC you provide?
A: – Format as fallows:

—————————-
Name:
Address:
State:
Zip:
Country:
Home Phone:
E-mail:
Date Of Birth:
Social Security Number:
Mothers Maiden Name:
Drivers License Number:
Drivers License State:
Secret Question:
Secret Question Answer:
Name On Card:
Credit Card Number:
Credit Card Brand:
Credit Card Type:
EXP Date:
Credit Card PIN Number:
CVC2:
—————————-

Q: How will I get it?
A: – You will receive CCs list via e-mail as an attachment |full_info_list.zip| in 24h.

Q: Where do you get full infos?
A: – We get it from various places. Mainly from scamming, spamming and shopadmins.

Q: What does it mean ‘virgin’ credit card?
A: – Virgin means – not used or reselled.

Q: What country CC’s do you have?
A: – United States (US US flag), United Kingdom (UK UK flag), Germany (DE German flag), Ireland (IE Ireland flag), Canada (CA Canadian flag), Australia (AU Australian flag), France (FR French flag).

Q: What is your replace policy?
A: – Declined credit cards are replaced with a new one. We take no responsibility for credit cards validaty after one week.

Q: How can I pay for it?
A: – All you need to make is a small contribution of 50€ worth of gold to e-gold account nr: 3260200. You will get 20 FULL INFOS, 2.5€ each. (We use http://www.e-gold.com ONLY for good anonymity. Open an account for free here).

Q: Do you offer any discounts?
A: – Yes, we offer a discount for serious buyers who buys more than 40 ccs. The price falls to 2€/’Full Info’.

Q: How can I fund my e-gold account?
A: – You should use an exchanger generally. You can fund your account using mailed payments, bank wires, cash deposits, western union, moneygram, credit card, netpay and etc. A list of exchangers you can find here: http://www.golddirectory.com/exchangers.html

Q: What if I have a question?
A: – Do not hesitate to contact us Weandydeal@yahoo.com

Before asking a question: We do not accept western union, paypal, webmoney, wire transfers and etc., E-GOLD ONLY. We do not give free samples for testing or checking, serious buyers only.

What seems obvious to me – after viewing most of those defacements on the Zone-H digital attacks archive – is that their motives are not fully justified. Most of these crackers – better say “script kiddies” – are using publicly available exploits for known vulnerabilities, and by applying logic on how to use them, they succeed in the end at gaining access on webservers.

The fact that the attacked webservers belong to the US government, doesn’t necessarily mean that there is adequate security implemented.

Apart from the little warning/disclaimer that they put on their websites as a scare tactic for crackers, there is very little done on tracing and catching the crackers who successfully broke into their webservers. Setting up honeypots on their systems in order to track the techniques and methodologies which are used by crackers, is certainly helpful knowledgewise.

In the mind and soul of the crackers who deface high-profiled websites, there is a false sense of pride. They think that it reflects their cracking skills and status in the defacers scene. For them, defacing is more like a game. The messages shown in their defacements, are more like an excuse for taking part in this game. The real motivation and reasoning behind their attacks, in most of the cases is not political, patriotic or other; but is just to show off themselves and their country to the world…

They attach a nickname to their personalities and cracking abilities, and they try to raise its status in the scene. They like searching for their nicknames in news websites and showing off the link to other crackers in their IRC channel, other channels, or through their websites.

Below is the list of all the *.gov websites that were defaced in the past 27 days, along with the OS that they run:

(Visit Zone-H.org to view the defacements)

https://www.cahps.ahrq.gov/content/cahpsOverview/faqanswer.asp Win 2000
http://learnabouteva.dgs.virginia.gov/FAQ Win 2003
http://mail.vi.gov/ibh.html Win 2003
http://webmail.vi.gov/index.html Win 2003
http://nd.gov/ndins/communications Linux
http://hca.montgomerycountymd.gov/govtmpl.asp Win 2000
http://fairfaxva.gov/personnel/Jobs.asp Win 2003
http://cstx.gov/home/index.asp Win 2000
https://ssl.cstx.gov/csjobs/job_list.asp Win 2000
http://oss.monroecounty-fl.gov/1923tg.htm Win 2000
http://asc.gov/default.aspx Win 2003
http://eppcapps.ky.gov/earthday/ideas.aspx Win 2003
http://tncarefraud.tennessee.gov/newsAndInfo.aspx Win 2003
http://floydcounty.in.gov Win 2000
http://radsite.lbl.gov/testhost.htm FreeBSD
http://hobbes.lbl.gov/ibh.htm FreeBSD
http://floyd.lbl.gov/ibh.htm FreeBSD
http://archivesindex.sc.gov Win 2000
https://fortress.wa.gov/dshs/f2ws03esaapps/stars/newsarchive.asp FreeBSD

What follows is my brief personal view on this subject.

Such attacks should have been considered illegal for over 10 years now because they cause significant financial losses to businesses as they affect the availability of data and services – A very unethical thing to do…

Causing many problems for all the parties involved in the supply chain…

The end responsibility obviously resides with the attacker, but businesses and individuals are also responsible for not doing anything or very little to prevent such attacks, which are persistent and constantly evolving in increasing frequency and complexity.

Other than education for awareness on DoS/DDoS attacks, I believe that effective prevention techniques and adequate security management is the goal businesses should aim towards. The reason for striving for this goal is to protect their digital assets as well as the flow of information critical to their successful operation.

There are several companies worldwide that provide cutting edge solutions which can protect your enterprise network from this type of attacks and thus allow the constant and secure flow of information.

I will list 2 or 3 here:

Prolexic Technologies – www.prolexic.com

Callaway Alliance – www.ddosprotection.com

Cisco… and many other… Just google it! Keyword: “ddos protection”

The other problem is that DoS/DDoS attacking tools and exploits are publicly disclosed on the internet… This means people relatively unskilled in computer knowledge can cause large amount of damage by simply running a DoS/DDoS exploit against an online target.

The new law decreases the frequency of such attacks but doesn’t stop them…

Food for thought…. I would be happy to know YOUR opinions on this subject.

Read more on this recent law:

http://news.com.com/2100-7348_3-6134472.html

Microsoft is also the operating system (OS) market dominator, meaning that is the main target for crimeware/malware writers – responsible for a very big percent of worldwide cyber-crimes.

Which OS do you prefer for more security? Linux,Windows or any other? Of course, in my view, falling or not a victim of a security exploit depends on the crucial factor of how well you manage the security the OS, services, applications and devices connected to the internet. With a few words: the overall security of your system. It also depends on how efficient and effective are your security vulnerabilities patch management skills.

Do you agree?

[1] http://news.bbc.co.uk/1/hi/business/4831374.stm – Microsoft delays launch of Vista