Latest Web Hacking Incident Database (WHID) Entries

These are the latest entries added by SpiderLabs to the Web Application Security Consortium (WASC) Web Hacking Incident Database (WHID) Project.

WHID 2011-89: China Implicated In Hacking Of SMB Online Bank Accounts

Entry Title: WHID 2011-89: China Implicated In Hacking Of SMB Online Bank Accounts
WHID ID: 2011-89
Date Occurred: April 26, 2011
Attack Method: Banking Trojan
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography:
Incident Description: This time it wasn't an "advanced persistent threat" that China was associated with: a fraud alert issued by the FBI today implicates China in a cybercrime operation that bilked U.S.-based small- to midsize businesses of $11 million over the past year.
Mass Attack: Yes
Number of Sites Affected: 20
Reference: http://www.informationweek.com/news/security/vulnerabilities/229402300
Attack Source Geography: China
Additional Link: http://www.ic3.gov/media/2011/ChinaWireTransferFraudAlert.pdf

SpiderLabs Research Analysis

This story highlights the continued threat of Banking Trojans, such as Zeus and SpyEye, and how banks need to develop better fraud detection capabilities in order to identify these attacks and prevent monetary loss. There are two distinct Banking Trojan attack scenarios:
  1. The banking trojan steals a victim's login credentials and the criminal then uses them to log into the application and transfer the funds themselves. In this scenario the underlying application weakness is Insufficient Authentication: these sites are typically not using two-factor authentication, which allows a criminal to log in with only the username/password data stolen by the Banking Trojan. From a fraud perspective, these attacks should be identified by Geo IP variances during a live session.
  2. The banking trojan passively waits for the victim to log in and then submits a transfer request, piggy-backing on the existing authenticated session. The application weakness here is Insufficient Process Validation: the transfer request does not follow the proper process flow and should be identified as suspicious by fraud systems.
SpiderLabs recently outlined how Geo IP data can be used within ModSecurity to contribute to a fraud anomaly score.
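As an added illustration of the two scenarios above (this is example code, not SpiderLabs' ModSecurity rule set), the script below scores web-server log lines per session: a login from a country other than the account's profile, or a country change mid-session, covers scenario 1, and a transfer submitted without first fetching the transfer form covers scenario 2. The GeoIP table, account profiles, score weights and log lines are all constructed here.

```python
"""Session-level fraud anomaly scoring for the two banking-trojan scenarios.

Added example; it is not SpiderLabs' ModSecurity rule set. The GeoIP table,
account profiles, score weights and log lines are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for a GeoIP database lookup.
GEOIP: Dict[str, str] = {
    "198.51.100.7": "US",
    "192.0.2.10": "US",
    "203.0.113.42": "CN",
}

# Constructed account profiles: the country the customer normally banks from.
ACCOUNT_HOME: Dict[str, str] = {"alice": "US", "bob": "US"}

# The transfer form must be viewed before a transfer is submitted.
TRANSFER_FORM = "GET /transfer"
TRANSFER_SUBMIT = "POST /transfer"

GEO_VARIANCE_SCORE = 10    # scenario 1: criminal replays stolen credentials elsewhere
FLOW_VIOLATION_SCORE = 10  # scenario 2: trojan injects a transfer into the live session
REVIEW_THRESHOLD = 10      # score at or above which the session is held for review


@dataclass
class SessionState:
    country: Optional[str] = None
    form_seen: bool = False
    score: int = 0
    alerts: List[str] = field(default_factory=list)


def score_request(state: SessionState, user: str, ip: str, request: str) -> SessionState:
    """Fold one request into the session's anomaly score."""
    country = GEOIP.get(ip, "??")
    if state.country is None:
        # First request of the session: compare against the account profile.
        state.country = country
        home = ACCOUNT_HOME.get(user)
        if home is not None and country != home:
            state.score += GEO_VARIANCE_SCORE
            state.alerts.append(f"login from {country}, profile says {home}")
    elif country != state.country:
        # Country changed while the session was live.
        state.score += GEO_VARIANCE_SCORE
        state.alerts.append(f"country changed mid-session {state.country} -> {country}")
        state.country = country

    if request == TRANSFER_FORM:
        state.form_seen = True
    elif request == TRANSFER_SUBMIT:
        if not state.form_seen:
            state.score += FLOW_VIOLATION_SCORE
            state.alerts.append("transfer submitted without viewing the transfer form")
        state.form_seen = False  # each submit consumes one form view
    return state


def score_log(lines: List[str]) -> Dict[str, SessionState]:
    """Score constructed log lines of the form 'session user ip method path'."""
    sessions: Dict[str, SessionState] = {}
    for line in lines:
        sid, user, ip, method, path = line.split()
        score_request(sessions.setdefault(sid, SessionState()), user, ip, f"{method} {path}")
    return sessions


def sessions_for_review(sessions: Dict[str, SessionState]) -> List[str]:
    return sorted(sid for sid, st in sessions.items() if st.score >= REVIEW_THRESHOLD)


# Constructed log: one clean session and one of each trojan scenario.
SAMPLE_LOG = [
    "s1 alice 198.51.100.7 POST /login",     # legitimate customer, home country
    "s1 alice 198.51.100.7 GET /transfer",
    "s1 alice 198.51.100.7 POST /transfer",
    "s2 alice 203.0.113.42 POST /login",     # scenario 1: stolen credentials replayed from CN
    "s2 alice 203.0.113.42 GET /transfer",
    "s2 alice 203.0.113.42 POST /transfer",
    "s3 bob 192.0.2.10 POST /login",         # scenario 2: victim's own session
    "s3 bob 192.0.2.10 GET /balance",
    "s3 bob 192.0.2.10 POST /transfer",      # ...but the form was never viewed
]

if __name__ == "__main__":
    for sid, st in score_log(SAMPLE_LOG).items():
        print(sid, st.score, st.alerts)
```

Sessions s2 and s3 both reach the review threshold, for different reasons: s2 trips the geo check although its process flow is perfect, while s3 comes from the victim's usual country and only fails the flow check. A fraud system that relies on geo data alone would miss the second scenario entirely.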

WHID 2011-88: Yahoo! PH Purple Hunt 2.0 Ad Compromised

Entry Title: WHID 2011-88: Yahoo! PH Purple Hunt 2.0 Ad Compromised
WHID ID: 2011-88
Date Occurred: April 24, 2011
Attack Method: Malvertising
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Search Engine
Attacked Entity Geography: USA
Incident Description: Earlier the other day, I was browsing through the Yahoo! PH site and the Yahoo! Purple Hunt 2.0 ad caught my attention. Curious, I clicked the ad and found my browser downloading a suspicious file named com.com.
Mass Attack: No
Reference: http://blog.trendmicro.com/yahoo-ph-purple-hunt-2-0-ad-compromised/
Attack Source Geography:

SpiderLabs Research Analysis

Planting of malware links on legitimate websites is a huge problem. This is especially challenging for sites that leverage banner ad/affiliate networks, as they lose some control over the integrity of the content that will be presented within the context of their site. Organizations must implement some type of analysis of outbound data to ensure that they are not including malicious links within the content being sent to their users. SpiderLabs Research discussed how ModSecurity can use its new Google Safe Browsing API to both identify and clean malware links within response pages.

WHID 2011-87: PSN Admin Dev Accounts Got Hacked

Entry Title: WHID 2011-87: PSN Admin Dev Accounts Got Hacked
WHID ID: 2011-87
Date Occurred: April 24, 2011
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Account Takeover
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Incident Description: Sony's PlayStation Network has been down since Wednesday and stayed kaput throughout the weekend. Sony has admitted that the outage was due to their network being hacked but has not given any further details. But now, a source closely connected with Sony Computer Entertainment Europe (SCEE) reports that the attack is much deeper than admitted by Sony. The source claims that the PSN sustained a LOIC attack (which created a denial-of-service attack) that damaged the server. Plus, it received concentrated attacks on the servers holding account information and breached the Admin Dev accounts.
Mass Attack: No
Reference: http://www.slashgear.com/psn-admin-dev-accounts-got-hacked-source-claims-service-to-return-by-tuesday-24148081/
Attack Source Geography:

SpiderLabs Research Analysis

This entry made it into WHID because of the outcome - data leakage of personal information. There is still much speculation as to the exact attack vectors used within the attack. The safe bet is that there were multiple vulnerabilities that were exploited to dig deeper and deeper into the PSN developer network. This entry is labeled as Brute Force solely because the news report stated that developer accounts were compromised.

WHID 2011-86: Cybercrime Extracts $399,000 from Florida Dentist's Account

Entry Title: WHID 2011-86: Cybercrime Extracts $399,000 from Florida Dentist's Account
WHID ID: 2011-86
Date Occurred: April 25, 2011
Attack Method: Banking Trojan
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Online Trading
Attacked Entity Geography:
Incident Description: "Before the cybercriminals launched their TDoS attack, they found a way to obtain Dr. Thousand's Ameritrade account information and password. Victims in these cases are often targeted through phishing attempts or by clicking an innocuous-looking email link that downloads malware to their system. In this manner, criminals are able to capture account details, passwords and other personal information. Once they have access to an account, they can then change the contact numbers and impersonate the victim when communicating with the bank or broker."
Mass Attack: No
Reference: http://www.prweb.com/releases/2011/4/prweb8338409.htm
Attack Source Geography: USA

SpiderLabs Research Analysis

Another Banking Trojan incident... This time, however, the web application that was exploited was not a bank but rather an online trading site (TD Ameritrade). The victim's computer was infected with the malware, which was then able to conduct fraudulent trades. The interesting twist in this attack scenario is that TD Ameritrade had a mechanism in place to validate suspicious trades: they would initiate phone calls to the customer to confirm the trades. So, what did the attackers do? They conducted telephony denial-of-service (TDoS) attacks against the victim's phone lines. The fatal flaw in this trading site's mechanism was that it was a "fail open" policy: if they could not get through to the customer, they allowed the transactions...
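The following is an added example of what a fail-closed version of that call-back control looks like, written for this entry rather than taken from TD Ameritrade or from the report. It also holds trades when the contact number was changed shortly before the trade, since the report notes that criminals change the contact numbers before impersonating the victim. The confirmation threshold, the seven-day contact-stability window, the attempt count and the simulated phone outcomes are all constructed.

```python
"""Out-of-band confirmation of large trades with a fail-closed policy.

Added example; it does not describe TD Ameritrade's real control. The
threshold, attempt count, contact-change window and call outcomes are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, Dict


class CallResult(Enum):
    CONFIRMED = "confirmed"
    DECLINED = "declined"
    UNREACHABLE = "unreachable"  # busy, no answer, or a flooded line (TDoS)


class Decision(Enum):
    EXECUTE = "execute"
    REJECT = "reject"
    HOLD = "hold"  # not executed; queued for a human to reach the customer another way


@dataclass
class Trade:
    account: str
    amount: float
    requested_at: datetime


@dataclass
class Contact:
    phone: str
    verified_since: datetime  # when this number was last confirmed through a trusted channel


CONFIRM_ABOVE = 10_000.0                # constructed: trades above this need a call-back
CONTACT_STABLE_FOR = timedelta(days=7)  # constructed: a number changed more recently is not trusted
MAX_ATTEMPTS = 3


def decide(trade: Trade, contact: Contact, place_call: Callable[[str], CallResult],
           fail_open: bool = False) -> Decision:
    """Decide whether a trade may execute.

    place_call(phone) is the telephony hook. With fail_open=False (the default)
    an unreachable customer never results in EXECUTE.
    """
    if trade.amount <= CONFIRM_ABOVE:
        return Decision.EXECUTE
    # The attackers in this incident changed the contact numbers first. A number
    # verified only hours ago is not yet a trustworthy confirmation channel.
    if trade.requested_at - contact.verified_since < CONTACT_STABLE_FOR:
        return Decision.HOLD
    for _ in range(MAX_ATTEMPTS):
        result = place_call(contact.phone)
        if result is CallResult.CONFIRMED:
            return Decision.EXECUTE
        if result is CallResult.DECLINED:
            return Decision.REJECT
    # Every attempt failed. This is the branch a TDoS is designed to reach.
    return Decision.EXECUTE if fail_open else Decision.HOLD


def flooded_line(phone: str) -> CallResult:
    """Simulates the customer's phone under TDoS: every call fails."""
    return CallResult.UNREACHABLE


def answering_customer(phone: str) -> CallResult:
    return CallResult.CONFIRMED


def run_scenarios() -> Dict[str, Decision]:
    """Constructed scenarios, all dated to the incident."""
    now = datetime(2011, 4, 25, 10, 0)
    big = Trade("acct-1", 399_000.0, now)
    small = Trade("acct-1", 500.0, now)
    stable = Contact("+1-555-0100", verified_since=now - timedelta(days=365))
    just_changed = Contact("+1-555-0199", verified_since=now - timedelta(hours=2))
    return {
        "small_trade_no_call": decide(small, stable, flooded_line),
        "big_trade_confirmed": decide(big, stable, answering_customer),
        "big_trade_tdos_fail_open": decide(big, stable, flooded_line, fail_open=True),
        "big_trade_tdos_fail_closed": decide(big, stable, flooded_line),
        "big_trade_number_just_changed": decide(big, just_changed, answering_customer),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome.value}")
```

The only difference between the two TDoS scenarios is the policy flag: with fail_open=True the flooded line produces EXECUTE, which is exactly the outcome the attackers paid for; with the default it produces HOLD, and the attackers have gained nothing from jamming the phone.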

WHID 2011-85: IIM-B website hacked

Entry Title: WHID 2011-85: IIM-B website hacked
WHID ID: 2011-85
Date Occurred: April 25, 2011
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Link Spam
Attacked Entity Field: Education
Attacked Entity Geography: New Delhi, India
Incident Description: NEW DELHI: The website of the Indian Institute of Management-Bangalore has been hijacked by hackers peddling erectile dysfunction products like Viagra. The website, www.iimb.ernet.in, has been out of service for at least ten days.
Mass Attack: No
Reference: http://timesofindia.indiatimes.com/tech/news/internet/IIM-B-website-hacked/articleshow/8080736.cms??prtpage=1
Attack Source Geography:

SpiderLabs Research Analysis

Similar to the planting of malware links, in this case the attackers were able to inject spam messages and links. While this is less severe than actual malware links that conduct "drive-by downloads" of browser exploits, it is still disconcerting. Web site owners need to conduct ongoing analysis of their sites in order to assure the integrity of the content they are presenting to users.
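As an added example covering both this entry and the Yahoo! PH malvertising entry above, the script below scans an outbound HTML response for the two kinds of unwanted link: URLs whose host is on a malware blocklist, and off-site URLs pointing at hosts the site owner never put on the page (the link-spam case). This is not ModSecurity's Google Safe Browsing integration; BLOCKLIST is a local set standing in for that lookup, and SITE_HOSTS, the page and every URL in it are constructed.

```python
"""Scan outbound HTML for malware links and unexpected (spam) links.

Added example serving both the malvertising and the link-spam entries.
It is not ModSecurity's Google Safe Browsing integration: BLOCKLIST is a local
set standing in for that lookup; SITE_HOSTS, the page and its URLs are constructed.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action"}


class LinkExtractor(HTMLParser):
    """Collect every URL the browser would follow or fetch from the page."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value)


def extract_urls(html: str) -> List[str]:
    parser = LinkExtractor()
    parser.feed(html)
    return parser.urls


def classify(url: str, site_hosts: Set[str], blocklist: Set[str]) -> str:
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "no-host"       # relative URL (or mailto:/javascript:), not checked here
    if host in blocklist:
        return "blocklisted"   # malware link: the Safe Browsing case
    if host not in site_hosts:
        return "unexpected"    # off-site link the owner did not put there: link spam
    return "allowed"


def scan_response(html: str, site_hosts: Set[str],
                  blocklist: Set[str]) -> Tuple[Dict[str, str], str]:
    """Return (findings, cleaned_html). Flagged URLs are neutralised to '#'."""
    findings: Dict[str, str] = {}
    cleaned = html
    for url in extract_urls(html):
        verdict = classify(url, site_hosts, blocklist)
        if verdict in ("blocklisted", "unexpected"):
            findings[url] = verdict
            attr = r'((?:href|src|action)\s*=\s*["\'])'
            cleaned = re.sub(attr + re.escape(url) + r'(["\'])', r"\1#\2", cleaned, flags=re.I)
    return findings, cleaned


# Constructed inventory of hosts the site legitimately links to, and a
# constructed blocklist standing in for a Safe Browsing lookup result.
SITE_HOSTS = {"www.example.edu", "static.example.edu"}
BLOCKLIST = {"malware.example.net"}

# Constructed response body: one legitimate relative link, one legitimate
# script, one malware download link and one hidden pharma spam link.
CONSTRUCTED_PAGE = """<html><body>
<a href="/admissions">Admissions</a>
<script src="https://static.example.edu/app.js"></script>
<a href="http://malware.example.net/com.com">Purple Hunt 2.0</a>
<div style="display:none"><a href="http://pills.example.org/buy">cheap viagra</a></div>
</body></html>"""

if __name__ == "__main__":
    found, out = scan_response(CONSTRUCTED_PAGE, SITE_HOSTS, BLOCKLIST)
    for url, verdict in found.items():
        print(verdict, url)
    print(out)
```

The blocklist catches only what the lookup already knows about; the allowlist of expected hosts is what catches the spam injection, which no malware feed would flag. Keeping that inventory current is the "ongoing analysis" the entry calls for, and it is why the check belongs on the owner's side rather than in the ad network.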
