
Web 2.0 Phishing leading to Multi-vector Attacks - Part 1

02.03.2009 - 4:40 PM

Part 1 of 2

During 2008, online fraudsters worldwide demonstrated their adaptability by defeating a range of email and Web filtering services offered by different security vendors. From the fraudsters' perspective, the attack strategy involves more than registering fake accounts or email addresses, sending mass emails, infecting thousands of user machines, and stealing information. It also involves combining different tactics, all with the consistent goal of reaching prospective victims across different areas of the Internet.

Online fraudsters have continued to expand their efforts and to increase the sophistication of their attack strategy by using Web 2.0 functionality. Their apparent goal is to extend their threatscape across a variety of Web-based services.

In a Web 2.0 world, users are given privileges such as the ability to create content, edit HTML directly, upload files, and distribute content. Blogging, commenting, and similar methods of information exchange collectively form a significant and widely used segment of the Web 2.0 space. This power is being abused by fraudsters to carry out user-targeting attacks that pose a direct threat to the Web 2.0 space and also have a significant impact on other Web- and email-based services.

Fraudsters have been constantly improving their underground ecosystems and adopting different attack strategies to target unsuspecting users. This trend has increasingly affected popular services provided by major players in the Internet's email, Web, and Web 2.0 arenas.

Recently, attackers have used a combination of Web 2.0 functionality and the abuse of various Web-based services to drive their attacks.

Abuse of Web 2.0 functionality (Google's Blogger Phishing)

Older attacks abused Google's Blogger service directly, using CAPTCHA-breaking operations to register fake accounts from which the attacks were then launched. Such attacks have proven successful, relying on the trusted reputation of Google's services. Newer attacks, however, aim to increase the lifetime and scope of the campaign: instead of living on Google's infrastructure, they rely on the trusted reputation of various other legitimate Web-hosting service providers.

Phishers and malware authors have started impersonating Google's popular Web 2.0 service, Blogger. Fake blog pages are created and published that appear identical to Blogger pages but are neither owned nor hosted by Google. These phishing pages are designed to look legitimate: most of the code is standard HTML copied from Blogger's templates, with stylesheet information providing the page's formatting and structure. Multiple faux-Blogger phishing pages (carrying the attackers' customized content) are created, along with multiple spam blogs (splogs) and spam blogospheres (splogospheres). These are heavily interlinked and hosted on various legitimate Web-hosting services.

The following screenshot shows a fake "Blogger" phishing page: a spam blog (splog) hosted by a non-Google Web-hosting service provider. The fraudsters include references to legitimate services in their splogs and splogospheres to reassure unsuspecting users and increase the chances that the attack succeeds.

The next screenshot shows a fake "Blogger" phishing page that belongs to a spam blogosphere (splogosphere), a large collection of splogs hosted by a single Web-hosting service provider.

Here, the screenshot shows multiple fake "Blogger" phishing pages: splogs hosted by different non-Google Web-hosting service providers.

This screenshot shows multiple splogs created and massively interlinked, forming a complex link farm which in turn forms a massive splogosphere.

All these splogs and splogospheres are built and constantly updated to act as doorway pages with one goal: to victimize unsuspecting users through click-throughs, adware installations, and information-stealing malware infections.
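The two traits described above, Blogger branding served from a non-Google host and dense reciprocal linking between splogs, are both cheap to check once a crawl of the pages is in hand. The script below is an added example and is not code from the original post or from Google: it parses each crawled page with the standard library, flags pages that carry Blogger branding (a "Powered by Blogger" footer or resources on Google's Blogger domains) while being served from elsewhere, and then looks for the link-farm structure by counting reciprocal links between crawled hosts. Every hostname, the `splog()` template builder and the `CRAWL` dictionary are constructed placeholders; the domain suffixes in `GENUINE_BLOGGER_SUFFIXES` and the reciprocal-link threshold are assumptions for the example.

```python
"""Heuristic triage for faux-Blogger phishing pages and splog link farms.

Added example (not code from the original post). The "crawl" below is
constructed for illustration: every hostname is a placeholder and the
HTML is a minimal stand-in for the copied Blogger templates.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains under which Google itself serves Blogger content. A page
# that carries Blogger branding but is served from anywhere else is suspect.
GENUINE_BLOGGER_SUFFIXES = ("blogger.com", "blogspot.com", "google.com")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_genuine_host(host):
    return any(host == s or host.endswith("." + s) for s in GENUINE_BLOGGER_SUFFIXES)


class LinkAndTextCollector(HTMLParser):
    """Collects the hosts a page references (href/src) and its visible text."""

    def __init__(self):
        super().__init__()
        self.link_hosts = set()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("href", "src"):
            if a.get(key):
                h = host_of(a[key])
                if h:  # relative URLs have no host and are skipped
                    self.link_hosts.add(h)

    def handle_data(self, data):
        self.chunks.append(data)


def analyse_page(url, html):
    """Flag a page that borrows Blogger's identity but is hosted elsewhere."""
    p = LinkAndTextCollector()
    p.feed(html)
    text = " ".join(" ".join(p.chunks).split()).lower()  # normalise whitespace
    host = host_of(url)
    borrows_branding = "powered by blogger" in text or any(
        is_genuine_host(h) for h in p.link_hosts
    )
    return {
        "host": host,
        "links": p.link_hosts,
        "faux_blogger": borrows_branding and not is_genuine_host(host),
    }


def find_link_farm(analyses, min_reciprocal=2):
    """Hosts with at least `min_reciprocal` reciprocal links to other crawled
    hosts. Doorway splogs link to each other far more densely than independent
    blogs do, so reciprocal degree within the crawl is a usable signal."""
    crawled = set(analyses)
    out = {h: analyses[h]["links"] & (crawled - {h}) for h in crawled}
    reciprocal = {h: {o for o in out[h] if h in out[o]} for h in crawled}
    return {h for h, r in reciprocal.items() if len(r) >= min_reciprocal}


def triage(pages):
    analyses = {host_of(u): analyse_page(u, html) for u, html in pages.items()}
    return {
        "faux_blogger": {h for h, a in analyses.items() if a["faux_blogger"]},
        "link_farm": find_link_farm(analyses),
    }


def splog(self_host, peers, branded=True):
    """Build a constructed page body: a Blogger-styled doorway with peer links."""
    footer = 'Powered by <a href="http://www.blogger.com/">Blogger</a>' if branded else ""
    peer_links = "".join(f'<a href="http://{p}/">friend</a>' for p in peers)
    return (f'<html><head><link rel="stylesheet" href="http://{self_host}/blogger.css">'
            f'</head><body><h1>Daily Deals</h1>'
            f'<a href="http://offers.example/go">click here</a>{peer_links}'
            f'<div class="footer">{footer}</div></body></html>')


A, B, C = "blog-one.host-a.example", "blog-two.host-b.example", "blog-three.host-c.example"
CRAWL = {  # constructed crawl: three interlinked splogs, one genuine blog, one unrelated site
    f"http://{A}/": splog(A, [B, C]),
    f"http://{B}/": splog(B, [A, C]),
    f"http://{C}/": splog(C, [A, B]),
    "http://realblog.blogspot.com/": splog("realblog.blogspot.com", [A]),
    "http://news.example/": splog("news.example", [A], branded=False),
}

if __name__ == "__main__":
    result = triage(CRAWL)
    print("faux-Blogger pages:", sorted(result["faux_blogger"]))
    print("link-farm members: ", sorted(result["link_farm"]))
```

On the constructed crawl the three `host-*.example` splogs are flagged on both counts, the blogspot.com page passes the branding check because its host is genuine, and the unrelated site is ignored because it neither mentions Blogger nor links to Google's domains. Both checks are heuristics: a legitimate Blogger blog served from its own custom domain would trip the branding check, and a small group of real blogs that link to each other can reach the reciprocal threshold, so treat hits as candidates for a blocklist review rather than as a verdict.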

Continued in Part 2.

Security Researcher: Sumeet Prasad
