Security Watch: Don't get burned by viruses and hackers
Phishers attack the green zones
By Robert Vamosi 
Senior editor, CNET Reviews
March 16, 2007

Safe Web-surfing tools such as McAfee SiteAdvisor and Netcraft Toolbar scan thousands of Web sites daily, pronouncing some safe, some suspicious, and some dangerous. Phishers (fraudsters, online criminals, apply your own appropriate term), tired of having their creations on a blacklist, are now circling back behind these tools: when possible, they compromise sites previously marked as safe, using a familiar hacking technique that has been known for several years, to inject dangerous JavaScript into those pages. The short-term result is that you unknowingly visit a compromised site and come away with a backdoor Trojan horse installed on your desktop. The long-term result is that these vandals undermine our mutual trust of the Web.

This week Trend Micro joined the party by announcing TrendProtect, a safe-surfing tool similar to McAfee SiteAdvisor. Developer Symantec has yet to announce a similar standalone safe-surfing tool. CNET Reviews recently compared a handful of safe-surfing tools, both free and paid.


Safe-surfing tools are excellent for identifying bogus banking or e-commerce sites before they load in your Internet browser. Using a complicated algorithm that measures such criteria as the validity of the domain name registration, suspiciously long URLs, foreign characters in the URL, and misspellings within the displayed page, these tools rate Web sites as either safe (green icon), suspicious (yellow icon), or dangerous (red icon), and most overlay those ratings on your search engine results.

Unknown waters
Rating unknown Web sites these days is a very good thing. This week, security vendor Fortinet released an alert stating it had discovered blogs containing malicious code on Google-owned Blogger.com that could open remote access to your PC. At first it seemed that vandals had used an old-school hacking technique called cross-site scripting to inject malicious iframe links into the displayed pages. Iframes are used by Web designers to open additional windows (often hosted on other sites) within a main Web page. Recently, iframes have been used by criminal hackers to redirect browsers via JavaScript to malicious-code sites hosted elsewhere.


In a statement to CNET, Google said the Blogger.com example sites cited by Fortinet appear to be "deliberately set up to promote phishing, which is against our terms of service." Indeed, in reviewing one example, a Honda CR 450 blog site, we identified numerous red flags. First, the content of the blog was incomprehensible gibberish, designed more to boost the page's search engine optimization scores on search results pages than to be read by a human being. Second, the blog was created within the last few days and not updated, nor is there much information about the person who created the page. None of these facts alone is damning, but casual or even accidental visitors to the blog could find themselves infected with a remote access Trojan horse. Google said that it is investigating these pages and concluded that "blogs found to include malicious code or promote phishing will be deleted." The Honda CR 450 blog site has been deleted.

It gets worse
But spotting a bogus blog is perhaps somewhat easier than spotting a recently compromised Web site. This week the security vendor WebSense reported on a new phishing scam in which an e-mail, in German, contained a link to a security vendor site in South Korea. So far it's a pretty traditional phishing scam, except the linked site is legitimate. CNET viewed the page with Netcraft Toolbar and SiteAdvisor enabled, and neither displayed warnings as the page loaded. But when we viewed the source code for the South Korean security vendor site, we found an iframe toward the bottom of the code that calls out for content hosted on a server in Hong Kong (now disabled). According to WebSense, the malicious content might have allowed a criminal hacker to remotely access our PC.

This is a potentially huge problem: phishers are attacking sites in the green zones, sites thought to be safe by many safe-surfing tools. A few weeks ago I wrote about vandals compromising the Super Bowl XLI Web site in early February. The compromise was accomplished by injecting JavaScript through a cross-site scripting attack--in other words, appending a script command to the URL and having that site incorporate the attached code onto the Web server. The JavaScript used in the Super Bowl attack was also seen on several health care sites, including the Center for Disease Control. In each case, the JavaScript pointed visitors to the Super Bowl or CDC pages, via an iframe, to malicious content hosted on a server in China. Here again, many of the safe-surfing tools continued to mark the Super Bowl XLI and CDC pages with green icons despite the compromise.
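The check CNET performed by hand on the South Korean vendor site and that applies equally to the Super Bowl and CDC cases (reading the page source for an iframe that calls out to another host, often sized to zero or hidden so the visitor never sees it) can be scripted. The Python below is an added example, not code from the column or from any of the safe-surfing tools it names; the page and the host names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site iframe near the top and,
# as in the case the column describes, an injected iframe near the bottom that
# pulls content from an unrelated host and is sized/hidden so it never renders.
# Both host names are hypothetical placeholders.
SAMPLE_HTML = """<html><body>
<h1>Security vendor home page</h1>
<iframe src="/promo/banner.html" width="300" height="80"></iframe>
<p>Product news and downloads.</p>
<iframe src="http://offsite.example.net/x.htm" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":            # HTMLParser already lowercases tag names
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """True if the frame is styled invisible or has a zero/one-pixel box."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width") or "100")    # missing size: assume visible
        height = int(attrs.get("height") or "100")
    except ValueError:                              # e.g. "100%": not a pixel box
        return False
    return width <= 1 or height <= 1


def find_suspicious_iframes(html, page_host):
    """Return iframes that load from another host or are hidden from the viewer."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname          # None for relative URLs
        offsite = bool(host) and host.lower() != page_host.lower()
        hidden = _is_hidden(attrs)
        if offsite or hidden:
            findings.append({"src": src, "offsite": offsite, "hidden": hidden})
    return findings
```

A same-site, normally sized iframe (the banner above) is left alone; only the off-site or invisible frame is reported, which is the signal the safe-surfing tools in the column were missing.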

Protection?
Almost all of the exploit code identified this week used exploits for a vulnerability already patched by Microsoft in MS05-014. Apparently the phishers are going after users with lax security on their PCs. If you've been diligently patching your computer with the latest Microsoft updates, then you should be fine should you happen upon a recently compromised site. The problem is if you happen upon one site that's been infected with an exploit for an unpatched vulnerability.

We've seen only one safe-surfing tool, EPL Linkscanner Pro, that can ferret out recently added malicious content. But the free version of Linkscanner only works on Internet Explorer, and the paid Pro version doesn't do a good job of reporting obvious phishing pages (you know, the PayPal and Bank of America knockoffs). So, for the time being, you're stuck having to use SiteAdvisor, Netcraft Toolbar, or the new TrendSecure TrendProtect to find the bogus phishing sites, in addition to using Linkscanner Pro to find the malicious sites. Not a great solution, but it's about the only solution for now.

Do you worry about tripping over malicious code on "safe sites"? Should you? TalkBack to me.