Full Disclosure mailing list archives
Is there a 0day vuln in this phisher's site?
From: <lists-security () nettracers com>
Date: Sat, 29 Jan 2005 00:14:55 -0800
I was annoyed today by a phisher impersonating my favorite bank, Washington Mutual: http://www.Wamu.com

The phisher's site: http://220.194.228.91:87/wa/

Obviously any data collected there will be abused by the phishers... but does it pose a greater risk of being exposed to a much wider audience of crackers? Have these phishers hardened their system enough to prevent attack and maybe even the discovery of their identity?

So I did a quick scan of the "collector" system 220.194.228.91 set up by the phishers and found the Asia-Pacific based system to have TCP port 87 open for web, and UDP 7 (Echo) and UDP 161 (SNMP) open.

Browsing the SNMP MIBs showed me a Win2K system with a private address 192.168.0.1 sitting in WORKGROUP with a LANMAN name ZFZ. Network card MAC addresses (VITALCOM) 00e0433a4bbd and 00e0433a4957 and MTUs of 1500. sysUpTime TimeTicks 11 hours, 3 minutes, 22 seconds. Usernames Guest and cclogin.

Mib Oid; Type; Value; Type #;
.iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116; String; Guest; 4;
.iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.7.99.99.108.111.103.105.110; String; cclogin; 4;

Also, looking at the source on the /wa/index.htm and /wa/thank.htm pages shows that they were grabbed for malicious editing on 10/4/2004... that is as far as I could take it tonight.

Regarding the open SNMP, I have seen "a buffer overrun is present in all implementations", but do not know if the phisher's system is exploitable and have not tried any code to actually do this. Once cracked, getting information regarding all connections could lead closer to the real identity of the phishers, especially if some trojan code can be placed using an SNMP exploit. If those phishers are getting wealthy by stealing identities, it would be possible for them to be trumped by yet another crook stealing their identity/bank accounts, etc.

Some questions for the inclined:

1) What information can still be gathered regarding this fake banking site using both passive probes and active exploits?
2) How long has this particular site been active?
3) Is the network range repeatedly used for malicious activity, or is this unusual activity in that network?
4) While the proliferation of these sites has caused a tremendous amount of security awareness in businesses and the public, these scams continue to trick people. How can phishers be virtually neutered?
5) When secure transactions must be done via the web, users must be verified to the secure site, but web sites are not easily verified by the average user. What foolproof device, dongle, etc. could a clueless user employ to verify a secure site?
6) Should secure sites employ steganographic watermarking to allow for forensic tracking of images served by secure sites? (Do they do this already like my Minolta QMS2300DL does with those little yellow dots?)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html