Saturday, December 5, 2009

Architecture of the Scheme

Two critical pieces of information were targeted in this scheme: the authentication credentials (i.e., username and password) and the user's credit card information. Figure 1 shows the critical steps of the scheme from beginning to end.

eBay

Attacker's Email

Attacker's Web

Victim

Attacker sends request to eBay for source eBay web server gives source Attacker pulls additional source from eBay eBay web server gives source ''Please resubmit credit card'' Mail client requests real eBay images eBay web site delivers images as requested Victim clicks on a link, thinking it is to eBay Attacker's web site display, looks like eBay User puts in username and password Attacker accepts password, asks for credit card User uploads credit card information Attacker thanks victim for the ''update''

Figure 1: Interaction Diagram Showing Scheme

Each of the thirteen steps identified here supports one of three goals needed for the thief to achieve his objective. Those goals are creation of the fraudulent eBay site, directing users to the fraudulent site, and then operating the fraudulent site such that users never suspect what has happened.

2.1 Creating Fraudulent eBay Site

Creation of the fraudulent site is obviously necessary for this scheme so that users will be inclined to enter sensitive authentication and financial information.

Step 1. To build the fraudulent web site, the attacker simply sends requests to eBay for the HTML markup and images needed to render critical pages of the eBay site. Because the Web works by having clients (such as Mozilla or Internet Explorer) download HTML from the server and then display the results to the user, there is no way for eBay to stop users from downloading its source. In fact, easy replicability of content from one Web site to another is a critical feature of the Web.

Instructing the eBay site to send a copy of the source is as simple as having the attacker point his browser to http://www.ebay.com/.

Step 2. The eBay site responds to the request from the client, sending down the HTML source for the requested page. Capturing this information, instead of using it strictly for display on the attacker's monitor is as simple as using the "Save As" menu option in the browser.

The attacker now has the source code needed to replicate the "look and feel" of the eBay site on any server of his choosing. With some minor modifications to the code, the results of forms can be sent to new programs that reside on the attacker's computer, instead of the legitimate form processing software on the real eBay web site.

Step 3. Additional data might be needed to fetch things like images from the eBay web site, or to see what email from eBay actually looks like.

Step 4. eBay will naturally respond to the attacker's requests—which all by them­selves are quite legitimate. It's important to understand that from eBay's perspec­tive, no fraudulent activity has (yet) taken place.

Unbeknownst to eBay, however, the attacker has not been simply displaying the data he has downloaded. He has created a new site of his own, using the HTML and images from eBay, with modifications to ensure that the data submitted by the user will be collected by the attacker's site instead of submitted to the legitimate eBay web site.

Once the site is finished, it is put online, where it will await users who submit their information to it.

2.2 Directing Users to the Fraudulent Site

Step 5. eBay users now need to be convinced to connect to the fraudulent web site. The means for doing that is by sending an email message, crafted using eBay's look and feel, even including an image of the eBay logo. The text of the message is reproduced precisely in Figure 2.

With the exception of the truncated copyright notice, there seems to be very little indication of anything being amiss. Indeed, to non-experts, the reason given for having deleted the credit card information might even sound plausible.

Step 6. Mail client requests real eBay images. As the user's email client renders the fraudulent message, it will obey the HTML directive to fetch the eBay logo image from the legitimate eBay web site. A careful user might even be inclined to note the source of the eBay logo, which would tend to support the conclusion that the message itself is legitimate.

Step 7. eBay returns real images to client for display in the fraudulent email. Thus, the HTML is stolen from eBay and modified, sent by an attacker, the images come directly from eBay, and the link will connect the user not to the real eBay, but to the fraudulent Web site.

Recently we attempted to authorize payment from your credit card we have on file for you, but it was declined.

For security purposes, our system automatically removes credit card information from an account when there is a problem or the card expires.

Please resubmit the credit card, and provide us with new and complete information. To resubmit credit card information via our secure server, click the following link:

http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn

This is the quickest and easiest method of getting credit card informa­tion to us. Using the secure server will ensure that the credit card will be placed on account within 24 hours.

Copyright 1995-2003 Ebay Inc.

All Rights Reserved. Designated trademarks and brands are the property of their respective

Figure 2: Text of Message Bringing Users to Fraudulent Site

2.3 Fraudulent Site Operation

Step 8. Victim clicks on the link, requesting source from attacker's Web server. Interestingly, the link that is displayed to the user[1] is not the actual URI of the link.

Careful examination of the email's HTML source will show the actual link. Fig­ure 3 shows the HTML source of the paragraph and the link itself.

Please resubmit the credit card, and provide us with new and complete information. To resubmit credit card information via our secure server, click the following link:





http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn




Figure 3: HTML Source of Fraudulent Email Message

The URI is very carefully constructed to appear to be legitimate but to redirect to the fraudulent Web site. Here we break the URI into its parts.

http:// This is the protocol identifier, and the separator characters showing an

external link. The protocol in this case is HTTP, unencrypted. (A typical unsecured web link.)

cgi3.ebay.com: This is an optional section of a URI, reserved for the name of the user logging in, and the separator token (:) used to differentiate it from the next section.

aw-cgieBayISAPI.dllSignInRegisterEnterInfo&siteid=0co_partnerid=2@

This tricky section is obviously constructed to appear to be linking deep down into the eBay web site, but in reality is being put into the optional password field of the URI. The giveaway is the @ character at the end, which means that what proceeded it is user and/or password data.

www.john33.netfirms.com/ The real site name to which the client will connect.

Step 9. Attacker's Web server answers the client's request, sending back the fraudulent HTML for the user's browser to display.

At this point, the user believes that he is following a legitimate link to the eBay web site. What the user sees instead is the illegitimate copy of the eBay web site created in steps one through four.

Step 10. Thinking he is seeing the real eBay web site, the user enters his username and password, sending them to the thieves running the fraudulent site.

Step 11. Fraudulent web site saves the username and password (thus allowing the attacker to login to the user's account on the real eBay site), and displays a page that asks the user to enter his credit card information again.

Note that no matter what the user enters, the fraudulent site will behave as if the username and password were entered correctly. This reinforces the idea to the user that the site is the correct one: when the user enters the right authentication credentials, the site accepts them, and only the user and eBay's server should know what those credentials are.

Step 12. User enters his credit card information and hits submit, sending the credit card information not to eBay, but the fraudulent site.

Note that because the site is not using cryptographic methods for authentication or session confidentiality, the credit card is also exposed to eavesdroppers.

Step 13. Fraudulent site sends back a "thank you" page, promising to update the eBay account within twenty-four hours.

At the end of the session, the user believes that he has updated his eBay account, and the attacker has collected the username, password, and credit card information of eBay users who fell for the scam.

No comments:

Post a Comment