Web Application Security Consortium - Web hacking Incidents Database (WHID)

Reported: 12 February 2008
Occurred: 10 February 2008

Classifications:

Attack Method: Cross Site Request Forgery (CSRF)
Country: Korea
Origin: China
Outcome: Downtime
Outcome: Leakage of Information
Vertical: Retail

A Korean e-commerce site was hacked and a staggering number of record, 18 million, where stolen. In the US this would be front news. We don't know if it was front news in Korea, but did not get to the international media.

The attack description is vague but can be best described as session hijacking.

This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non English incidents! After all, it is not English speakers only that get hacked, but rather us, the WHID maintainers that speak only this language.

References:

WHID 2008-05: Drive-by Pharming in the Wild

Reported: 28 January 2008
Occurred: 21 January 2008

Classifications:

Attack Method: Known Vulnerability
Attack Method: Drive by Pharming
Attack Method: Cross Site Request Forgery (CSRF)
Country: Mexico
Location: Client
Outcome: Leakage of Information
Outcome: Monetary Loss
Software: DSL Router
Vertical: Finance

Symantec reported an active exploit of CSRF against residential ADSL routers in Mexico (WHID 2008-05). An e-mail with a malicious IMG tag was sent to victims. By accessing the image in the mail, the user initiated a router command to changethe DNS entry of a leading Mexican bank, making any subsequent access by a user to the bank go through the attacker's server.

References:

Drive-by Pharming in the Wild
Blog Entry, Symantec, 22 January 2008
Symantec reports first active attack on a DSL router
Advisory, Heise, 24 January 2008
Client Side Web Server Hacking
Blog Entry, WHID Blog, 28 January 2008

WHID 2007-72: Gmail CSRF exploited to hijack a domain

Reported: 30 December 2007
Occurred: 15 December 2007

Classifications:

Attack Method: Cross Site Request Forgery (CSRF)
Country: UK
Origin: Iran
Outcome: Defacement
Outcome: Blackmail

Many times we dismiss seemingly minor vulnerabilities in major web sites. Most notably, "yet another" XSS or CSRF vulnerability in a well known service is not considered news anymore. However the following story proves that no matter what, such vulnerabilities cannot be ignored.

The attack is simple, the result pretty frightening. An attacker, presumably Iranian, stole the domain name of David Airey, a graphic artist and a known blogger. The attack was very well timed with David's leaving to a long vacation. The goal was to extort money in order to return the domain. In David's case there is a happy end, as the attention he got helped him receive his blog back, with some loss in traffic, search engine ranking and time. But other victims of the attacker who steal domains for living may not be as fortunate.

References:

When fixing is not enough
Blog Entry, Securiteam, 28 December 2007
WARNING: Google's Gmail security failure leaves my business sabotaged
Victim's Report, David Airey, 24 December 2007
Google GMail E-mail Hijack Technique
Blog Entry, GNUcitizen, 25 September 2007
Collective effort restores David Airey.com
Victim's Report, David Airey, 27 December 2007

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.