It is a classic case of thieves refining their modus operandi as security gets upgraded. Just as Microsoft plugged 21 security holes in Windows, cybercriminals found a new way to rob secure data – through web applications.
Microsoft recently issued patches for 21 flaws in its software, saying all but two of them could let an intruder run malicious code on a compromised computer. The company sent eight security bulletins this week labeled ‘critical’, which is Microsoft’s highest risk rating. They cover problems with Windows, Internet Explorer, Word, PowerPoint and Exchange Server.
Almost as if in a chain reaction, users of Yahoo’s email services, Google’s Orkut social networking site and eBay’s PayPal online payment service were among the targets of malicious attacks in the past week. The Yamanner worm struck all versions of Yahoo web-based mail except the latest beta version early on Monday morning. The worm took advantage of a JavaScript flaw in particular, said Dean Turner, senior manager of Symantec Security Response. "The worm is taking a pretty novel approach. Yamanner arrives in a Yahoo mailbox bearing the subject header ‘New Graphic Site’. Unlike most email viruses, it wasn't necessary to open an attachment to activate Yamanner. Once the message is opened, the computer becomes infected and the worm spreads itself to people on the Yahoo email contact list. The harvested email addresses are also sent to a remote online server, which Symantec suspects may use the information for spam campaigns," he said. Yahoo was quick on the uptake, announcing a fix for the problem within the day. Nevertheless, the worm hit the remote server more than 100,000 times, forwarding email addresses harvested from unsuspecting users before it could be caught.
The worm infesting Google’s Orkut was discovered by FaceTime Security Labs. The worm, known as MW.Orc, was propagating through Orkut as users launched an executable file disguised as a JPEG. The worm would then steal users’ banking details, usernames and passwords. In addition to stealing personal information, the malware can also enable a remote user to control the PC and make it part of a botnet, a network of infected PCs controlled by a hacker. The botnet in this case uses an infected PC's bandwidth to distribute large, pirated movie files, potentially slowing down an end-user's connection speed.
The flaw in the PayPal website, on the other hand, allowed cybercriminals to host a page on PayPal’s own website. The web page appeared with a genuine SSL certificate, lulling users into a false sense of security. People were then redirected away from the genuine PayPal site to a phishing site hosted in South Korea, where victims were asked for their PayPal login information. According to internet monitoring company Netcraft, which first raised the alarm about the attack on Friday, people were also asked to enter their Social Security number and credit card details. Although PayPal has no idea of how many people were ensnared, it claimed that it immediately altered some code on the PayPal website to block the scam.
The attacks come amid the growing popularity of online communities such as MySpace.com and of web-based calendar, messaging and other services offered by Google, Yahoo and others. "As larger audiences flock to Web sites that run on ever more powerful programming scripts, malware writers are finding them fertile ground," writes Dan Goodin. "Criminals who once launched broad attacks by sending malicious e-mails to millions of people are finding it more effective to target smaller groups of people who congregate in online communities."
According to Dan, also spurring the attacks is the growing power and flexibility of web programming languages that allow Web browsers to look and act more like word processors, spreadsheets and other computer programs. The Yamanner worm, for example, targeted faulty scripts based on Asynchronous JavaScript and XML (Ajax). "Yahoo, Google and other companies have already released products to the market based on the current web services technology flavour of the month Ajax. Google Calendar and Google Spreadsheet are the latest examples. More such online web services are in the pipeline. The proliferation of Ajax in online applications could provide fertile ground for hackers because a JavaScript application is very difficult to protect," writes Stan Beer.
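The Yamanner incident described above turns on one defensive control: a webmail service must strip script-bearing markup from an HTML message before rendering it in the reader's browser session, so that simply opening a message cannot execute code. The following is an added illustration, not Yahoo's code or the worm's: an allowlist-based sanitizer that keeps only known-harmless tags and attributes and drops script blocks, event-handler attributes and non-http link schemes. The tag and attribute lists are assumptions chosen for the example; a production filter would use a real HTML parser rather than regular expressions.

```javascript
// Added example: allowlist sanitizer for HTML email bodies (illustrative, not Yahoo's code).
// Anything not explicitly allowed is removed, which is what neutralises an
// "open the message and it runs" worm: no <script>, no on* handlers, no javascript: URLs.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "a", "img", "div", "span"]); // assumed list
const ALLOWED_ATTRS = new Set(["href", "src", "alt", "title"]);                 // assumed list
const SAFE_SCHEMES = /^(https?:|mailto:|\/|#)/i;   // link/image targets must start like this

function escapeText(s) {
  // Text between tags is rendered as text, never as markup.
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function sanitizeTag(raw) {
  // raw is a single token such as '<a href="..." onclick="...">' or '</a>'
  const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([\s\S]*?)\/?>$/.exec(raw);
  if (!m) return escapeText(raw);                 // malformed token: render as text
  const [, close, name, attrText] = m;
  const tag = name.toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return "";          // unknown tag: dropped entirely
  if (close) return `</${tag}>`;
  const attrs = [];
  const attrRe = /([^\s=]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let a;
  while ((a = attrRe.exec(attrText)) !== null) {
    const key = a[1].toLowerCase();
    const val = a[3] ?? a[4] ?? a[5] ?? "";
    if (!ALLOWED_ATTRS.has(key)) continue;        // removes onclick/onerror/style/etc.
    if ((key === "href" || key === "src") && !SAFE_SCHEMES.test(val.trim())) continue;
    attrs.push(` ${key}="${val.replace(/"/g, "&quot;")}"`);
  }
  return `<${tag}${attrs.join("")}>`;
}

function sanitizeHtmlEmail(html) {
  // Drop <script>/<style> elements together with their contents, then filter
  // every remaining tag and escape every text run.
  const withoutScripts = html.replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, "");
  return withoutScripts.replace(/<[^>]*>|[^<]+/g, (tok) =>
    tok.startsWith("<") ? sanitizeTag(tok) : escapeText(tok));
}

// Constructed sample message body, not a real worm payload.
const SAMPLE = '<p>Hi <b>there</b></p><script>run()</script>' +
  '<a href="javascript:run()" onclick="run()">link</a>' +
  '<img src="https://example.invalid/x.png" onerror="run()">';
console.log(sanitizeHtmlEmail(SAMPLE));
```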
Although Yahoo, Google and eBay managed to fix their flaws in no time, companies such as Microsoft that plug holes on individual PCs have to get millions of users to download and install a patch, a process that's more time consuming. Nevertheless, a learning curve is seen here. "In some ways, we’ve forced them to be more clever because we’ve shut down the old means they had of infecting people. What we see attackers doing is trying to slide under the radar by moving into new areas where people’s guards may be down," Dan says. Computer security experts are comfortable with the notion that web designers will get better at anticipating ways in which their code can be exploited, but by then criminals are likely to have moved on to newer targets.