
Security Bytes: Do-it-yourself phishing kits online

Sophos warns about free phishing kit availability; Yahoo, IE, Mandrakesoft and Courier-IMAP announce flaws.

Do-it-yourself phishing kits on the Internet
It doesn't take money or sophistication to engineer an online banking scam. An aspiring crook simply needs some directions easily found on the Internet. Lynnfield, Mass.-based antivirus firm Sophos said it has discovered that free do-it-yourself phishing kits are being made available online. The kits contain all the graphics, Web code and text required to construct bogus Web sites that have the same look and feel as legitimate online banking sites and include spamming software. Sophos researchers believe hundreds of thousands of phishing e-mails are sent across the Internet every day, each designed to defraud innocent computer users. "Until now, phishing attacks have been largely the work of organized criminal gangs. However, the emergence of these 'build your own phish' kits means that any old Tom, Dick or Harry can now mimic bona fide banking Web sites and convince customers to disclose sensitive information such as passwords, PIN numbers and account details," said Graham Cluley, Sophos' senior technology consultant. "There is plenty of profit to be made from phishing. By putting the necessary tools in the hands of amateurs, it's likely that the number of attacks will continue to rise." He urged users to be wary of any e-mails asking them to reconfirm sensitive financial information and said antispam software at the e-mail gateway can prevent unsolicited messages from reaching inboxes. "Recipients of suspicious e-mails claiming to come from online banks should just delete them and should certainly not click on the links contained within the messages," Cluley said. "Web hosts and ISPs can also play their part in the fight against phishers by closing down Web sites if they find these kits posted on their servers."

Drag and drop vulnerability in Internet Explorer
Copenhagen, Denmark-based security firm Secunia issued an advisory warning users of a "highly critical" vulnerability in Internet Explorer. The vulnerability is caused by the "insufficient validation of drag and drop events issued from the Internet zone to local resources," Secunia said. "This can be exploited by a malicious Web site to plant an arbitrary executable file in a user's startup folder, which will get executed the next time Windows starts up." Secunia said a proof-of-concept also exists that "plants a program in the startup directory when a user drags a program masquerading as an image." Even though the proof-of-concept depends on the user performing a drag and drop, it may potentially be rewritten to use a single click as user interaction instead, the advisory said. Sophos said the vulnerability is a variant of one discovered by researcher Liu Die Yu and has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. Secunia recommended users disable active scripting or use another browser.

Mandrakesoft updates QT3 packages
Mandrakesoft recommends that users update their QT3 packages to correct a heap-based overflow vulnerability that researcher Chris Evans discovered in the QT library. This vulnerability could allow an attacker to compromise the account used to view or browse malicious .bmp files, Mandrakesoft said. On subsequent investigation, the handlers for the .xpm, .gif and .jpg image types were also found to be faulty. These problems affect all applications that use QT to handle image files, such as QT-based image viewers, the Konqueror Web browser and others. The updated packages have been patched to correct these problems, the advisory said.

Yahoo fixes flaws
Yahoo acknowledged that it repaired two flaws in its free mail system that an attacker could have used to view a user's browser cookies and alter the look of some pages. The security holes were fixed last month by making changes on the company's Yahoo Mail servers, a company representative told CNET. "We were alerted of it at the end of May, early June," spokeswoman Mary Osako said. "There ended up being two variations of the issue: one which we could reproduce in a few days and the other which took a lot of effort to reproduce." The vulnerabilities were described as cross-site scripting flaws, which can be exploited to take advantage of scripting languages and misconfigured Web servers to launch an attack against a user's computer. The attacks usually divert the user to another Web site, letting the attacker access the user's cookies or run code on the victim's computer. Yahoo fixed the flaws in its server code, CNET said. Yahoo Mail users do not need to install a patch.

Remote format string vulnerability in Courier-IMAP
An advisory from Reston, Va.-based security firm iDefense warns users of a remote format string vulnerability in Double Precision Inc.'s Courier-IMAP daemon, which can be exploited by attackers to execute arbitrary code. Courier-IMAP is an IMAP/POP3 mail server popular on sites using Qmail, Exim and Postfix, the advisory said. "The 'buf' variable utilized in the fprintf() call is attacker-controlled and can contain format string modifiers allowing an attacker to manipulate the stack and eventually execute arbitrary code," iDefense said. "Successful exploitation does not require authentication, thereby allowing any remote attacker to execute arbitrary code under the privileges of the user that the IMAP daemon runs as." As a workaround, iDefense said users could disable the login debugging option of Courier-IMAP. This can be done by setting 'DEBUG_LOGIN' to 0 in the configuration file usually located at /usr/lib/courier-imap/etc/imapd. The advisory said the problem has been resolved in the latest version of Courier-IMAP.
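The bug class iDefense describes, attacker-controlled text handed to fprintf() as the format argument rather than as a %s argument, is easy to illustrate in a few lines. The following is an added example written for this roundup, not Courier-IMAP's code; the function names, the "LOGIN DEBUG:" prefix and the sample client line are constructed for illustration. It shows the hardened logging pattern (untrusted data always goes through "%s") next to a simple check a defender can run over inbound client data or log lines to flag format directives.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Courier-IMAP's source. It models the pattern in the
 * advisory: a login-debug line built from data the IMAP client sent and
 * passed to fprintf().
 *
 * The vulnerable shape, kept here only as a comment so it is never compiled:
 *     fprintf(stderr, buf);        // buf (client data) IS the format string
 * If buf contains conversion directives such as %x or %n, fprintf() reads
 * and writes memory it was never given arguments for.
 */

/* Count printf-style conversion directives in untrusted text, i.e. the
 * number of '%' characters that would be interpreted as conversions if the
 * text were misused as a format string. "%%" is a literal percent sign and
 * is not counted. A non-zero result on client-supplied data is a useful
 * heuristic for detecting probes against this bug class. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened logger: the fixed format string is a compile-time literal and the
 * untrusted text is supplied as a %s argument, so any directives inside it
 * are copied verbatim rather than interpreted. Writes the line into the
 * caller's buffer and returns its length, or -1 if it would not fit. */
int format_login_debug(char *out, size_t outsz, const char *client_data)
{
    int r = snprintf(out, outsz, "LOGIN DEBUG: %s", client_data);
    if (r < 0 || (size_t)r >= outsz)
        return -1;
    return r;
}

int main(void)
{
    char line[128];
    /* Constructed sample of hostile client input, not a real capture. */
    const char *hostile = "a001 LOGIN %x%x%x%n";

    if (count_format_directives(hostile) > 0)
        puts("warning: client data contains format directives");

    if (format_login_debug(line, sizeof line, hostile) > 0)
        puts(line);   /* prints the directives literally, nothing is interpreted */
    return 0;
}
```

Disabling DEBUG_LOGIN, as the advisory suggests, removes the call site entirely; the fix in the code itself is the one shown in format_login_debug(): never let data from the network become the format argument.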
