Feeds

ISP typo pimping exposes users to fraudulent web pages

Provider in the middle attacks

Website security in corporate America

ToorCon Comcast, Verizon and at least 70 other internet service providers are putting their customers at serious risk in their quest to make money from mistyped web addresses, security researcher Dan Kaminsky says.

Speaking at the ToorCon security conference in Seattle, Kaminsky demonstrated an exploit class he dubbed PiTMA, short for provider-in-the-middle attacks. A variation of man-in-the-middle attacks, it stole authentication cookies and injected arbitrary content into trusted web pages by exploiting weaknesses in an ad server Earthlink used when returning results for non-existent addresses.

Once upon a time, mistyped domain names resulted in a browser returning a simple DNS lookup error (not a 404 error, as incorrectly reported in an earlier version of this story) that said the address didn't exist. Then ISPs realized they could make money by returning a failure notice that included banner ads and other content. This ad injection is done through the magic of the domain name system. As a result, browsers get fooled into thinking a request for qww.microsoft.com is a legitimate address that's controlled by the same network responsible for www.microsoft.com.

"Guys, anything goes wrong on that subdomain [and] it is an element of the parent," Kaminsky said. "It can access cookies, it can do other things. Normally a subdomain is trusted by the parent. Not this time."

(Slides of the research, which was developed jointly by IOActive researchers Kaminsky and Jason Larsen, are available here.)

Pages that ISPs return for non-existent pages, for example fake.theregister.co.uk, are able to circumvent the so-called same origin policy, which prevents cookies and other types of content set by one domain from being accessed or manipulated by a different address.

Kaminsky's demo relied on an easily exploited cross site scripting (XSS) error in an ad server run by a company called BareFruit, which Earthlink and other ISPs pay to return results for non-existent pages. The flaw meant users of any ISP using the service were at risk of having virtually any website on the internet spoofed by a malicious attacker with knowledge of the vulnerability.

When notified of the error, "BareFruit defecated masonry" and "fixed the bug in about 27 minutes after they heard what they were up to," Kaminsky said.

Even though the specific problem has been corrected, similar ad servers are likely also vulnerable, Kaminsky said, imperiling large swaths of internet. He said the practice should serve as a strong argument in favor of net neutrality, a concept that holds that ISPs should be barred from changing the content of pages they deliver.

"This is not actually rare. This is not a small thing," said Kaminsky added that at least 72 ISPs he's counted are engaged in the practice of spoofing domain names when returning non-existent web pages. They include Verizon, Comcast, and on a smaller scale, Cox and Qwest. "Small amounts of failed net neutrality can lead to catastrophic effects on internet security. Intent not actually required."

To bring home his point, Kaminsky showed how exploitation of the now-patched BareFruit bug allowed him to to return spoofed pages from Microsoft and just about any other web destination he chose. The forgeries are especially convincing because in every case the legitimate domain name appeared in the browser's address bar.

Kaminsky also managed to superimpose a video of Rick Astley on the legitimate web pages of Facebook, Fox News and even Toorcon. "Rick Rolling," as the practice of fooling people into viewing the insipid performer's videos, has grown into a common way to show off hacking and social engineering prowess.

"It's a peculiarly awesome point in one's career when it turns out you get to Rick roll the internet," Kaminsky said in an interview." ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.