Phishing Combines Wildcard DNS and XSS

(WEB HOST INDUSTRY REVIEW) — Using a crafty combo of wildcard DNS records and cross-site scripting vulnerabilities, a new wave of phishing attacks on eBay is using others’ websites to help steal credentials from victims using a fake login, according to UK research and security firm Netcraft (www.netcraft.com).

According to Netcraft, which first spotted the attacks on February 10, the fraudulent eBay login forms are still accessible through the affected wildcard domains and continue to pose a threat.

According to Netcraft, the perpetrators launched the attack on a number of sites running vulnerable versions of iRedirector Subdomain Edition, a PHP- and MySQL-based system that lets website owners use wildcard DNS records on their domains to redirect subdomains. A cross-site scripting vulnerability on these sites lets the attackers inject framesets into specific pages; the framesets load content from malicious websites hosted in France that present a fraudulent eBay login page. If the form is submitted, the malicious page sends the user’s eBay identity and password to a site hosted in South Korea.

Because the vulnerable sites can be reached through wildcard DNS records, phishers can make their fake hostnames look very convincing, using URLs similar to those genuinely used for the eBay login page. Wildcard DNS records also mean an arbitrary hostname can be used for each attack, so a single vulnerable site can be reused against many different targets.
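As an added detection example (not code from the article, Netcraft, or iRedirector), the script below scans access-log lines from a wildcard-DNS host and flags requests that pair a brand-lookalike hostname with reflected HTML such as a frameset, the two ingredients the article describes. The log lines, hostnames, and keyword list are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (virtual host first, then Apache common log
# fields); illustrative only, not traffic from the incident in the article.
SAMPLE_LOG = """\
signin-ebay.redirector.example 203.0.113.5 - - [01/Jan/2000:00:00:01 +0000] "GET /view.php?page=%3Cframeset%20rows%3D%22100%25%22%3E%3Cframe%20src%3D%22http%3A%2F%2Fphish.invalid%2F%22%3E HTTP/1.1" 200 1024
blog.redirector.example 198.51.100.7 - - [01/Jan/2000:00:00:02 +0000] "GET /view.php?page=about HTTP/1.1" 200 1024
cgi-ebay-login.redirector.example 203.0.113.9 - - [01/Jan/2000:00:00:03 +0000] "GET /view.php?page=about HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that, when reflected unescaped, lets a page be replaced by remote content.
INJECT_RE = re.compile(r'<\s*(frameset|frame|iframe|script|object|embed)\b', re.I)
# Assumed keyword list; extend it with whatever brands a wildcard domain is abused for.
LOOKALIKE_WORDS = ("ebay", "signin", "login")


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Return one finding per request showing a lookalike host and/or HTML injection."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        reasons = []
        labels = rec["host"].lower().replace("-", ".").split(".")
        if any(word in labels for word in LOOKALIKE_WORDS):
            reasons.append("lookalike_host")
        if INJECT_RE.search(decode_fully(rec["target"])):
            reasons.append("html_injection")
        if reasons:
            findings.append({"host": rec["host"], "ip": rec["ip"], "reasons": reasons})
    return findings
```

A request carrying both reasons is the pattern worth alerting on; a lookalike hostname alone is a weaker signal, since wildcard DNS answers for any label.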

If that wasn’t enough, Netcraft also reports that fraudsters can find additional sites with the same vulnerabilities using a simple Google search. For sites that are vulnerable, an upgrade of iRedirector is in order.
