How the Online Trust Model is Broken - The Bank of India.com attack
Thanks to the team at Sunbelt Software comes news of a serious hack perpetrated on the website for the Bank of India at http://www.bankofindia.com (non-clicky for those who aren't reading closely).
Attacks and public defacements on websites are regular occurrences and can be seen at Zone-h, and attacks against high profile sites are not uncommon. This particular hack introduces an invisible 1 x 1 <iframe> that loads immediately after the <body> tag, so it wouldn't normally be included in the Zone-h archive and wouldn't normally be noticed by the average Internet user.
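The injection pattern described above (a tiny, off-site iframe placed straight after the <body> tag) is easy to check for on the defender's side once the page source has been fetched. The following Python script is an added example, not code from Sunbelt or from this article; it scans a page for iframes that are off-site, 1 pixel in size, hidden by CSS, or placed immediately after <body>, and reports why each one is suspicious. The HTML sample and the injected.example host are constructed for the example.

```python
"""Flag hidden or off-site <iframe> injections in fetched HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _px(value):
    """Turn a width/height attribute such as "1" or "1px" into an int, else None."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


class HiddenIframeFinder(HTMLParser):
    """Walk the page once and record every <iframe> with the reasons it looks injected."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._last_tag = None  # the most recent start tag seen before the iframe

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "iframe":
            self._inspect({k.lower(): (v or "") for k, v in attrs})
        self._last_tag = tag

    def _inspect(self, a):
        reasons = []
        # The injection on the Bank of India site sat directly after <body>; note that placement.
        if self._last_tag == "body":
            reasons.append("placed immediately after <body>")
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != self.page_host:
            reasons.append("off-site src %s" % host)
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny frame %sx%s" % (a.get("width"), a.get("height")))
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append({"src": src, "line": self.getpos()[0], "reasons": reasons})


def find_hidden_iframes(html, page_host):
    """Return the suspicious iframes found in `html` as served from `page_host`."""
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one injected 1x1 off-site iframe right after <body>,
# followed by a legitimate full-size same-site iframe that should not be flagged.
SAMPLE_HTML = """<html><head><title>Constructed sample</title></head>
<body>
<iframe src="http://injected.example/" width="1" height="1" frameborder="0"></iframe>
<h1>Account services</h1>
<iframe src="http://www.bankofindia.com/rates" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, "www.bankofindia.com"):
        print("line %d: %s  [%s]" % (f["line"], f["src"], "; ".join(f["reasons"])))
```

Running the script against the constructed sample reports only the injected frame, with all three reasons listed; the same-site 600x400 iframe is left alone. Because the check runs on the HTML actually fetched at that moment, it does not depend on how recently a trust broker last rated the site.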
Although the site that the iframe points to (goodtraff.biz) has since vanished from the Internet (about an hour before this article was written), WHOIS records still exist that indicate that the malware was being hosted out of Russia. Sunbelt's analysis shows several other sites being involved in the attack, though these no longer load since goodtraff.biz doesn't respond to queries. Manually entering the addresses into a browser will load some of them, suggesting that those upstream malware sources are active (others have already been shut down). Of interest is one particular referenced site, an Adult website traffic aggregator that clearly sets out in its rules that traffic is not to come from:
- pop-ups, consoles, iframes or Error pages
- dialers, iframes, exploits ...
Since that aggregator pays for traffic, it is not known how much money the attacker has been able to make from the Bank of India hack, but their account (user number 0224) is sure to have attracted a significant amount of traffic via the hidden iframe.
Goodtraff.biz has been implicated in malicious activity in the past, though on a relatively small scale. Whoever compromised the Bank of India site (which is still compromised) has elevated a low profile malware site into the limelight, at least temporarily. With more than 22 pieces of malware attempting to install from a single visit to the site, it represents a significant problem for Bank of India customers who have viewed the site over at least the last 36 hours. Unfortunately there is no indication of when the site was first compromised, so there may be a lot of victims from this one particular hack.
This is a problem when users are relying on various online Trust brokers to tell them when a site is malicious, either by displaying a certain colour to indicate malicious activity, or by actively preventing the user from accessing the site. One of the better known Trust brokers, SiteAdvisor, gives the Bank of India website a clean bill of health. It takes a bit of effort to drill down into the comments before a small link from a user is found that points to Sunbelt's coverage of the hack - but the overall rating remains positive.
SiteAdvisor is not alone in trusting the compromised site. Google's Safe Browsing extension for Firefox fails to notice the breach, as does Finjan, NetCraft and PhishTank SiteChecker. It is expected that most Trust broking sites will report that the Bank of India site is still valid.
For critics of the various Trust broking models, this is a clear example of the fatal flaw present in almost all of them: the refresh interval for a site's rating is far too long to be useful when a surf-by attack on a trusted site can be set up in a matter of seconds, live for hours, and reach a victim base of thousands or more.
All of the advice given to users for how to protect themselves when surfing online breaks down in the face of a compromise of a trusted online financial institution - it is exactly the kind of trusted site that the user is told they can run Scripting and ActiveX controls on (as appropriate) with little fear of compromise.
There are some alternative models of trust being developed, but most are still being kept quiet by the various developers and vendors who are working on them, including Sûnnet Beskerming's own Nabu system. (To address previous complaints: the reason why no one has heard of Nabu and cannot find information on it is that Sûnnet Beskerming does not leak information about what is being created in its research labs. If you want to know more, you can contact Sûnnet Beskerming directly.)
The best advice for visiting any site on the Internet is to apply caution. It doesn't matter how well you trusted the site in the past, it isn't going to take much to completely compromise both it and your system.
31 August 2007