Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Latest Web Hacking Incident Database (WHID) Entries(2)

These are the lastest entries added by SpiderLabs to the Web Application Security Consortium (WASC) Web Hacking Incident Database (WHID) Project.

 

WHID 2011-89: China Implicated In Hacking Of SMB Online Bank Accounts

Entry Title: WHID 2011-89: China Implicated In Hacking Of SMB Online Bank Accounts
WHID ID: 2011-89
Date Occurred: April 26, 2011
Attack Method: Banking Trojan
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography:
Incident Description: This time it wasn't an "advanced persistent threat" that China was associated with: a fraud alert issued by the FBI today implicates China in a cybercrime operation that bilked U.S.-based small- to midsize businesses of $11 million over the past year.
Mass Attack: Yes
Number of Sites Affected: 20
Reference: http://www.informationweek.com/news/security/vulnerabilities/229402300
Attack Source Geography: China
Additional Link: http://www.ic3.gov/media/2011/ChinaWireTransferFraudAlert.pdf

 

SpiderLabs Research Analysis

This story highlights the continued threat of Banking Trojans, such as Zeus and SpyEye, and how Banks need to develop more Fraud Detection capabilities in order to identify these types of attacks and prevent monetary loss. There are two distinct Banking Trojan attack scenarios -
  1. When a banking trojan steals a victim's login credentials and then the criminal uses that data to log into the application themselves to transfer funds. In this scenario – the underlying application weakness is Insufficient Authentication as these sites are typically not using Two-Factor auth which allows a criminal to login with only username/password data stolen by the Banking Trojan. From a Fraud perspective, these types of attacks should be identified by Geo IP variances during a live session.
  2. When a banking trojan passively waits for a victim to login and then submits a transfer request while piggy-backing on the existing transaction. This application weakness is Insufficient Process Validation as the transfer request usually does not follow the proper process flow and should be identified by Fruad systems as suspicious.
SpiderLabs recently outlined how Geo IP data can be used within ModSecurity to contribute to potential Fraud Anomaly Score.

 

WHID 2011-88: Yahoo! PH Purple Hunt 2.0 Ad Compromised

Entry Title: WHID 2011-88: Yahoo! PH Purple Hunt 2.0 Ad Compromised
WHID ID: 2011-88
Date Occurred: April 24, 2011
Attack Method: Malvertising
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Search Engine
Attacked Entity Geography: USA
Incident Description: Earlier the other day, I was browsing through the Yahoo! PH site and the Yahoo! Purple Hunt 2.0 ad caught my attention. Curious, I clicked the ad and found my browser downloading a suspicious file named com.com.
Mass Attack: No
Reference: http://blog.trendmicro.com/yahoo-ph-purple-hunt-2-0-ad-compromised/
Attack Source Geography:

 

SpiderLabs Research Analysis

Planting of Malware links onto legitimate websites is a huge problem. This is especially challening for sites that leverage banner ad/affiliate networks as they lose some control over the integrity of the data that will be presenting within the context of their site. Organizations must implement some type of analysis of outbound data to ensure that they are not including malicious links within their content being sent to their users. SpiderLabs Research discussed how ModSecurity can use its new Google Safe Browsing API to both identify and clean malware links within response pages.

 

WHID 2011-87: PSN Admin Dev Accounts Got Hacked

Entry Title: WHID 2011-87: PSN Admin Dev Accounts Got Hacked
WHID ID: 2011-87
Date Occurred: April 24, 2011
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Account Takeover
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Incident Description: Sony's PlayStation Network has been down since Wednesday and stayed kaput throughout the weekend. Sony has admitted that the outage was due to their network being hacked but has not given any further details. But now, a source closely connected with Sony Computer Entertainment Europe (SCEE) reports that the attack is much deeper than admitted by Sony. The source claims that the PSN sustained a LOIC attack (which created a denial-of-service attack) that damaged the server. Plus, it received concentrated attacks on the servers holding account information and breached the Admin Dev accounts.
Mass Attack: No
Reference: http://www.slashgear.com/psn-admin-dev-accounts-got-hacked-source-claims-service-to-return-by-tuesday-24148081/
Attack Source Geography:

 

SpiderLabs Research Analysis

This entry made it into WHID because of the outcome - data leakage of personal information. There is still much speculation as to the exact attack vectors used within the attack. The safe bet is that there were multiple vulnerablities that were exploited to dig deeper and deeper into the PSN developer network. This entry is labled as Brute Force solely becasue the new report stated that devleoper accounts were compromised.

 

WHID 2011-86: Cybercrime Extracts $399,000 from Florida Dentist's Account

Entry Title: WHID 2011-86: Cybercrime Extracts $399,000 from Florida Dentist's Account
WHID ID: 2011-86
Date Occurred: April 25, 2011
Attack Method: Banking Trojan
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Online Trading
Attacked Entity Geography:
Incident Description: "Before the cybercriminals launched their TDoS attack, they found a way to obtain Dr. Thousand's Ameritrade account information and password. Victims in these cases are often targeted through phishing attempts or by clicking an innocuous-looking email link that downloads malware to their system. In this manner, criminals are able to capture account details, passwords and other personal information. Once they have access to an account, they can then change the contact numbers and impersonate the victim when communicating with the bank or broker."
Mass Attack: No
Reference: http://www.prweb.com/releases/2011/4/prweb8338409.htm
Attack Source Geography: USA

 

SpiderLabs Research Analysis

Another Banking Trojan incident... This time, however, the web application that was exploited was not a Bank but rather an online trading site (TD Ameritrade). The victim's computer was infected with the malware and then it was able to conduct fraudulent trades. What is an interesting twist in the attack scenario is that TD Ameritrade has a mechanism in place to validate suspicious trades - they would initiate phone calls to the customer to confirm the trades. So, what did the attackers do? They conducted DDoS attacks targeting the victim's telephone. The fatal flaw in this trading site's mechanism was that is was a "fail open" policy and if they could not get through to the customer, they allowed the transactions...

 

WHID 2011-85: IIM-B website hacked

Entry Title: WHID 2011-85: IIM-B website hacked
WHID ID: 2011-85
Date Occurred: April 25, 2011
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Link Spam
Attacked Entity Field: Education
Attacked Entity Geography: New Delhi, India
Incident Description: NEW DELHI: The website of the Indian Institute of Management-Bangalore has been hijacked by hackers peddling erectile dysfunction products like Viagra. The website, www.iimb.ernet.in, has been out of service for at least ten days.
Mass Attack: No
Reference: http://timesofindia.indiatimes.com/tech/news/internet/IIM-B-website-hacked/articleshow/8080736.cms??prtpage=1
Attack Source Geography:

 

SpiderLabs Research Analysis

Similar to planting of malware links, in this case, the attackers are able to inject SPAM messages and links. While this is less severe then actual malware links that conduct "Drive-by-Downloads" of browser exploits, it is still disconcerting. Web site owners need to conduct ongoing analysis of their sites in order to assure the integrity of the data they are presenting to users.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo