Tag Archives: payment brands

Chrome, Firefox and Opera all vulnerable to phishing flaw

Many popular browsers, including Firefox, Chrome and Opera, have a vulnerability that makes phishing attacks easier.

The vulnerability lies in the ease with which an attacker can create a spoof website with a URL that looks exactly the same as the real thing. It relies on the way that many browsers interpret Punycode.

Punycode is a way of representing Unicode, the standard method by which computers encode text of non-Roman languages such as Arabic or Mandarin and accented characters such as “ü”. Using Punycode, URLs containing Unicode characters are represented as ASCII characters consisting of letters, digits and hyphens.

The problem arises from the fact that similar characters are hard to distinguish from each other. While a Cyrillic small letter “a” (Unicode character U+0430) is different from a Latin small letter “a” (U+0061), in a vulnerable browser they look the same once the Punycode is decoded and displayed. Therefore the owner of the domain name xn--80ak6aa92e.com, which is displayed as “apple.com”, could create a convincing phishing site.

The vulnerability was highlighted by researcher Xudong Zheng who has set up a test page at https://www.xn--80ak6aa92e.com/ for users to check how their browser interprets a Punycode site. If the URL reads “https://apple.com”, this means the browser is vulnerable.
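As an added illustration (not code from the original article or from Zheng), the following Python script decodes an A-label such as xn--80ak6aa92e, compares it against a small constructed table of Cyrillic letters that look like Latin ones, and keeps the Punycode form for any label that is made entirely of such look-alikes or that mixes Latin and Cyrillic, which is the kind of display rule a hardened browser applies. The look-alike table and the function names are assumptions of this example, not a full Unicode confusables list.

```python
"""Flag IDN labels that are whole-script Cyrillic look-alikes of Latin words."""
import unicodedata

# Cyrillic lowercase letters that render almost identically to Latin letters in
# common fonts. Constructed subset for this example, not the full Unicode
# confusables table; U+04CF (palochka) is the "l" used in xn--80ak6aa92e.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u04cf": "l",
}


def to_unicode_label(label: str) -> str:
    """Decode an A-label (xn--...) to its U-label; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """First word of the character's Unicode name ('LATIN', 'CYRILLIC', ...)."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def analyze_label(label: str) -> dict:
    """Return the decoded label, its Latin 'skeleton' and whether it is risky.

    A label is flagged when every character is a Cyrillic look-alike of a
    Latin letter (whole-script confusable) or when Latin and Cyrillic letters
    are mixed within the same label.
    """
    ulabel = to_unicode_label(label)
    scripts = {script_of(c) for c in ulabel if c.isalpha()}
    whole_script = ulabel != "" and all(c in CYRILLIC_LOOKALIKES for c in ulabel)
    mixed = {"LATIN", "CYRILLIC"} <= scripts
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in ulabel)
    return {"unicode": ulabel, "skeleton": skeleton, "suspicious": whole_script or mixed}


def safe_display(hostname: str) -> str:
    """Render a hostname as a hardened browser would: keep Punycode for risky labels."""
    parts = []
    for label in hostname.split("."):
        info = analyze_label(label)
        parts.append(label if info["suspicious"] else info["unicode"])
    return ".".join(parts)
```

Running safe_display on the test domain above leaves it as xn--80ak6aa92e.com, while a legitimate accented name such as xn--mnchen-3ya.de is still shown as münchen.de.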

“Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate,” writes Zheng.

The act of taking advantage of this vulnerability is known as an internationalised domain name (IDN) homograph attack – or more simply as a homograph spoofing attack.

The vulnerability is nothing new, with the risk being identified in pre-internet days. In 2010 a spoof PayPal website was set up to demonstrate the danger of fakes, in which the Cyrillic characters “raural.com” were shown to be represented as “paypal.com” in browsers.

However, with the rise in phishing attacks in recent times it is disappointing that major browsers still don’t distinguish between Punycode and Unicode domains by default.

Zheng reported his findings to Google, who have promised a fix for Chrome. He has also contacted Opera and Mozilla, although the latter apparently decided it is something that domain registrars should tackle.

In the meantime, Chrome and Firefox users can limit their exposure by going to about:config and changing network.IDN_show_punycode to true.


Seven security priorities for 2017

The enterprise IT security landscape changed dramatically during 2016. Expansion into more clouds, the addition of industrial IoT, and marked increases in virtual deployments resulted in more devices, more locations, and more environments for organisations to monitor and protect. Data rates are increasing, network reach keeps growing, and new appliances keep entering the market to analyse and protect it all, with each needing to be managed, optimised, and secured. This growing network complexity is becoming a security vulnerability in its own right, alongside the dramatic rises in malware and other threats.

To explore and quantify these issues and challenges facing enterprises, and to show how these could be addressed, at Ixia we recently published our 2017 Security Report. We identified seven key areas that organisations need to consider in order to better protect their networks and data in this dynamic cybersecurity environment.

1. Expanding network attack surfaces

An attack surface is the sum of the different points through which an attacker can enter or extract data from an IT environment. The growth in network complexity is increasing the size of attack surfaces in three dimensions: first, the number of locations where data resides; second, network throughput; and third, the volume of IT tools being used. The Internet of Things (IoT) is also making the attack surface even larger, as many IoT devices are neither deployed nor managed by IT. Network segmentation is on the rise, which is good practice, but survey data shows that 47 per cent of organisations are leaving nearly half of their network segments unmonitored. Businesses need to introduce automation and real-time monitoring to see what they are missing.

2. Sharing in the cloud

Cloud usage is on the rise, raising its own security issues. Where do cloud providers’ performance and security responsibilities stop, and individual organisations’ begin? Today, the average organisation is using six different cloud services. By 2020 over 92 per cent of all workloads will be cloud-based. With the growth in the use of shadow cloud services, which fall outside the control of IT, up to ten times more cloud services are likely to be deployed than IT expects. An effective visibility strategy needs to span all of the hybrid, public, and private cloud environments being used by an organisation.

3. The attackers’ arsenal

New, highly sophisticated hacking techniques grab headlines, yet the old, tried and tested methods are still favoured by most cybercriminals. Across different services, operating systems and deployments, attackers are looking for the easiest way to gain entry. We have seen attackers checking for passwords that are 14 years old, probing for vulnerabilities that are over 10 years old, and using malware that has not changed in years.

4. Top usernames and passwords

With so many IT systems in a typical network, password management remains a problem area that attackers are exploiting. The top five username guesses in 2016 were: root, admin, ubnt, support, and user. The top five password guesses were null, ubnt, admin, 123456, and support.

Many of these are the default combinations for network appliances or cloud offerings, so if the IT team fails to change them, there is a simple route in for malicious hackers. IoT devices were also a notable target of brute force guesses.
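One way to turn the username list above into a detection, as an added example that is not part of Ixia's report: the Python script below parses constructed OpenSSH "Failed password" lines, counts failed attempts per source address, and raises an alert for any source that has tried several of the listed default usernames. The log lines, threshold and function names are assumptions of this example.

```python
"""Count failed SSH logins per source and flag guesses of the default
usernames reported for 2016 (root, admin, ubnt, support, user)."""
import re
from collections import Counter, defaultdict

# Usernames the report lists as the top guesses of 2016.
WATCHED_USERNAMES = {"root", "admin", "ubnt", "support", "user"}

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = """\
Apr 20 10:01:02 gw sshd[4211]: Failed password for root from 198.51.100.7 port 50122 ssh2
Apr 20 10:01:04 gw sshd[4211]: Failed password for invalid user ubnt from 198.51.100.7 port 50123 ssh2
Apr 20 10:01:05 gw sshd[4211]: Failed password for invalid user support from 198.51.100.7 port 50124 ssh2
Apr 20 10:01:09 gw sshd[4219]: Failed password for alice from 203.0.113.5 port 40011 ssh2
Apr 20 10:01:11 gw sshd[4220]: Accepted password for alice from 203.0.113.5 port 40012 ssh2
Apr 20 10:01:15 gw sshd[4223]: Failed password for admin from 198.51.100.7 port 50125 ssh2
"""


def parse_failures(log_text):
    """Yield (username, source_ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("src")


def summarize(log_text, threshold=3):
    """Return per-source username counters and the sources whose number of
    guesses against watched usernames reaches the threshold."""
    per_source = defaultdict(Counter)
    for user, src in parse_failures(log_text):
        per_source[src][user] += 1
    alerts = {}
    for src, users in per_source.items():
        watched_hits = sum(n for u, n in users.items() if u in WATCHED_USERNAMES)
        if watched_hits >= threshold:
            alerts[src] = sorted(u for u in users if u in WATCHED_USERNAMES)
    return per_source, alerts


if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_LOG)
    for src, users in alerts.items():
        print(f"{src}: guessed default usernames {users}")
```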

5. Malware or phishing?

Malware continued to dominate over 2016, but during June, July and August, ransomware phishing appeared to have outpaced conventional malware phishing. Major websites such as Google, PayPal and Facebook were the top targets – once again showing how cybercriminals target low-hanging fruit. Meanwhile, Adobe updates were found to be the most prevalent drive-by updates for delivering malware or phishing attacks.

6. Top exploited URI paths and content management systems

A uniform resource identifier (URI) is a string of characters used to identify the name of a resource. The two most exploited URI paths in 2016 were WordPress paths, showing how attackers are targeting sites built on the popular platform. WordPress was by far the most exploited content management system, with Joomla a distant second – yet again, hackers understand how to target the most popular services.

7. The CISO Mind Map

The CISO has a lot to manage. A typical organisation engages as many as 15 vendors for various aspects of security, IP protection, user training, and risk assessment. That includes protecting the inside of the traditional perimeter, dealing with private clouds, firewalls, antivirus software, and encryption. The CISO must also deal with monitoring and securing the outside of the traditional perimeter, including public clouds, SaaS services, smartphones, laptops, and networks of IoT devices. The CISO mind map is complex: the CISO needs to understand all these resources as well as what makes one vendor’s appliance better than another.

In conclusion, key takeaways from our 2017 report include:

Protect the simple stuff: modern firewalls and security tools will protect you adequately from the latest security threats. Most attackers lack the resources to create advanced zero-day malware, and reuse simple methods, including DDoS distractions, older malware/exploits, admin password guessing, or phishing. Start with username and password hygiene, as it is the first place an attacker will look.

Challenge your security architecture: We are constantly surprised at how many networks are not exposed to large-scale testing before deployment. Challenge your defences not with average data flows, but drive them to capacity to see how or if they fail. After all, attackers are doing this every day.

Validate provisioning: Every time a new security or performance monitoring product is added, a new cloud is connected, or a network segment is established, there is provisioning. The vast array of command line interface connections that need programming leads to more complexity. And complexity typically leads to mistakes or vulnerability.

Adopt a Zero Trust model: Never trust. Always verify. Every new device, every new network update, and every provision should trigger validation testing. One error can create an opening.

Inspect encrypted traffic: Many organisations do not decrypt encrypted traffic like SSL and SSH, or leave it to individual security and performance monitoring tools to accomplish. This becomes a major blind spot that attackers are using to hide malware.

Limit your attack surface: The more you can limit your network environment, the easier it will be to protect.

With these measures in place, visibility architectures that allow your IT security team to see your entire network and monitor it in real-time are absolutely essential; after all, you cannot secure what you cannot see.

Jeff Harris, VP Solutions, Ixia

Paypal warns users about latest phishing attempt

An official email from Paypal will never ask a user to do the following through email:

1. Send an email to: “Undisclosed Recipients” or more than one email address.

2. Ask a user to download a form or file to resolve an issue.

3. Ask to verify an account using personal information such as name, date of birth, or address.

4. Ask to verify an account using bank account information such as bank name, routing number, or PIN number.

5. Ask to verify an account using credit card information such as credit card number or type, expiration date, or ATM PIN number.

6. Ask a user for security question answers without displaying each security question that was created.

7. Ask a user to ship an item, pay a shipping fee, send a Western Union Money Transfer, or provide a tracking number before the payment received is available in the transaction history.

— Courtesy spoof@paypal.com

Fraudulent emails are showing up in PayPal users’ email inboxes in an attempt to gain a user’s information, according to PayPal.

Paypal recommends the following for reporting suspicious activity:

1. Open a new browser or tab and type in “www.paypal.com”

2. Log in to the PayPal account in question.

3. Click “Activity” near the top of the webpage.

4. Click on the suspicious transaction to expand the details.

5. Click “Report this as unauthorized”.

6. Complete the report process on the next screen.

— Courtesy spoof@paypal.com

The email is designed to look like an official PayPal email. It says that it is confirming that a new email address has been added to the user’s PayPal account, and asks the user to let PayPal know if they did not add the new email.

The email also contains links to what looks like an official PayPal website. Once on the website, an unsuspecting user is expected to enter their account information immediately in an attempt to access their account.

According to an email from Paypal’s security experts at spoof@paypal.com, 90 percent of all email worldwide falls into the spam or phishing category.
“By submitting reports of suspicious email to us you are helping to address this problem,” Paypal said in a statement.

If an email seems suspicious, the security team recommends opening a new tab or window in a web browser and typing paypal.com to ensure that a user is on the legitimate website.

“Any time you receive an email about activity to your Paypal account, the safest way to confirm validity is to log in directly to the Paypal website and review the relevant section,” Paypal said.

The company said it will never directly ask for personal banking information through an email or ask for answers to security questions without displaying each security question that was created, according to the statement.

The company will also never ask a user to ship an item or send a Western Union money transfer.

If a user believes an email may be suspicious, it can be reported at the Paypal Security Center or the email can be forwarded to spoof@paypal.com and the Paypal Security Team can help determine the validity of the email and try to deter the fraud.

“We take reports of suspicious email very seriously,” Paypal said.