Sla.ckers.org
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
Phishing through a Yahoo! video
Posted by: jungsonn
Date: November 04, 2006 01:37PM

Yahoo Video, where you can share videos with everyone. That seems to be a good place to "fish" for phishers. I found it out while testing for a community site who asked me to try to evade some filters with embedded Flash, so I really found it out with some stupid luck and countless tries to evade their filters, but really the problem lies with Yahoo, who are stupid enough to let hardcoded flashvars be passed into the Flash. There could be many other options & hacks in it, but for now I made a proof of concept.

OK, what did I do:

I found that you can pass URLs in the flashvars in the embedded video, then I went to tinyurl to make the phishing URL a little shorter (doesn't have to be, BTW). OK, in the video when you click the link "email", or if the video stops, you can click a few links in it, and it goes to my site. I included the Yahoo video page in a PHP script, and a little JavaScript to point out you are on my server. So I could make a custom "email" page with a few tweaks asking for some info, Yahoo login account (your email) etc... use the imagination.

Proof of concept:

http://www.jungsonnstudios.com/yeehaa/yikes.php

(must have JavaScript enabled)

It's not an exciting find, but alas, it's a big name and I settle for that :)
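
For a community site that accepts pasted video embeds, one way to catch the flashvars redirection described in the post above is to decode every flashvars value and reject any URL that leaves the expected hosts. This is an added example, not part of the original post or of any Yahoo code; the allow-list, the sample markup and the parameter names (`shareUrl`, `emailUrl`) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: links inside an embedded player may only stay on these hosts.
ALLOWED_SUFFIXES = ("yahoo.com",)

# Constructed sample; the parameter names and hosts are hypothetical.
SAMPLE_EMBED = (
    '<embed src="http://player.example/video.swf" '
    'flashvars="id=12345&amp;shareUrl=http%3A%2F%2Fvideo.yahoo.com%2Fwatch%2F12345'
    '&amp;emailUrl=http%253A%252F%252Fshort.example%252Fabc">'
)

def host_allowed(host):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def fully_decode(value, rounds=3):
    # parse_qsl decodes once; undo nested percent-encoding as well.
    for _ in range(rounds):
        value = unquote(value)
    return value.strip()

class FlashVarsAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (flashvar name, decoded value) pairs to reject

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "embed" and "flashvars" in a:
            self._check(a["flashvars"])
        elif tag == "param" and a.get("name", "").lower() == "flashvars":
            self._check(a.get("value", ""))

    def _check(self, flashvars):
        for name, raw in parse_qsl(flashvars, keep_blank_values=True):
            value = fully_decode(raw)
            parts = urlsplit(value)
            is_url = bool(parts.scheme) or value.startswith("//")
            ok = parts.scheme in ("http", "https", "") and host_allowed(parts.hostname)
            if is_url and not ok:
                self.findings.append((name, value))

def audit_embed(html):
    parser = FlashVarsAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

On the constructed sample, `audit_embed(SAMPLE_EMBED)` reports only the double-encoded `emailUrl` value; an embed with any finding should be refused or have its flashvars stripped before the post is published.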

Re: Phishing through a Yahoo! video
Posted by: rsnake
Date: November 04, 2006 01:51PM

Hmm... but how is this any different than just having an iframe pull in the content from the yahoo domain? Maybe I'm missing something.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Phishing through a Yahoo! video
Posted by: jungsonn
Date: November 04, 2006 02:02PM

True.

But when these videos are being posted on trusted (community) sites and thereby also pass the FF anti-phishing list ;) and when a phisher really is only interested in a Yahoo! account takeover, and since this isn't being phished over email (which most users already learned not to trust), but actively invoked by the user himself/herself, on his/her little trusted community/blog page, who wants to email this video to some peers in a hurry, it should/could have some worth. For what it's worth anyway ;)



Edited 1 time(s). Last edit at 11/04/2006 02:04PM by jungsonn.

Re: Phishing through a Yahoo! video
Posted by: rsnake
Date: November 04, 2006 04:37PM

Ah, I see what you're saying. Sort of a viral phishing scheme. Hm... I guess it's possible, but the site probably wouldn't stay up long enough to make it worthwhile is my guess since it only takes one person to figure it out.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Phishing through a Yahoo! video
Posted by: jungsonn
Date: November 04, 2006 06:01PM

Most phishing sites I came across had some nifty JavaScript in them, where you could not notice what happened; after collecting all the data it sends you back to the Yahoo video site for instance, which makes it really convincing, and what if the video is actually also being sent through mail, which makes it more "real". It could take a while to find out you were being phished.

Assume they create such a site: video.mail2yahoo.com (seems not registered). Who will go check that URL? Guess a few. And maybe, if done properly, one could affect many blogs/sites/communities with an alternating page and on a different domain, which makes it pretty successful I think.

And one collects the user/login credentials before sending the video; many people have such an account crammed with registrations everywhere, and maybe PayPal, eBay, etc.

Hence, it bypasses every e-mail anti-phishing filter, 'cause it's done online. :-]

Re: Phishing through a Yahoo! video
Posted by: rsnake
Date: November 04, 2006 06:32PM

I don't think email filters are even that popular at the moment compared to IE7.0, Firefox 2.0 etc... But I see where you are going with this. I dunno, I think there are other ways to accomplish the same thing with much better throughput.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Phishing through a Yahoo! video
Posted by: maluc
Date: November 04, 2006 07:13PM

So your example attack is to put up a funny video on a blog site you control, wait for people to view it at your blog site and want to email it to friends.. then ask for their Yahoo account credentials?

Yes, that would probably convince a lot of the Yahoo users who are familiar with Yahoo! Video.. but it's definitely small potatas. How many people are going to view your blog, and then what percentage of them will have Yahoo email accounts (probably a lot).. but then what percentage of those will feel the desire to click 'Email' and use that form to email it to their buddies (probably negligable). And yes, I can't spell negligable.

It's indeed a unique way to SE some victims, but using a very small net. Especially when all you really need is to steal their cookies to login as them - in particular only the two cookies Y= and T=.. the rest aren't necessary. They both have a domain of *.yahoo.com so any subdomain works.

I used to think Yahoo had good security, but there's at least half a dozen XSS holes in Yahoo to accomplish that. I know this because I'm hanging onto 6 undisclosed ones in 5 different .yahoo.com subdomains. So look around ^^

On a side note, using their Remember Me option makes the cookies persist until "Tuesday, June 02, 2037 3:00:03 PM". Is there something special about that date? Maybe 622-03-7303 is some yahooligan's social sec number..

-maluc

Re: Phishing through a Yahoo! video
Posted by: jungsonn
Date: November 04, 2006 11:15PM

Haha yes, :))

That cookie is based way too far in the future. I read somewhere that there is a problem with UNIX time on 32-bit PCs around 2038 or so; it should expire that year unless it's converted to a 64-bit integer (which includes a 64-bit PC). Awww.

About the placement of the phishing idea:

It's true that there are other methods, but that's done, overdone I guess. I try to think/explore other ways, methods, etc. Who knows, the danger most often comes from the corner you wouldn't expect.

I thought about community sites like MySpace etc., but even so, it may be small potatas; it seems a unique way of confronting them with more alertness.

I wonder how many people trust Yahoo videos the next time they encounter one after knowing that this is possible? ;-)

Ignorance ain't bliss.

Re: Phishing through a Yahoo! video
Posted by: jungsonn
Date: November 04, 2006 11:20PM

I looked it up:


0
The Beginning of Unix Time
January 1, 1970 12:00:00 GMT

-2147483648
The Pre-History of Unix Time
December 13, 1901 20:45:52 GMT

2147483647
The End of Unix Time
January 19, 2038 03:14:07 GMT

Scary stuff BTW.
