Vulnerability Discovery
AliExpress, part of the Alibaba Group, operates a large number of websites and sub-domains. Among them we found that ‘us.cobra.aliexpress.com’ reflects the value of the ‘cb’ parameter into its response.
Figure 1: With Referer header
By manipulating this parameter we were able to execute our own JavaScript from an AliExpress sub-domain. Sending the payload directly to a victim, however, did not work: AliExpress had a protection against cross-site scripting attacks, and as the image below shows, the payload would not run.
Figure 2: Without Referer header
The protection AliExpress used was a simple one: the server checked the Referer header of the request and, if the header was missing or did not carry the expected value, the request was denied.
How ‘Referer’ Works
The Referer is an HTTP request header that carries the URL of the page from which the request originated. For example, if we navigate to blog.checkpoint.com by typing the address into the browser, no Referer header is sent, because we did not arrive from another page:
GET /2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/ HTTP/1.1
Host: blog.checkpoint.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
If we then click a link to YouTube on that page, the browser adds a Referer header that tells YouTube we came from blog.checkpoint.com:
GET /UR_i5XSAKrg HTTP/1.1
Host: youtu.be
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Referer: https://blog.checkpoint.com/2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/
Note that the Referer header is sent not only for top-level navigations but for every resource a page requests, such as JavaScript, CSS and images. Note also that it is set by the client, so a server that relies on it is trusting a value it cannot verify.
So if an attacker sends the malicious link directly to the victim, it will not work: the victim’s browser sends no AliExpress Referer with the request. To bypass this referer protection we needed a simple trick.
The Trick
We had a malicious link that, because of the Referer check described above, had to reach the victim’s browser from AliExpress rather than directly from us. To achieve this we looked for links on AliExpress that redirect to a second AliExpress link, where the second link could be replaced with our own malicious one.
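The following is an added example, not Check Point’s or AliExpress’s code: a minimal model of the Referer-gated reflection described above, showing that a request which arrives without a Referer is refused, that a request carrying a Referer from a page on a trusted sub-domain is accepted and reflects the payload, and what the endpoint looks like once the reflection itself is fixed. The host name and the ‘cb’ parameter are taken from the write-up; the handler logic, the allow-list, the redirect page URL and the sample requests are assumptions made for this example.

```python
# Added example, not Check Point's or AliExpress's code: a minimal model of the
# Referer-gated reflection described above and of why a request that carries a
# Referer from a trusted sub-domain satisfies the check. The host name and the
# 'cb' parameter come from the write-up; the handler logic, the allow-list, the
# redirect page URL and the sample requests are assumptions for this example.
import re
from urllib.parse import parse_qs, urlencode, urlparse

XSS_HOST = "us.cobra.aliexpress.com"
PAYLOAD = "<script>alert(document.domain)</script>"  # constructed test payload
REDIRECT_PAGE = "https://www.aliexpress.com/some-redirect-page"  # assumed, not the real page


def referer_allowed(headers):
    """The weak control: accept only if a Referer is present and its host is
    aliexpress.com or one of its sub-domains. Everything checked here is
    supplied by the client."""
    ref = headers.get("Referer")
    if not ref:
        return False
    host = urlparse(ref).hostname or ""
    return host == "aliexpress.com" or host.endswith(".aliexpress.com")


def _cb_param(url):
    return parse_qs(urlparse(url).query).get("cb", [""])[0]


def vulnerable_handler(url, headers):
    """Reflects 'cb' verbatim and relies on the Referer check for protection.
    Returns (status, body)."""
    if not referer_allowed(headers):
        return 403, "Forbidden"
    return 200, _cb_param(url) + "({})"


def hardened_handler(url, headers):
    """Same endpoint with a real fix: the reflected value must look like a plain
    callback identifier, and the Referer is not consulted at all. The article
    does not say in what context 'cb' was reflected; an identifier allow-list is
    the usual rule for callback-style parameters (assumption)."""
    cb = _cb_param(url)
    if not re.fullmatch(r"[A-Za-z_$][A-Za-z0-9_$]*", cb):
        return 400, "Bad Request"
    return 200, cb + "({})"


def request(cb_value, referer=None):
    """Model the victim's browser fetching the endpoint with a given 'cb' value,
    either with no Referer (link opened straight from a message) or with the
    Referer a browser sends after a client-side hop through REDIRECT_PAGE.
    Returns the (status, body) pairs from the vulnerable and hardened handlers."""
    url = f"https://{XSS_HOST}/?{urlencode({'cb': cb_value})}"
    headers = {"Referer": referer} if referer else {}
    return vulnerable_handler(url, headers), hardened_handler(url, headers)


if __name__ == "__main__":
    for referer in (None, REDIRECT_PAGE):
        vuln, hard = request(PAYLOAD, referer)
        print(f"Referer={referer!r:<48} vulnerable -> {vuln[0]} {vuln[1][:40]!r}  hardened -> {hard[0]}")
```

One caveat the article does not go into: whether the reflecting endpoint actually sees the intermediate AliExpress URL as its Referer depends on how that intermediate redirect is implemented. Browsers keep the original referrer across an HTTP 30x redirect, so it is a page that navigates onward client-side (script or meta refresh) that becomes the Referer of the next request; the write-up does not say which kind of redirect was used. Either way the lesson of the hardened handler stands: the Referer is attacker-influenced and must not be the control that decides whether untrusted input is reflected.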
We found such a redirect link, which gave us the following payload:

The next step was to create a shorter link for this payload to mask it. Any URL shortener would do. For example:

or even a malicious QR code:

If the victim clicked one of the links or scanned the QR code, they would be redirected to the AliExpress login screen, into which our malicious JavaScript would be injected, producing the following fake popup:

Any data entered into this popup would be sent to the attacker.
Source: https://research.checkpoint.com/2017/christmas-coming-criminals-await/


Threat Intelligence Report: November 20 - 26, 2017
Check Point Threat Intelligence, November 2017
November was another busy month as people geared up for Black Friday shopping and the pitfalls that this brings to online retailers and consumers alike. Take a look at our quick roundup of November’s cyber highlights that you may have missed.
Cloud Security

Uber Exposed
In September and October it was the consultancy firms Deloitte and Accenture; in November it was the ride-hailing giant Uber. After hackers obtained login credentials for data stored on Uber’s AWS account, the personal information of 57 million customers and drivers was stolen. To make matters worse, Uber covered up the breach by paying the attackers $100k to delete the stolen data and did not report it.

Why Is This Significant?
Cloud services offer organizations great flexibility and efficiency in the way they work and manage their operations. It is important, however, that these organizations have the right controls and measures in place to ensure their data is safe from breaches.

Australian Government Data Leak
The Australian government has had a run of data breaches over the last year or so. In November, 50,000 government employee personal records were leaked through a misconfigured Amazon S3 bucket that was used to back up their data. The data exposed in the bucket included names, email addresses, phone numbers, IDs, passwords, some credit card numbers and details of staff salaries and expenses.
Why Is This Significant?
Amazon’s Simple Storage Service is widely used by organizations because of its flexibility and low cost. Amazon publishes security recommendations that all S3 users should follow, but not all do. It is crucial that organizations understand and implement those recommendations to keep their data from being publicly readable.

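As an added example, not part of the roundup and not AWS code: an offline check for the two common ways an S3 bucket ends up world-readable, a bucket ACL grant to one of the public groups and an unconditional bucket policy open to any principal. The documents it inspects are shaped like the dict that boto3’s get_bucket_acl() returns and the JSON string that get_bucket_policy() returns; the bucket name, canonical IDs, VPC endpoint ID and statements below are constructed for this example.

```python
# Added example, not from the roundup or from AWS: an offline check for the two
# common ways an S3 bucket ends up world-readable, a public ACL grant and an
# unconditional bucket policy open to any principal. The documents are shaped
# like the dict boto3's get_bucket_acl() and the JSON get_bucket_policy() return;
# the bucket name, IDs and statements below are constructed for this example.
import json

# The two pre-defined S3 groups that mean "everyone" / "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return [(group, permission)] for every ACL grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements granted to any principal with no
    Condition. Statements that do carry a Condition are left for manual review:
    a Condition can still be too weak, but it is not an unconditional grant."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    return [
        s.get("Sid", "<no Sid>")
        for s in statements
        if s.get("Effect") == "Allow"
        and _principal_is_anyone(s.get("Principal"))
        and not s.get("Condition")
    ]


def audit_bucket(name, acl, policy_json=None):
    """Combine both checks into human-readable findings for one bucket."""
    findings = [f"{name}: ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    if policy_json:
        findings += [f"{name}: policy statement {sid} allows any principal"
                     for sid in public_policy_statements(policy_json)]
    return findings


# Constructed sample documents (not real buckets, accounts or endpoints).
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef"}
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hr-backups/*"},
]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hr-backups/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]})

if __name__ == "__main__":
    for label, acl, policy in (("exposed", EXPOSED_ACL, OPEN_POLICY),
                               ("locked down", PRIVATE_ACL, SCOPED_POLICY)):
        print(label, audit_bucket("hr-backups", acl, policy) or ["no public access found"])
```

On a live account the same two documents come from the S3 API (get-bucket-acl and get-bucket-policy), and the check is best run across every bucket rather than on one; note that it only catches unconditional grants, so a policy whose Condition is too loose still needs a human to read it. Enabling S3 Block Public Access on the account makes grants of this kind ineffective regardless of how a bucket is configured.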
PC Security

Black Friday Shopping
Bargain hunters were at risk from cyber-criminals targeting online shoppers in the run-up to the Black Friday and Christmas shopping season. Researchers at Check Point discovered that criminals had a new way to trick merry online shoppers via the massively popular AliExpress shopping portal (the vulnerability described in the first article above). After discovering it, Check Point Researchers immediately informed AliExpress who, taking cybersecurity very seriously, acted swiftly and fixed it within two days of notification.
Why Is This Significant?
Because of the large amount of financial data involved, on both the retailer and the customer side, online retail is one of the industries most targeted by cyber-criminals. Consumers should always be on high alert for suspicious activity or requests while shopping online and should follow secure shopping guidelines. In addition, they should have a solid anti-virus package, such as ZoneAlarm, installed on their PC to keep them protected at all times.

Ordinypt Ransomware Targets German Businesses
German businesses were targeted in November by the Ordinypt wiper ransomware, in the guise of fake job applicants inquiring about possible vacancies. The malware is vicious: instead of encrypting the victim’s files, it replaces each with random ‘garbage’ and then deletes the original. Ordinypt was hidden in attachments named ‘Viktoria Henschel’, supposedly a JPG image of the woman sending the application and a ZIP file containing her resume and curriculum vitae.
Why Is This Significant?
Like NotPetya, the fake ransomware that hit Ukraine earlier this year, Ordinypt is wiper malware disguised as a ransomware attack, demanding payment to a random bitcoin wallet. The damage is far worse than with real ransomware, because the victim’s files cannot be recovered even if the ransom is paid. It is vital that businesses protect themselves against suspicious attachments and have software in place to scan potential hazards before it is too late.

Mobile

Mobile Attack Report
Every business has experienced at least one mobile cyberattack in the past year, according to a new study published this month by Check Point mobile threat researchers. The report, entitled Mobile Cyberattacks Impact Every Business, is the first study to document the volume and impact of mobile attacks across corporate and public enterprise environments.
Why Is This Significant?
Key findings of the mobile security report show that every company is under some form of attack. The most affected industries are financial services and government. Most mobile attacks occur on businesses in the Americas, and although the majority of attacks target Android devices, iOS devices are not immune. All business leaders would do well to read this report and understand the risks they face.

Source: https://research.checkpoint.com/2017/november-cyber-roundup/