The day HTTPS stopped being secure

To be clear, there is nothing wrong with the HTTPS protocol itself. But using a secured HTTPS connection to the site of your financial institution doesn't mean you're safe either: if the computer you type on is compromised, your data can be read before it is ever encrypted.

There is a rather technical PDF file available that explains all the nitty-gritty details, but let me give you a quick rundown of what some scammers are doing.

You surf the web with IE and happen to end up on a compromised web server. Mind you, this could be a very well-known site that would be above all suspicion: recent reports have shown that exploits exist and have been used to compromise web servers. Without you realizing it, your browser downloads and installs a BHO (Browser Helper Object), a plug-in DLL that IE loads automatically every time you start it.

This BHO watches for HTTPS access to URLs and captures the form data before it is encrypted, so your password, login ID and the like end up readable by a third-party server. Because the BHO runs inside the browser process, it sees everything you type before the TLS layer ever touches it; the padlock in the status bar tells you nothing about it. To hide their tracks, the scammers have the BHO encrypt the captured data before passing it on, so that intrusion detection software watching the network cannot spot account information leaving your machine.

Sounds confusing? Here's a short summary to make it more understandable:

1. A web server is compromised
2. You surf to the compromised site using IE
3. The BHO is installed on your computer, without your interaction or knowledge
4. You connect to your online banking site
5. The BHO grabs your data before it's encrypted
6. The BHO encrypts the data and passes it on to someone else

This could lead to others accessing your bank accounts online, withdrawing money, changing account details, stealing your identity, and so on.

If you've read this far, you're probably wondering what you can do to prevent all this. Honestly, I don't know. I'd suggest not using IE as your everyday browser for the time being, at least not until a number of very serious security holes are patched. You could also block access to http://www.refestltd.com using your (personal) firewall. The latter is only a temporary fix, though, as I suspect the scammers will release newer versions of their exploit that send the captured data to other sites.
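One check worth adding, which is not part of the original post: a BHO cannot hide from IE, because IE only loads the ones registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID}, and the CLSID's InProcServer32 key names the DLL that gets loaded. So you can export those keys with reg export and audit the result. The script below is an added example in Python; the CLSIDs, product name and DLL paths in the sample exports are constructed for the example, and the allowlist of "known good" CLSIDs is something you would maintain yourself.

```python
"""Audit Browser Helper Objects (BHOs) from Registry exports.

Added example, not from the original post. On a real machine the input
would come from (assumed commands; run as Administrator):
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg
  reg export HKCR\CLSID clsid.reg
The exports embedded here are constructed; the CLSIDs and DLLs are made up.
"""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Directories a legitimate vendor DLL has no business living in (lower-cased).
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\documents and settings\\",
                   "\\users\\", "\\appdata\\")

# Constructed sample exports (not real registry contents).
SAMPLE_BHO_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]
@="Acme PDF Link Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-0000-0000-0000-000000000001}]
@=""
"""

SAMPLE_CLSID_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}]
@="Acme PDF Link Helper"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}\InProcServer32]
@="C:\\Program Files\\Acme\\Reader\\AcmeIEHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{DEADBEEF-0000-0000-0000-000000000001}]

[HKEY_CLASSES_ROOT\CLSID\{DEADBEEF-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\TEMP\\ies4.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Parse a REGEDIT5 .reg export into {key_path: {value_name: value}}.

    Only string values ("...") are unescaped; other types are kept raw.
    The default value (@) is stored under the name "(Default)".
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def list_bhos(bho_reg, clsid_reg):
    """Return [(clsid, display_name, dll_path_or_None)] for every registered BHO."""
    bho_keys = parse_reg(bho_reg)
    clsid_index = {k.lower(): v for k, v in parse_reg(clsid_reg).items()}
    bhos = []
    for key, values in bho_keys.items():
        if not key.lower().startswith(BHO_KEY.lower() + "\\"):
            continue                      # skip the parent key itself
        match = CLSID_RE.search(key)
        if not match:
            continue
        clsid = match.group(0).upper()
        clsid_key = "hkey_classes_root\\clsid\\" + clsid.lower()
        name = (values.get("(Default)")
                or clsid_index.get(clsid_key, {}).get("(Default)", ""))
        dll = clsid_index.get(clsid_key + "\\inprocserver32", {}).get("(Default)")
        bhos.append((clsid, name, dll))
    return bhos


def audit(bho_reg, clsid_reg, allowlist=frozenset()):
    """Return [(clsid, [reasons])] for every BHO not on the allowlist.

    Every unknown BHO is reported (the list is normally short); the reasons
    call out the strong signals a form-grabber typically shows.
    """
    findings = []
    for clsid, name, dll in list_bhos(bho_reg, clsid_reg):
        if clsid in allowlist:
            continue
        reasons = ["CLSID not on the allowlist"]
        if not name:
            reasons.append("no display name registered")
        if dll is None:
            reasons.append("no InProcServer32 DLL registered")
        elif any(d in dll.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("DLL lives in a temp or user-writable directory: " + dll)
        findings.append((clsid, reasons))
    return findings


if __name__ == "__main__":
    known_good = {"{AAAAAAAA-1111-2222-3333-444444444444}"}   # constructed
    for clsid, reasons in audit(SAMPLE_BHO_REG, SAMPLE_CLSID_REG, known_good):
        print(clsid)
        for r in reasons:
            print("   -", r)
```

Run against a real export, anything that is not on your allowlist and whose DLL sits in a temp or profile directory deserves the same treatment as the sample entry above: note the DLL path, delete the BHO key, reboot, and then verify the DLL is no longer loaded. Keep in mind that the registry check only finds BHOs; it does not cover other ways of injecting code into the browser process.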

Finally, keep your systems patched (Windows Update) and scan them regularly using Ad-Aware and/or Spybot S&D. Be aware that none of these scanners or patches protect against this exploit at the time of this writing, but the fewer vulnerabilities exist on your system, the harder it'll be for scammers to abuse and infect your machine(s).

This page contains a single entry by ServMe published on June 30, 2004 10:43 AM.