Theft of Service Attacks
Subscription Service & Website Vulnerabilities
Robert Sheehy
[email protected]
Zendtech
www.zendtech.com
Example Targets for ToS Attacks
Software Registrations & Downloads
Adult Web Sites
Web Hosting Accounts
Proxy/Anonymity Services
Dial-up Internet Service
Email/Usenet Service
Shell Accounts
Financial News Services
Domain Name Registrations
Hacker Conventions
Hotels that host Hacker Conventions
Hacking The Alexis Park Hotel Internet Access
First HTTP request is redirected to:
http://63.167.199.1/ekgnkm/DailyHotelStart.asp
Who Are The Attackers?
A Technically Savvy Customer.
A Competitor.
An e-mail spammer.
Someone looking for a better deal.
A legitimate customer's friend.
Script Kiddies Worldwide.
What Is Stolen?
Increased access to a service provider's systems (shell accounts)
Avoidance of DNS registration fees
Usenet access
Dial-up Internet access
Web hosting (for data piracy and pornography storage, e-mail spamming, etc.)
Increased access to restricted content
Software purchases/theft
Security Holes Commonly Used for ToS Attacks
Instant account creation vulnerabilities
Subscription data in HTML forms
Authentication data stored in user cookies
PayPal payments
Application, server or operating system specific vulnerability exploits
Business process exploits
Copy Protection Circumvention
Cracks & Serial Number Websites
www.astalavista.box.sk
www.cracks.am
www.cerials.net
www.cracks.wz
Bypassing The Billing System
Cookie Poisoning
Alter cookie data to assume the identity of a subscribing user.
Cookie Editor v1.5
Available from http://www.proxoft.com/CookieEditor.asp
WinHex
Ability to edit non-persistent cookies in memory.
Available from http://www.sf-soft.de/
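The cookie-poisoning attack above works whenever the cookie itself states who the user is and what they paid for. The following is an added example (not the author's code or any named product's) contrasting such a cookie with one that carries an HMAC computed with a server-side secret; the cookie names, the subscriber table and the key are assumptions made up for the illustration.

```python
"""Cookie poisoning: an unsigned subscriber cookie versus an HMAC-signed one.

Added example for this deck, not the author's code or any named product's.
The cookie names, the subscriber table and the server key are assumptions.
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed subscriber table: username -> plan (assumption).
SUBSCRIBERS = {"alice": "premium", "bob": "basic"}

# Server-side secret.  In production it is loaded from configuration and never
# leaves the server; here it is generated fresh on import (assumption).
SERVER_KEY = secrets.token_bytes(32)


def _parse(cookie_header: str) -> SimpleCookie:
    c = SimpleCookie()
    c.load(cookie_header)
    return c


# --- Scheme the slide attacks: the cookie says who you are and what you paid for.
def vulnerable_plan_from_cookie(cookie_header: str) -> Optional[str]:
    c = _parse(cookie_header)
    if "user" not in c or "plan" not in c:
        return None
    # Whatever the client wrote with a cookie editor is believed as-is.
    return c["plan"].value


# --- Hardened scheme: the cookie carries a MAC keyed with a server secret.
def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(user: str) -> str:
    """Cookie handed out after a successful login, as the browser sends it back.
    The plan is looked up server side and bound to the user name by the MAC."""
    payload = f"{user}|{SUBSCRIBERS[user]}"
    return f"session={payload}|{_mac(payload)}"


def hardened_plan_from_cookie(cookie_header: str) -> Optional[str]:
    c = _parse(cookie_header)
    if "session" not in c:
        return None
    fields = c["session"].value.split("|")
    if len(fields) != 3:
        return None
    user, plan, mac = fields
    # Constant-time compare: an edited or forged cookie fails here.
    if not hmac.compare_digest(_mac(f"{user}|{plan}"), mac):
        return None
    # Re-check the database so a since-cancelled subscription is refused too.
    if SUBSCRIBERS.get(user) != plan:
        return None
    return plan
```

Editing `plan=basic` to `plan=premium` in the first scheme is accepted without question; the same edit against the signed cookie breaks the MAC, and forging another user's name fails the same way because the attacker has no key.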
Subscription Specific Attacks
Alter subscription terms
Premium account at the basic account price
Yearly account at the monthly account price
Attacking the re-subscription process
Attacking user verification pages
Subscribe to a yearly account
24 hours later, cancel the account
Use the user verification page to reactivate the account
HTTP_REFERER
Used to validate that the form was loaded from the proper domain and/or server.
EASY TO DEFEAT! The header is set by the client, so any HTTP client or proxy can send whatever value the server expects.
The HTTP_REFERER check is sometimes used to flag suspicious orders for further human review.
Just because HTTP_REFERER is wrong does not mean the order is fraudulent (some browsers and proxies strip or blank the header).
HTTP_REFERER faking method #1
Place the edited HTML form source onto a web server you control.
Change the hosts file to map the expected domain name to the new server.
Load the page using the proper URL (the browser now sends the expected domain as the referer).
Remove the hosts file entry.
Wait for the DNS cache to expire, or flush the cache manually, then submit the altered form to the target site.
Hosts entry:
127.0.0.1 www.fakerefer.com fakerefer.com
Faking HTTP_REFERER made easy
Combination Of Attacks
Change the subscription period from monthly to a yearly subscription.
Change the subscription options to buy a premium account at the basic price.
The transaction will look normal on casual inspection of the billing records.
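The term-altering and referer-faking slides above all exploit the same mistake: price, period and origin are taken from what the client submits. This added example (not from the original slides) contrasts that handler with one that re-derives price and term from a server-side catalog and accepts the form only with a signed, session-bound, expiring token issued when the form page was rendered, demoting the referer to a review flag. The plan ids, prices, session id, the fakerefer.com path and the form secret are assumptions.

```python
"""Subscription form tampering and the HTTP_REFERER check.

Added example, not from the original slides.  Plan ids, prices, the session
id, the referer path and the form secret are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed catalog: plan id -> (price, billing period) (assumption).
CATALOG = {
    "basic-monthly":   ("9.95",   "M"),
    "basic-yearly":    ("99.00",  "Y"),
    "premium-monthly": ("19.95",  "M"),
    "premium-yearly":  ("199.00", "Y"),
}
# Domain from the slide's hosts entry; the path is an assumption.
EXPECTED_REFERER = "http://www.fakerefer.com/subscribe.html"
FORM_KEY = secrets.token_bytes(32)  # server secret (assumption)


def vulnerable_order(form: dict, headers: dict) -> dict:
    """Trusts the hidden fields; the only origin check is the referer."""
    if not headers.get("Referer", "").startswith(EXPECTED_REFERER):
        return {"status": "rejected", "reason": "bad referer"}
    # plan, amount and term all come straight from the client.
    return {"status": "accepted", "plan": form["plan"],
            "amount": form["amount"], "term": form["term"]}


def _mac(payload: str) -> str:
    return hmac.new(FORM_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_form_token(session_id: str, plan: str, ttl: int = 900,
                     now: Optional[float] = None) -> str:
    """Hidden field written into the order form when it is rendered.  Binds the
    chosen plan (hence its catalog price) to this session for ttl seconds."""
    exp = int(time.time() if now is None else now) + ttl
    payload = f"{session_id}|{plan}|{exp}"
    return f"{plan}|{exp}|{_mac(payload)}"


def hardened_order(form: dict, headers: dict, session_id: str,
                   now: Optional[float] = None) -> dict:
    fields = form.get("token", "").split("|")
    if len(fields) != 3:
        return {"status": "rejected", "reason": "missing or malformed token"}
    plan, exp, mac = fields
    if not hmac.compare_digest(_mac(f"{session_id}|{plan}|{exp}"), mac):
        # Edited plan, another session's token, or a form we never served.
        return {"status": "rejected", "reason": "token invalid for this session"}
    if int(exp) < (time.time() if now is None else now):
        return {"status": "rejected", "reason": "token expired"}
    if plan not in CATALOG:
        return {"status": "rejected", "reason": "unknown plan"}
    price, term = CATALOG[plan]  # form["amount"] and form["term"] are never read
    order = {"status": "accepted", "plan": plan, "amount": price,
             "term": term, "review": False}
    # Referer is advisory only: flag for a human, since proxies strip it.
    if not headers.get("Referer", "").startswith(EXPECTED_REFERER):
        order["review"] = True
    return order
```

The attacker who loads the basic-monthly form, rewrites the hidden fields to premium-yearly at 9.95 and sends the expected Referer gets exactly that from `vulnerable_order`; against `hardened_order` the rewritten plan is ignored because the token still names basic-monthly, editing the token breaks its MAC, and a missing referer only marks the order for review.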
Automatic Form Submission
Using the lynx and echo commands (lynx -post_data reads the POST body from stdin, terminated by a line containing "---"):
echo "[email protected]&username=username&password=tmp-passwd&passconfirm=tmp-passwd&Submit=Submit
---" | lynx -post_data http://somesite.com/form.cgi
ITKnowledge.com
Offered a 14-day trial once per credit card number.
Similar to O'Reilly.
Unsuccessful attempt to stop offline archiving via login cookies. Easily defeated.
Subscribers received complete access to the entire library.
ITKnowledge.com Created Their Own Security Hole
Sent e-mail to previous subscribers who cancelled during the 14-day evaluation period offering another 14-day free trial.
No credit card required for signup.
The 2nd 14-day free trial never expired.
The signup for the 14-day trial never ended.
ITKnowledge went out of business.
Users had full access to the entire library for free, normally costing $295 a year.
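The ITKnowledge story combines instant account creation, scripted signups like the lynx one-liner above, and a trial that never expired. As an added example (not ITKnowledge's or the slides' code), the following keys every trial signup by a card fingerprint and a normalised e-mail address so the "once per credit card" rule holds and card-less repeat trials are flagged, and it carries the expiry check the second trial lacked. The log format, the normalisation rules, the fingerprinting and the sample records are assumptions.

```python
"""Detecting repeat free-trial signups.

Added example, not ITKnowledge's or the slides' code.  The log format, the
e-mail normalisation rules, the card fingerprinting and the sample records
are assumptions.
"""
import hashlib
import re
from datetime import datetime, timedelta
from typing import Iterator, List, Optional, Tuple

TRIAL_DAYS = 14

# Constructed signup log, "timestamp,email,card-number-or-blank" (assumption).
SIGNUP_LOG = """\
2002-03-01T10:00:00,alice@example.com,4111111111111111
2002-03-20T09:12:00,Alice@Example.com,
2002-04-02T08:00:00,alice+trial2@example.com,4111 1111 1111 1111
2002-04-03T12:30:00,bob@example.org,5500000000000004
2002-04-04T12:31:00,bob@example.org,5500000000000004
2002-05-01T15:00:00,carol@example.net,
"""


def normalise_email(addr: str) -> str:
    """Lower-case and drop '+tag' sub-addressing (assumption: applied to every
    domain; real rules are provider specific)."""
    local, _, domain = addr.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def card_fingerprint(pan: str) -> Optional[str]:
    """Stable key for a card number without storing it.  A plain hash is used
    for the example; a real system would use a tokeniser or a keyed hash."""
    digits = re.sub(r"\D", "", pan)
    if not digits:
        return None
    return hashlib.sha256(digits.encode()).hexdigest()[:16]


def parse_log(text: str) -> Iterator[Tuple[datetime, str, str]]:
    for line in text.splitlines():
        ts, email, card = line.split(",", 2)
        yield datetime.fromisoformat(ts), email, card


def trial_active(signup: datetime, now: datetime) -> bool:
    """The check the second ITKnowledge trial lacked: access ends after TRIAL_DAYS."""
    return now < signup + timedelta(days=TRIAL_DAYS)


def find_repeat_trials(text: str) -> List[Tuple[datetime, str, str]]:
    """Signups that reuse a card or an e-mail already given a trial, in time order."""
    first_by_card = {}
    first_by_email = {}
    flagged = []
    for ts, email, card in sorted(parse_log(text)):
        fp = card_fingerprint(card)
        em = normalise_email(email)
        if fp is not None and fp in first_by_card:
            flagged.append((ts, email, "card already used for a trial"))
        elif em in first_by_email:
            flagged.append((ts, email, "e-mail already used for a trial"))
        first_by_email.setdefault(em, ts)
        if fp is not None:
            first_by_card.setdefault(fp, ts)
    return flagged
```

On the constructed log the capitalised and plus-tagged Alice addresses and the re-spaced card number all collapse onto the first signup, so three of the six signups are flagged; Carol, a genuine first-timer with no card, is not.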
What Can We Learn From This?
Your Safari account has been locked as a result of excessive
activity. This could be due to spidering, crawling, or
downloading Safari content which is in violation of the
Safari Terms of Service. Further activity of this type may result
in termination of your Safari Subscription. Please review the
Safari Terms of Service.
If you would like to have your account unlocked, please respond to this
-How were you using Safari before you were locked out?
-Were you running any programs that 'speed-up' web browsing or save
information on your hard drive for offline viewing?
-What OS and browser were you using?
Thank you,
The Technical Support Team
Safari Tech Books Online
Beating Safari's Security
Offline Explorer (metaproducts.com)
Used 2.8.1220 Service Release 1 during testing.
Demo version is usable.
Wget not successfully tested; gave up.
One (1) HTTP connection used.
45 second delay between file retrievals.
Used the ISBN number as the URL filter for a single book:
sortOrder=asc&view=&xmlid=0-7357
sortOrder=asc&view=&xmlid=0-596
images
Start page:
http://safari.oreilly.com/JVXSL.asp?x=1&mode=MyBookshelf&sortKey=title&sortOrder=asc&view=&xmlid=&open=false&g=&catid=&s=1&b=1&f=1&t=1&c=1&u=1&r=&o=1
Beating Safari's Security
Level limit of 0 to just get the bookshelf page
Level limit of 1 to get the TOC for all books
Level limit of 2 to get all book pages
Level limit of 3 to get the index pages
Beating Safari's Security
Excluded keywords:
view=author
view=isbn
Included keywords:
x=1&mode=section&sortKey=title&sortOrder=asc&view=&xmlid=0-
x=1&mode=toc&sortKey=title&sortOrder=asc&view=&xmlid=0-
Beating Safari's Security
The idea of Digital Rights Management is unenforceable without causing major inconvenience to legitimate users.
DRM objectives conflict with ease-of-use design.
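The crawler settings above (one connection, a 45 second delay, section pages only) are chosen to stay under a per-minute burst threshold like the one behind Safari's lockout e-mail. The following added example (not Safari's or the slides' code) runs a burst detector and a coverage detector over a constructed access log in the slide's URL style: the slow crawler passes the first and is caught by the second, which counts how much of the library one account touches per day rather than how fast. The log format, account names, section ids and thresholds are assumptions.

```python
"""Two ways to spot an offline-archiving crawler on a subscription site.

Added example, not Safari's or the slides' code.  The log format, the sample
accounts, the section ids and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Section-page URL shape from the slides' "included keywords".
BASE = "/JVXSL.asp?x=1&mode=section&sortKey=title&sortOrder=asc&view=&xmlid="


def make_sample_log() -> str:
    """Constructed access log: '<iso-timestamp> <account> GET <path>' per line."""
    start = datetime(2002, 6, 1, 9, 0, 0)
    lines = []
    # Slow crawler walking one book in TOC order, one section every 45 s.
    for i in range(400):
        ts = start + timedelta(seconds=45 * i)
        lines.append(f"{ts.isoformat()} crawler GET {BASE}0-596-00000-1/"
                     f"ch{i // 20 + 1:02d}sec{i % 20 + 1:02d}")
    # Human reader: two bursts of 12 sections, one every 30 s.
    for burst in range(2):
        for i in range(12):
            ts = start + timedelta(hours=2 * burst, seconds=30 * i)
            lines.append(f"{ts.isoformat()} reader GET {BASE}0-7357-00000-1/"
                         f"ch{burst + 1:02d}sec{i + 1:02d}")
    return "\n".join(lines)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, account, _method, path = line.split(" ", 3)
    q = parse_qs(urlsplit(path).query)
    return (datetime.fromisoformat(ts), account,
            q.get("mode", [""])[0], q.get("xmlid", [""])[0])


def rate_alerts(log_text: str, window: timedelta = timedelta(minutes=5),
                limit: int = 20) -> Set[str]:
    """Burst detector: more than `limit` section fetches inside any sliding window."""
    times = defaultdict(list)
    for ts, acct, mode, _ in map(parse_line, log_text.splitlines()):
        if mode == "section":
            times[acct].append(ts)
    flagged = set()
    for acct, stamps in times.items():
        stamps.sort()
        j = 0
        for i, t in enumerate(stamps):
            while t - stamps[j] > window:
                j += 1
            if i - j + 1 > limit:
                flagged.add(acct)
                break
    return flagged


def coverage_alerts(log_text: str, per_day_limit: int = 150) -> Set[str]:
    """Volume detector: distinct sections read by one account in one calendar day."""
    seen = defaultdict(set)
    for ts, acct, mode, xmlid in map(parse_line, log_text.splitlines()):
        if mode == "section":
            seen[(acct, ts.date())].add(xmlid)
    return {acct for (acct, _day), ids in seen.items() if len(ids) > per_day_limit}
```

At 45 seconds per page the crawler never exceeds seven fetches in any five-minute window, so `rate_alerts` stays silent for both accounts; `coverage_alerts` flags the crawler's 400 distinct sections in a day and leaves the reader's 24 alone. Tightening the burst limit enough to catch the crawler also catches the human, which is the DRM trade-off the slide describes.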
Software Theft With PayPal
View the page source, look for the PayPal URL:
https://www.paypal.com/cart/add=1&business=paypal%40finite-tech.com&item_name=IPSec+Client+Software&item_number=ASL-IPSEC-CLIENT-WIN&amount=90.00&shipping=12.00&return=http%3A//www.chillywall.com/success.html&cancel_return=http%3A//www.chillywall.com/cancel.html
The return URL is reachable without going through PayPal:
return=http://www.chillywall.com/success.html
Purchase Success
Software Theft With PayPal
PayPal price hiding using URL encoding (amount=90.00 is written as %39%30%2E%30%30 and shipping=12.00 as %31%32%2E%30%30; any client decodes them back to the same editable values):
https://www.paypal.com/cart/add=1&business=paypal%40finite-tech.com&item_name=IPSec+Client+Software&item_number=ASL-IPSEC-CLIENT-WIN&amount=%39%30%2E%30%30&shipping=%31%32%2E%30%30&return=http%3A//www.chillywall.com/success.html&cancel_return=http%3A//www.chillywall.com/cancel.html
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick-subscriptions">
<input type="hidden" name="business" value="[email protected]">
<input type="hidden" name="item_name" value="Web Hosting">
<input type="hidden" name="item_number" value="WebHost11">
<input type="image" src="pics/x-click-but20.gif" border="0" name="submit"> $295.00
<input type="hidden" name="a1" value="0.00">   <!-- trial period price: $0.00 setup fee -->
<input type="hidden" name="p1" value="2">      <!-- trial period length: 2 -->
<input type="hidden" name="t1" value="M">      <!-- trial period units: months -->
<input type="hidden" name="a3" value="295.00"> <!-- recurring fee -->
<input type="hidden" name="p3" value="1">      <!-- billed once -->
<input type="hidden" name="t3" value="Y">      <!-- per year -->
<input type="hidden" name="src" value="1">     <!-- recurring payments on -->
<input type="hidden" name="sra" value="1">     <!-- reattempt failed payments -->
</form>
Every subscription term (free period, recurring price, billing period) sits in a hidden field the customer can edit before the form is posted to PayPal.
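The three PayPal slides share one lesson: the cart URL and the hidden form fields are in the customer's hands, and the return page is just a URL. This added example (not the slides' or PayPal's code) decodes the "hidden" price from the slide's URL to show the encoding protects nothing, and then gates delivery on a payment notification whose status, receiver, item, currency and total match the merchant's own catalog, with transaction ids tracked so one payment cannot be replayed. The catalog, the sample notifications and the in-memory transaction store are assumptions; the field names (payment_status, mc_gross, mc_currency, item_number, receiver_email, txn_id) are PayPal's documented IPN variables, and the notification is assumed to have already been verified with PayPal (the postback step is omitted).

```python
"""PayPal button fields: decoding the 'hidden' price and gating fulfilment.

Added example, not the slides' or PayPal's code.  The catalog, the sample
notifications and the in-memory txn store are assumptions; the notification
field names are PayPal's IPN variables, and the notification is assumed to
be verified already (no postback here).
"""
from decimal import Decimal, InvalidOperation
from typing import Dict, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# The URL-encoded cart link from the slide, exactly as a customer sees it.
SLIDE_URL = ("https://www.paypal.com/cart/add=1&business=paypal%40finite-tech.com"
             "&item_name=IPSec+Client+Software&item_number=ASL-IPSEC-CLIENT-WIN"
             "&amount=%39%30%2E%30%30&shipping=%31%32%2E%30%30"
             "&return=http%3A//www.chillywall.com/success.html"
             "&cancel_return=http%3A//www.chillywall.com/cancel.html")

# Server-side catalog: item -> (price, shipping, currency) (assumption).
CATALOG = {"ASL-IPSEC-CLIENT-WIN": (Decimal("90.00"), Decimal("12.00"), "USD")}
MERCHANT = "paypal@finite-tech.com"   # the business address from the slide
_seen_txn: Set[str] = set()           # replaces a database table (assumption)


def decode_button(url: str) -> Dict[str, str]:
    """Everything the customer can read and rewrite before posting to PayPal.
    parse_qs undoes the %xx encoding, so the 'hidden' 90.00 is plain text."""
    parts = urlsplit(url)
    query = parts.query or parts.path.split("/cart/", 1)[1]  # slide URL has no '?'
    return {k: v[0] for k, v in parse_qs(query).items()}


def vulnerable_success_page(path: str) -> bool:
    """The slide's return page: whoever loads it gets the download link."""
    return path == "/success.html"


def fulfil(ipn: Dict[str, str]) -> Tuple[bool, str]:
    """Deliver only on a completed, correctly addressed, fully paid, unseen txn."""
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    if ipn.get("receiver_email", "").lower() != MERCHANT:
        return False, "paid to a different account"
    item = ipn.get("item_number", "")
    if item not in CATALOG:
        return False, "unknown item"
    price, shipping, currency = CATALOG[item]
    if ipn.get("mc_currency") != currency:
        return False, "wrong currency"
    # Compare against the server's price, never the amount the button carried.
    try:
        paid = Decimal(ipn.get("mc_gross", "0"))
    except InvalidOperation:
        return False, "malformed amount"
    if paid < price + shipping:
        return False, "underpaid"
    txn = ipn.get("txn_id", "")
    if not txn or txn in _seen_txn:
        return False, "replayed or missing txn_id"
    _seen_txn.add(txn)
    return True, "deliver"
```

`decode_button` turns `%39%30%2E%30%30` back into `90.00` with nothing more than the standard query parser, and `vulnerable_success_page` delivers to anyone who knows the return URL; `fulfil` refuses the underpaid, mis-addressed, pending and replayed cases in turn.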
Credit Card Payment Attacks
Possible attacks:
Credit card fraud
Price alteration
Avoiding payment
Subscription term extension
Attack Response Options
Depends upon the nature of the attack.
How abusive was the attack?
Login/password sharing is not really fraud.
Account cancellation may be the only option.
Fixing the security hole may be the only option.
Can the user be tracked down?
Will law enforcement care?
Will the publicity of the hack be worse than the hack itself?
Recovering Losses
Back-billing the customer
Involving law enforcement
Writing off the loss
Most often there is no way to recover losses.
The losses are considered to be the victim's own fault.
DirecTV Theft Of Service
Thousands of DirecTV customers sued.
Threatening letters used as an intimidation tactic.
Millions already have been paid to settle.
No proof other than purchase records; no actual proof of service theft.
www.legal-rights.org
Finding Vulnerable Systems
Final Points
Very simple attacks.
Common security oversight in newer sites.
Hit-and-miss attack; more an annoyance than a real problem to most retailers.
The victim's system admin gets little sympathy from law enforcement or colleagues.
Final Points
Sites vulnerable to ToS attacks are usually vulnerable to other simple attacks.
Most likely effective on newer websites that use a custom application or a misconfigured 3rd party product.
Theft of service does not necessarily mean there was a loss of revenue for the company, had the attack not occurred.
Final Points
Depending upon the attack, legal fraud is not always committed (it is generally considered the victim's fault for not taking basic security precautions).
A company could be put out of business within the time it takes them to notice a vulnerability has been discovered.