Theft of Service Attacks

The document discusses various types of theft of service attacks targeting subscription services and websites. It provides examples of common targets like software downloads, web hosting, and online services. Attack methods described include exploiting vulnerabilities in user registration and authentication, altering forms to change subscription details like price or duration, and bypassing billing systems through repeated trials or cookie editing. Recommendations are made to closely monitor systems for irregular access patterns and audit subscription records.


Theft Of Service Attacks
Subscription Service & Website Vulnerabilities

Theft Of Service Attacks


Presented at Defcon 11 by:

Robert Sheehy
[email protected]

Zendtech
www.zendtech.com

Presentation updates are available at:


http://www.zendtech.com/defcon11/tos

What Are Theft Of Service Attacks?


Application Level Attack
Attacker Gains Increased Access To Restricted or Limited Resources
Opportunistic Attack
Attacks typically do not result in system administration access.

Example Targets for TOS Attack
Software Registrations & Downloads
Adult Web Sites
Web Hosting Accounts
Proxy/Anonymity Services
Dial-up Internet Service
Email/Usenet Service
Shell Accounts
Financial News Services
Domain Name Registrations

Example Targets for TOS Attack

Hacker Conventions
Hotels that host Hacker Conventions.

Defcon Registration Insecurity

Avoided the common route: user registration.
Social Engineered Speaker Registration.
Registered additional speaker for this talk with no advance notice.
No verification was made that the person had anything to do with the presentation.

Hacking The Alexis Park
Hotel Internet Access
First HTTP request is redirected to:
http://63.167.199.1/ekgnkm/DailyHotelStart.asp

User is presented with two options:

9.95 Access with private (NAT) IP address
10.95 Access with public IP address

Hacking The Alexis Park


<select name="strPackage" size="1">
<option value=1>9.95 USD with a Private IP address</option>
<option value=4>10.95 USD with a Public IP address</option>
</select>

Hacking The Alexis Park


1 - 9.95 Access with private (NAT) IP address
2 -
3 -
4 - 10.95 Access with public IP address
5 - 8.95 Access with public IP address
6 - 2.95 Access with public IP address

Values 0, 7-10 are invalid options

Who Are The Attackers?
A Technically Savvy Customer.
A Competitor.
An e-mail spammer.
Someone looking for a better deal.
A legitimate customer's friend.
Script Kiddies Worldwide
Bobcat

What Is Stolen?
Increased access to a service provider's systems (Shell Accounts)
Avoidance Of DNS Registration Fees
Usenet Access
Dial-up Internet Access
Web hosting (for data piracy & pornography storage, e-mail spamming, etc.)
Increased Access to restricted content
Software Purchases/Theft

Who are the victims?

Subscription based services seem especially vulnerable.
Systems set up and left unattended.
Systems not regularly audited.
No security personnel; systems programmers do not deal with security.
May not have the ability to fix problems:
3rd party shopping cart
Application developed by a consultant.

Security Holes Commonly Used for ToS attacks
Instant Account Creation Vulnerabilities
Subscription Data In HTML Forms
Authentication data stored in user cookies
Paypal Payments
Application, Server or Operating System specific vulnerability exploits.
Business Process Exploits

Theft of Service Attack Types


Software Copy Protection Circumvention
Abuse Of A Legitimate Account
Bypassing the Billing System
User defined changes to the subscription terms or price.

How Attacks Are Obscured

Putting in the orders during a holiday weekend
Backlog of orders from a long holiday weekend may result in less attention to order details
Even if there is human review, the attack might be overlooked during high sales volume
Using a valid price on the system for higher priced subscription levels.

Copy Protection Circumvention
Cracks & Serial Number Websites
www.astalavista.box.sk
www.cracks.am
www.cerials.net
www.cracks.wz

Piracy Newsgroups on Usenet


alt.binaries.cracks
alt.binaries.warez.0-day
alt.binaries.cd.image

Abuse of a Legitimate Account

Choosing login/password as your username/passwd pair.
Makes remembering passwords much easier.
Allows for anonymous account sharing.
Makes the admin feel dumb when they find it.

Abuse of a Legitimate Account

Multiple Users of a single user account
Easy to detect, if the effort is made.
Normally results in account termination for Terms Of Service violation if detected.
Account sharing is less likely to occur if the account exposes the customer's data, such as home address or credit card number.

Bypassing The Billing System
Cookie Poisoning
Alter cookie data to assume identity of a subscribing user
Cookie Editor v1.5
Available from http://www.proxoft.com/CookieEditor.asp
WinHex
Ability to edit non-persistent cookies in memory.
Available from http://www.sf-soft.de/

Bypassing The Billing System


Free Trial Accounts
Open to repeated use and abuse
User is disqualified if they have previously used the same credit card or e-mail address for a previous free subscription
Open to repeated credit card fraud (especially if nothing is actually charged).
New credit cards with new numbers are also easy to obtain.
New Email addresses are easy to obtain.

Bypassing The Billing System


Application Specific Attacks
Bugs in the account signup process
Account Verification pages that can be used to reactivate cancelled accounts.
Subscription & Account Maintenance
Account Upgrade/Downgrade may be open to attack, while the initial subscription process is secure.

Subscription Specific Attacks
Alter subscription terms
Premium Account at Basic Account Price
Yearly Account at monthly account price
Attacking the re-subscription process
Attacking user verification pages
Subscribe to a yearly account
24 hours later, cancel the account
User verification page to reactivate account

HTML Form Alteration Attacks

For GET forms, change URL parameters

For POST forms, view the HTML source, and change the value of the Hidden input types.
type="hidden" OR type=hidden (the " char is optional)

<input type=hidden name=price value=15.00>

<input type=hidden name=term value=12>

HTTP_REFERER
Used to validate that form was loaded from proper domain and/or server.
EASY TO DEFEAT!
HTTP_REFERER variable check sometimes used to flag suspicious orders for further human review.
Just because HTTP_REFERER is wrong does not mean the order is fraudulent.

HTTP_REFERER faking method #1
Place edited HTML form source onto web server.
Change hosts file to map expected domain name to the new server.
Load the Page using the proper URL.
Remove hosts file entry.
Wait for DNS cache to expire, or flush the cache manually, then submit altered form to the target site.

Hosts location for various OS

Unix - /etc/hosts
Win9x - c:\windows (windows dir)
WinNT - c:\windows\system32\drivers\etc
Macintosh/OSX - ????

Hosts Entry:
127.0.0.1 www.fakerefer.com fakerefer.com

HTTP_REFERER faking method #2

Method utilizes browser proxy support
Edit hosts file as in method #1
Load altered page from your web server
Enter proxy server information
Submit Form
Proxy will not use hosts information, and will send altered form data with a faked HTTP_REFERER.

Faking HTTP_REFERER made easy

Website uses 3rd party to process payment.

Place altered page on web server
Change hosts file to fake HTTP_REFERER
Fill out form and submit
Form is submitted to the 3rd Party website for payment processing.
3rd party site checks authentication of form via HTTP_REFERER. Altered form passes test.

Attacking 3rd Party Shopping Carts

User places an order for an inexpensive item.
User starts checkout process -> User and CartID are passed to 3rd party site.
Additional items are added to the cart in separate browser window.
Payment for single item is completed.
3rd party payment processor sends confirmation that the CartID ### is paid.
Shopping site believes the updated order has been entirely paid for.

Combination Of Attacks
Change subscription period from monthly to a yearly subscription.
Change the subscription options to buy a premium account at the basic price.
Transaction will look normal on casual inspection of the billing records.

Automatic Form Submission
Using the lynx and echo commands.
echo "[email protected]&\
username=username&\
password=tmp-passwd&\
passconfirm=tmp-passwd&\
Submit=Submit\n---\n" \
| lynx -post_data http://somesite.com/form.cgi

Quotes Are Important (because of & Characters)

Pipe echo command output to lynx

ITKnowledge.com
Offered 14 Day Trial Once per credit card #
Similar to O'Reilly.
Unsuccessful Attempt to stop offline archiving via login cookies.
Easily defeated.
Subscribers received complete access to entire library.

ITKnowledge.com
Created Their Own Security Hole
Sent e-mail to previous subscribers who cancelled during the 14-day evaluation period offering another 14-day free trial
No Credit Card Required For Signup
The 2nd 14-day free trial never expired
The signup for the 14-day trial never ended.
ITKnowledge went out of business
Users have full access to entire library for free, normally costing $295 a year.

What Can We Learn From This

Resubscription and customer retention programs are also vulnerable.
Accounts should be regularly audited to detect irregularities.
It is difficult to selectively restrict access to digital content.

O'Reilly's Safari Bookshelf Security

System tries to enforce a No Offline Archiving policy, detailed in their Terms Of Service Agreement.
Three strikes, you're out, if the system detects massive downloading
Session Limit (One login allowed; cookie based session tracking)
Restriction On Library Access - Can only select X number of titles for access (X varies with subscription type)

Your Safari account has been locked as a result of excessive activity. This could be due to spidering, crawling, or downloading Safari content which is in violation of the Safari Terms of Service. Further activity of this type may result in termination of your Safari Subscription. Please review the Safari Terms of Service.

If you would like to have your account unlocked, please respond to this

-How were you using Safari before you were locked out?
-Were you running any programs that 'speed-up' web browsing or save information on your hard drive for offline viewing?
-What OS and browser were you using?

Thank you,
The Technical Support Team
Safari Tech Books Online

Beating Safari's Security

Books must be kept on bookshelf for 30 days
Does not matter if you cancel the account every month, so just create a brand new account every month
If reusing a credit card to create a new account, you will not have any waiting time for bookshelf slots to open, all are open immediately
If using a new card, you get a new 14-day trial.

Beating Safari's Security

Free Trial Account Abuse
Bypass Billing Attack
Get a new e-mail address
Sign Up for 14-day trial with a new CC.
Pick the books to fill your 10 bookshelf slots.
Use Offline Explorer to make an offline copy.
Cancel the account before the trial expires.
Cancel CC, get a replacement from your bank with new numbers.
Repeat process when new card arrives.

Beating Safari's Security
Offline Explorer - metaproducts.com
Used 2.8.1220 Service Release 1 during testing.
Demo version is usable
Wget not successfully tested; gave up
One (1) HTTP Connection Used
45 Second Delay between file retrieval
Used the ISBN number as URL filter for Single Book
sortOrder=asc&view=&xmlid=0-7357
sortOrder=asc&view=&xmlid=0-596
images

Beating Safari's Security

Have scheduling configured to run every hour and a half, for 9 minutes.
Takes a while, but it gets the job done.
Easiest if you do it just one book at a time, instead of the entire bookshelf at once.

Beating Safari's Security

Make sure identifier is set to MS Explorer:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
& use Microsoft Internet Explorer Cookies

Start Page:
http://safari.oreilly.com/JVXSL.asp?x=1&mode=MyBookshelf&sortKey=title&sortOrder=asc&view=&xmlid=&open=false&g=&catid=&s=1&b=1&f=1&t=1&c=1&u=1&r=&o=1

Beating Safari's Security
level limit of 0 to just get bookshelf page
level limit of 1 to get TOC for all books
level limit of 2 to get all book pages
level limit of 3 to get the index pages.

Beating Safari's Security

Stop downloading if download time exceeds 7 minutes

Do Not Download Existing Files

Configure Safari Login And Password in "Passwords" Configuration

Scheduling: Every 2 hours

Beating Safari's Security

IMPORTANT: Login manually to safari.oreilly.com before starting bookshelf download.

Do not login to account from another machine or browser while download is running, or you'll kill the download.

Beating Safari's Security
Excluded Keywords:
view=author
view=isbn

Included Keywords:
x=1&mode=section&sortKey=title&sortOrder=asc&view=&xmlid=0-
x=1&mode=toc&sortKey=title&sortOrder=asc&view=&xmlid=0-

Beating Safari's Security

Cleaning out downloaded Error and Preview pages.

# grep -il lists (case-insensitively) the files that contain the marker text
for each in $(grep -il "This is only a preview" *); do
    rm -f "${each}"
done

for each in $(grep -il "Session Disabled" *); do
    rm -f "${each}"
done

Restart download with Offline Explorer to fill in the missing pages of your bookshelf.

Beating Safari's Security

Downloaded 600 Files within (just under) three (3) hours, and received a lockout warning.
After you start to receive warnings, threshold for next warning appears to be lower.
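The lockout described above, seen from the service side, as an added example that is not part of the talk: a detector run over constructed access-log lines that counts pages per account in a sliding window, lowers the allowance after each warning (the behaviour the slide observed), and flags a session that suddenly continues from a second address (the one-login rule that kills a running download). The 600-page/3-hour figure is from the slide; the log format, the CrawlMonitor class and the halving rule are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=3)   # 600 pages in under three hours drew a warning on the slide
BASE_LIMIT = 600
TIGHTEN = 0.5                 # assumed: each warning halves the remaining allowance


class CrawlMonitor:
    def __init__(self, window=WINDOW, limit=BASE_LIMIT, tighten=TIGHTEN):
        self.window, self.limit, self.tighten = window, limit, tighten
        self.hits = defaultdict(deque)   # user -> request times inside the window
        self.warnings = defaultdict(int)
        self.last_ip = {}

    def allowance(self, user):
        """Pages permitted per window; shrinks after every warning issued."""
        return int(self.limit * self.tighten ** self.warnings[user])

    def observe(self, ts, user, ip):
        """Return None, 'warn' or 'concurrent-session' for one request."""
        previous = self.last_ip.get(user)
        self.last_ip[user] = ip
        if previous is not None and previous != ip:
            # One login per account: a second address mid-session is the
            # condition the slides say terminates a running download.
            return "concurrent-session"
        q = self.hits[user]
        q.append(ts)
        while ts - q[0] > self.window:      # drop requests that fell out of the window
            q.popleft()
        if len(q) > self.allowance(user):
            self.warnings[user] += 1
            q.clear()                        # start counting afresh after the warning
            return "warn"
        return None


def parse_line(line):
    """Constructed log format: '<ISO time> <user> <ip> <path>'."""
    ts, user, ip, _path = line.split()
    return datetime.fromisoformat(ts), user, ip


def scan(lines):
    """Run the monitor over log lines; return [(time, user, event), ...]."""
    mon = CrawlMonitor()
    events = []
    for line in lines:
        ts, user, ip = parse_line(line)
        event = mon.observe(ts, user, ip)
        if event:
            events.append((ts.isoformat(), user, event))
    return events


def constructed_log(pages, start="2003-08-01T09:00:00", user="reader",
                    ip="10.0.0.5", every=timedelta(seconds=15)):
    """Synthetic log (constructed): one book page every 15 seconds from one account."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + i * every).isoformat()} {user} {ip} /book/{i}" for i in range(pages)]
```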

Beating Safari's Security
The idea of Digital Rights Management is unenforceable without causing major inconveniences to legitimate users.
DRM objectives conflict with ease-of-use design.

eBay Seller Fee Avoidance

Use of the non-paying bidder form negates the eBay listing fees.
Refund system seems to be automated.
Buyer could be given a discount to not report fraud. (useful for high value sales)
No incentive for buyer to report seller fraud if/when they are compensated by the seller.

Software Theft With Paypal

Depending upon implementation, users are paying a fee to learn the value of the return HTML form variable.

Return Value is specified within a hidden form value, or as a URL parameter.

Software Theft With Paypal
View Page Source, look for paypal URL:
https://www.paypal.com/cart/add=1&business=paypal%40finite-tech.com&item_name=IPSec+Client+Software&item_number=ASL-IPSEC-CLIENT-WIN&amount=90.00&shipping=12.00&return=http%3A//www.chillywall.com/success.html&cancel_return=http%3A//www.chillywall.com/cancel.html

return=http://www.chillywall.com/success.html

Purchase Success

Thank you for your purchase of ChillyWall and/or our other security products.
If you purchased a ChillyWall this unit will ship to the address that was indicated on your order typically within 2 working days.
If you purchased Astaro Security Linux Software you can download the software here. Your license will be e-mailed to you within 2 working days. You can proceed with your Astaro installation since the download is a 30-day evaluation which can be activated for all features purchased when you enter your license.
If you purchased VPN Client software then the following links will provide you with the software and documentation.
Software
User Manual
Release Notes

Software Theft With Paypal

Automated Serial Number/Key Return with Paypal billing is often exploitable by changing the price.
A legitimate, but small, payment is made for an order. The system acknowledges payment, but does not verify the correct amount was paid.

Software Theft With Paypal
Paypal Price Hiding Using URL Encoding
https://www.paypal.com/cart/add=1&business=paypal%40finite-tech.com&item_name=IPSec+Client+Software&item_number=ASL-IPSEC-CLIENT-WIN&amount=%39%30%2E%30%30&shipping=%31%32%2E%30%30&return=http%3A//www.chillywall.com/success.html&cancel_return=http%3A//www.chillywall.com/cancel.html

Paypal URL Encoding

URL Encoded Character Reference Table:
http://www.notestips.com/80256B3A007F2692/1/NAMO5HXFBQ

Method is not effective.
Just tries to hide the problem, rather than fix it.

Paypal Subscription Payments

Purchase of the paypal guarantee
May expose bugs in payment processing
Valid only for physical items; effects of purchase may not be tested during development of subscription billing.

A legitimate, but small, payment is made. The system acknowledges payment, but does not verify the correct amount was paid. Just assumes it was.
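The missing check the last two slides describe, as an added example that is not the talk's code: a handler that releases a licence key only after the processor's payment notification has been matched against a server-side price list, URL-decoding the amount first so that the encoded price on the previous slide compares exactly like the plain one, and refusing a replayed transaction id. Field names follow the processor's notification style but the notification, price list, item number and merchant address are all constructed; the post-back verification a real processor requires before trusting a notification is left out here.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import unquote

# Constructed values for the example.
MERCHANT_EMAIL = "merchant@example.com"
# item_number -> total the buyer must have paid (item 90.00 + shipping 12.00, USD).
PRICES = {"EXAMPLE-CLIENT-SW": Decimal("102.00")}


def parse_amount(raw):
    """Decode a possibly URL-encoded amount and parse it exactly.
    '%39%30%2E%30%30' decodes to '90.00', so encoding hides nothing from the server."""
    try:
        return Decimal(unquote(raw).strip())
    except InvalidOperation:
        return None


class PaymentGate:
    """Decides whether a payment notification justifies releasing the key."""

    def __init__(self, prices, merchant_email):
        self.prices = prices
        self.merchant_email = merchant_email
        self.seen_txns = set()   # a replayed notification must not release a second key

    def release(self, note):
        """Return (ok, reason). `note` is a dict of notification fields."""
        if note.get("payment_status") != "Completed":
            return False, "payment not completed"
        if note.get("receiver_email") != self.merchant_email:
            return False, "paid to a different merchant"
        if note.get("mc_currency") != "USD":
            return False, "unexpected currency"
        item = note.get("item_number")
        if item not in self.prices:
            return False, "unknown item"
        paid = parse_amount(note.get("mc_gross", ""))
        if paid is None or paid != self.prices[item]:
            # The slides' failure mode: acknowledging payment without comparing the amount.
            return False, f"paid {paid}, expected {self.prices[item]}"
        txn = note.get("txn_id")
        if not txn or txn in self.seen_txns:
            return False, "missing or already-used transaction id"
        self.seen_txns.add(txn)
        return True, "ok"


# Constructed notifications: one correct, one with the amount altered to 1.00 and
# URL-encoded so that it looks unremarkable in a casual look at the parameters.
GOOD_NOTE = {
    "payment_status": "Completed", "receiver_email": MERCHANT_EMAIL,
    "mc_currency": "USD", "item_number": "EXAMPLE-CLIENT-SW",
    "mc_gross": "102.00", "txn_id": "TXN-0001",
}
ALTERED_NOTE = dict(GOOD_NOTE, mc_gross="%31%2E%30%30", txn_id="TXN-0002")
```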

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick-subscriptions">
<input type="hidden" name="business" value="[email protected]">
<input type="hidden" name="item_name" value="Web Hosting">
<input type="hidden" name="item_number" value="WebHost11">
<input type="image" src="pics/x-click-but20.gif" border="0" name="submit"> $295.00
<input type="hidden" name="a1" value="0.00"> Setup Fee
<input type="hidden" name="p1" value="2"> Valid for 2
<input type="hidden" name="t1" value="M"> Months
<input type="hidden" name="a3" value="295.00"> Re-occurring Fee
<input type="hidden" name="p3" value="1"> Billed Once
<input type="hidden" name="t3" value="Y"> a year
<input type="hidden" name="src" value="1">
<input type="hidden" name="sra" value="1">
</form>

Preventing Form Alteration

Method #1: Variable Change Detection
CRC checksum of form variables
Open to reverse engineering attacks.
Does not guarantee security, just makes a possible attack more complex.
Checking the HTTP Referrer URL
Can be easily faked, as demonstrated.

Preventing Form Alteration

Method #2: Not Using Form Variables
Using form variables is the wrong way.
Extra programming and complexity is required for the server to track user sessions.
Security is not guaranteed by not using form variables; systems could still be vulnerable to other forms of attack.
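Both methods side by side, as an added example (not code from the talk): a keyed HMAC over the hidden fields in place of the CRC of Method #1, and a server-side plan catalog for Method #2 so the submitted price and term are never the ones billed. The CATALOG, SERVER_SECRET, settle_order and altered_form names and every value are constructed for the example.

```python
import hashlib
import hmac
import zlib
from urllib.parse import urlencode

# Constructed server-side catalog: plan id -> (price in USD, term in months).
# Billing reads price and term from here, never from the submitted form.
CATALOG = {
    "basic-monthly": ("15.00", 1),
    "premium-yearly": ("295.00", 12),
}
# Assumed secret that never leaves the server (constructed value).
SERVER_SECRET = b"constructed-example-secret"
SIGNED_FIELDS = ("plan", "price", "term")


def canonical(fields):
    """Stable byte string of the signed fields, independent of submission order."""
    return urlencode([(k, fields.get(k, "")) for k in SIGNED_FIELDS]).encode()


def crc_sign(fields):
    # Method #1 as on the slide: a CRC has no secret, so anyone who can read the
    # page source can recompute it after editing a hidden input.
    return format(zlib.crc32(canonical(fields)) & 0xFFFFFFFF, "08x")


def hmac_sign(fields, secret=SERVER_SECRET):
    # Keyed MAC over the same fields: recomputing it needs the server secret.
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def build_form(plan):
    """Hidden inputs the server would render, carrying both kinds of checksum."""
    price, term = CATALOG[plan]
    fields = {"plan": plan, "price": price, "term": str(term)}
    fields["crc"] = crc_sign(fields)
    fields["sig"] = hmac_sign(fields)
    return fields


def crc_check_passes(submitted):
    return hmac.compare_digest(submitted.get("crc", ""), crc_sign(submitted))


def hmac_check_passes(submitted):
    return hmac.compare_digest(submitted.get("sig", ""), hmac_sign(submitted))


def settle_order(submitted):
    """Method #2: return (plan, price, term) to bill from the catalog, or None.
    Client-supplied price/term are ignored, and a plan id outside the catalog is
    rejected rather than priced (cf. the Alexis Park select, where unlisted option
    values still bought a package)."""
    if not hmac_check_passes(submitted):
        return None
    plan = submitted.get("plan")
    if plan not in CATALOG:
        return None
    price, term = CATALOG[plan]
    return plan, price, term


def altered_form(fields, **changes):
    """Constructed client-side edit with the public CRC recomputed to match: this is
    what the slide means by a CRC being open to reverse engineering."""
    edited = dict(fields, **changes)
    edited["crc"] = crc_sign(edited)
    return edited
```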

Credit Card Payment Attack
Possible Attacks
Credit Card Fraud
Price Alteration
Avoiding Payment
Subscription Term Extension

Especially vulnerable when using hidden form inputs for payment parameters.

How To Spot ToS Attacks

Audit existing orders/subscriptions to verify subscription parameters have not been altered.
Do not trust what your custom application tells you; it may be lying.
Look for sudden increases in system utilization.
Make sure whoever processes orders knows to verify the amount paid is the amount owed.
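The audit recommended above, as an added example that is not the talk's code, run over constructed subscription records: it flags an amount that matches no catalog price, an amount that is a valid price for a cheaper plan or term than the one granted (the obscuring trick from the "How Attacks Are Obscured" slide, which a casual look at the billing records misses), and a free trial repeated on the same card or mail address. PRICE, audit, card_fp and the record layout are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed price list: (plan, term in months) -> price in USD.
PRICE = {
    ("basic", 1): Decimal("15.00"),
    ("basic", 12): Decimal("150.00"),
    ("premium", 1): Decimal("29.95"),
    ("premium", 12): Decimal("295.00"),
}
# Reverse lookup: which (plan, term) a given amount actually buys.
PRICE_TO_PLAN = {price: key for key, price in PRICE.items()}


def normalize_email(addr):
    """Lower-case and drop a '+tag' alias so trivial variants collide."""
    local, _, domain = addr.lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain


def audit(records):
    """Return a list of (order id, finding) for records that merit human review."""
    findings = []
    trials_by_card = defaultdict(list)
    trials_by_email = defaultdict(list)
    for r in records:
        if r["trial"]:
            trials_by_card[r["card_fp"]].append(r["id"])
            trials_by_email[normalize_email(r["email"])].append(r["id"])
            continue
        granted = (r["plan"], r["term"])
        if granted not in PRICE:
            findings.append((r["id"], f"{granted} is not a sellable plan/term"))
            continue
        if r["amount"] == PRICE[granted]:
            continue
        bought = PRICE_TO_PLAN.get(r["amount"])
        if bought is not None:
            # A real price, just not for what the account received.
            findings.append((r["id"], f"paid the {bought} price but holds {granted}"))
        else:
            findings.append((r["id"], f"{r['amount']} is not a catalog price"))
    for card, ids in trials_by_card.items():
        if len(ids) > 1:
            findings.append((ids[-1], f"free trial reused on card {card}: orders {ids}"))
    for email, ids in trials_by_email.items():
        if len(ids) > 1:
            findings.append((ids[-1], f"free trial reused by {email}: orders {ids}"))
    return findings


# Constructed records; card_fp stands for a card fingerprint, never the card number.
RECORDS = [
    {"id": 1, "plan": "basic", "term": 1, "amount": Decimal("15.00"),
     "trial": False, "card_fp": "fp-a", "email": "a@example.com"},
    {"id": 2, "plan": "premium", "term": 12, "amount": Decimal("15.00"),
     "trial": False, "card_fp": "fp-b", "email": "b@example.com"},
    {"id": 3, "plan": "premium", "term": 12, "amount": Decimal("2.95"),
     "trial": False, "card_fp": "fp-c", "email": "c@example.com"},
    {"id": 4, "plan": "basic", "term": 1, "amount": Decimal("0.00"),
     "trial": True, "card_fp": "fp-d", "email": "D+first@Example.com"},
    {"id": 5, "plan": "basic", "term": 1, "amount": Decimal("0.00"),
     "trial": True, "card_fp": "fp-d", "email": "d+second@example.com"},
]
```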

How To Protect Against ToS

Verify All Orders Manually
Regularly Audit Account Activity
Do not trust the security of your system automation.
Do not overlook accounting inconsistencies; they may be indicators of fraud.
Follow all security procedures from credit merchant

Attack Response Options
Depends Upon nature of the attack
How abusive was the attack?
Login/Password is not really fraud
Account Cancellation may be only option
Fixing security hole may be only option.
Can the user be tracked down?
Will law enforcement care?
Will the publicity of the hack be worse than the hack itself?

Attack Response Options


Ignore The Attack
Let all users continue discounted subscription
Account Cancellation
Account Modification
Back Billing

Recovering Losses
Back Billing Customer
Involve Law Enforcement
Write off the loss
Most often there is no way to recover losses.
Considered to be the victim's own fault for their losses.

DirecTV Theft Of Service
Thousands Of DirecTV Customers Sued
Threatening Letter Intimidation Tactic
Millions already have been paid to settle
No proof, other than purchase records; no actual proof of service theft.

DirecTV should not have legal protection to sue to recover losses for their inability or unwillingness to develop a secure system.

DirecTV Theft Of Service

If service is insecure and open to abuse, it is the provider's fault, not the customer's.
Suing Customers who break your weak security should not be a profit center for the company.
Proof should be required to be submitted for judicial review before the company is allowed to send mass lawsuit threat letters.

DirecTV Lawsuit Information

DirecTV article by Kevin Poulsen
http://www.theregister.co.uk/content/archive/30393.html

www.legal-rights.org

Finding Vulnerable Systems

Internet Search Engines

New sites directory listing
Searching for vulnerable site criteria (example: Instant or Immediate Activation / Paypal Use / Subscriptions)
Selfseek Web Search Spider (illumix.com)
Systems you use (or want to use) everyday.

Final Points
Very simple attacks
Common security oversight in newer sites
Hit and miss attack, more an annoyance than a real problem to most retailers.
Victim system admin gets little sympathy from law enforcement or colleagues.

Final Points
Sites vulnerable to ToS attacks are usually
vulnerable to other simple attacks.
Most likely effective on newer websites
that use a custom application or
misconfigured 3rd party product.
Theft of Service does not necessarily
mean there was a loss of revenue for the
company, had the attack not occurred.

Final Points
Depending upon attack, legal fraud is not always committed (It's generally considered the victim's fault for not taking basic security precautions.)
A company could be put out of business within the time it takes them to notice a vulnerability has been discovered.
