The analysis of a recent targeted attack against webmail users has led Trend Micro researchers to discover a vulnerability in Microsoft's Hotmail webmail service that allowed attackers to siphon contact details and email messages from the victims' accounts.
To trigger the attack, the victim wasn't required to click on a link or download and execute an attachment - simply opening the message would do the trick and a script embedded in the email would automatically be executed.
The script would then connect to http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number} to download yet another script.
"The nature of the said URL strongly suggests that the attack is targeted," say the researchers. "The URL contains two variables—{user account name}, which is the target user’s Hotmail ID, and{number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as we’ve found that the information theft routines are only executed when certain numbers are in the {number} field.
This second script takes advantage of a script or a CSS filtering mechanism flaw present in Hotmail to send out a request to the server that makes it forward all the stored emails to a predefined email address belonging to the attackers.
The good news is that once the user logs out (i.e. terminates the session) the email forwarding stops. Another good news is that Microsoft has been apprised of the situation and has already implemented a patch for the flaw.
To trigger the attack, the victim wasn't required to click on a link or download and execute an attachment - simply opening the message would do the trick and a script embedded in the email would automatically be executed.
The script would then connect to http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number} to download yet another script.
"The nature of the said URL strongly suggests that the attack is targeted," say the researchers. "The URL contains two variables—{user account name}, which is the target user’s Hotmail ID, and{number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as we’ve found that the information theft routines are only executed when certain numbers are in the {number} field.
This second script takes advantage of a script or a CSS filtering mechanism flaw present in Hotmail to send out a request to the server that makes it forward all the stored emails to a predefined email address belonging to the attackers.
The good news is that once the user logs out (i.e. terminates the session) the email forwarding stops. Another good news is that Microsoft has been apprised of the situation and has already implemented a patch for the flaw.
No comments:
Post a Comment