Bait and Switch: An iOS Phishing Scam Using the iTunes Terms of Service

[Guest post by Ryan Bailey]

Earlier this year roughly 50,000 stolen iTunes accounts were posted to a Chinese online auction site with prices ranging from 15 cents to $30 each. Many forms of attack can be used to acquire passwords like these by covert means, but almost none offer as straightforward a plan of attack as phishing. Phishing, like many other forms of modern-day email spam, is a form of social engineering that aims to acquire sensitive information by fooling users into freely surrendering passwords, credit card information or other potentially valuable data. Most current attacks come in the form of an email asking users to verify their account or billing details. These social engineering attempts often use pixel-perfect facsimiles of websites or newsletters in order to gain a user’s trust. That is where this phishing proof of concept takes its cue.

The Pitch
The first step of the attack is using a botnet to send out a fake news article that uses the default styling of a legitimately shared article. These emails often use minimal styling and shortened URLs, making a fake shared story almost impossible to distinguish from a real one.

The Hook
The user is then taken to a fake mobile version of the news article, where they can browse the page as they normally would. The only clue to the fake at this point is the URL in the address bar, which can easily be disguised with either a shortened URL or a misspelled domain name.

The Bait
After a certain amount of time, an iOS alert pops up to inform the user that the iTunes Terms of Service have changed. Normally users are only prompted to accept changes after attempting a download from the iTunes Store. But as anyone who has owned an iPhone will attest, these prompts stand in the way of the action the user actually wanted and are often accepted without a second thought. By delaying the bait until after the user has begun reading the article, it stands to reason that users will simply accept the new Terms of Service without thinking twice.

The Switch
After clicking through to accept the changes, the user is taken to a facsimile of the iTunes Store Terms of Service page, which gives bogus information about the update they are about to agree to. Hiding the standard Safari title bar to produce this view is easily accomplished with one of several frameworks designed to mimic the iOS user interface.

The Payoff

The user scrolls to the bottom of the fake Terms of Service to a realistic “Accept” button; tapping it pops up a copy of the iOS username and password prompt. After entering their credentials and tapping “OK”, the user is forwarded back to the article, none the wiser that their personal information is now in the hands of the highest bidder.

Conclusion

This proof of concept raises the question of how to educate users about the way their interfaces normally behave. Potentially, the only way users could recognise this as a scam is by knowing that iTunes never asks them to accept a Terms of Service update through a Safari window. This proof of concept was put together in only a few hours, but it could easily be made almost undetectable by an app slipping through Apple’s approval process, or simply by more advanced and malicious JavaScript and CSS. While this was a harmless proof of concept, something like it could easily be put into the wild and start showing up in spam messages almost overnight.

View the proof of concept here.


node.js at Facebook

Slides


Simple init.d script template

Recently I found the need to create an init.d script and, since I had a hard time finding an example elsewhere [1], here’s the overly simple script I came up with to get the job done:

#!/bin/bash
# myapp daemon
# chkconfig: 345 20 80
# description: myapp daemon
# processname: myapp

DAEMON_PATH="/home/wes/Development/projects/myapp"

DAEMON=myapp
DAEMONOPTS="-my opts"

NAME=myapp
DESC="My daemon description"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

case "$1" in
start)
        printf "%-50s" "Starting $NAME..."
        cd "$DAEMON_PATH" || { printf "%s\n" "Fail"; exit 1; }
        # Launch in the background and capture the child's PID.
        # DAEMONOPTS is deliberately unquoted so it word-splits into separate arguments.
        PID=$($DAEMON $DAEMONOPTS > /dev/null 2>&1 & echo $!)
        if [ -z "$PID" ]; then
            printf "%s\n" "Fail"
        else
            echo "$PID" > "$PIDFILE"
            printf "%s\n" "Ok"
        fi
;;
status)
        printf "%-50s" "Checking $NAME..."
        if [ -f "$PIDFILE" ]; then
            PID=$(cat "$PIDFILE")
            # kill -0 sends no signal; it only tests whether the recorded PID still exists
            if kill -0 "$PID" 2>/dev/null; then
                printf "%s\n" "Running"
            else
                printf "%s\n" "Process dead but pidfile exists"
            fi
        else
            printf "%s\n" "Service not running"
        fi
;;
stop)
        printf "%-50s" "Stopping $NAME"
        if [ -f "$PIDFILE" ]; then
            PID=$(cat "$PIDFILE")
            # SIGTERM asks the daemon to exit cleanly (many daemons treat SIGHUP as "reload config")
            kill "$PID"
            printf "%s\n" "Ok"
            rm -f "$PIDFILE"
        else
            printf "%s\n" "pidfile not found"
        fi
;;

restart)
        "$0" stop
        "$0" start
;;

*)
        echo "Usage: $0 {status|start|stop|restart}"
        exit 1
;;
esac

This script works in /etc/init.d on Xubuntu 11.10 (and so on most Debian-based systems) and on CentOS 5.5, where you can control it via chkconfig.

[1] That said, if you know of such an example I’d love to hear from you.


Hollywood vs the internet

[HT Forbes]

PROTECT IP Act Breaks The Internet from Fight for the Future on Vimeo.


Fun with jsonselect

One of the strengths of CSS and jQuery is that they provide a common and powerful mechanism, known as a selector language, for referencing bits of data, especially data whose structure is not exactly known at runtime. That makes such an addressing scheme a perfect fit for the often lumpy world of HTML.

Increasingly, JSON is being used as a transport medium for data, and with the rise of NoSQL solutions, having a selector language for JSON makes a lot of sense when dealing with JSON documents whose structure isn’t deterministic.

JSONSelect provides a good implementation of just such a JSON selector language, but after working with it on a project I found myself needing to do more than it allowed. Namely, I wanted (1) to perform a selection and receive the matching paths instead of the data at those paths, and (2) to modify the data at a given path in place.

jsonselect.match(sel, obj, asPath);     // Added the asPath flag to return a path instead of the values
jsonselect.forEach(sel, obj, fun, asPath); // Added the same flag to forEach, I use this to
jsonselect.get(path, obj);              // For getting the value using a path
jsonselect.set(path, value, obj);       // For setting the value of a path
jsonselect.del(path, root);             // For deleting a path

Here is my modified version of jsonselect in case anyone needs help solving the same problems I mentioned above.
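As an added example (not the modified jsonselect linked above, and not the JSONSelect project's code), here is a minimal get/set/del over a JSON document addressed by path, mirroring the argument order of the get/set/del calls listed above. It assumes a path is an array of object keys and array indices from the root, such as ["users", 1, "email"]. It also shows the check a path-based setter needs once paths can come from untrusted input: refusing to walk through __proto__, constructor or prototype, which would otherwise let a crafted path pollute Object.prototype, and only honouring own properties on reads so that inherited members are never returned as document data.

```javascript
// Added example (not the jsonselect code the post links to): path-based
// get / set / del over a JSON document. Assumption: a path is an array of
// object keys and array indices from the root, e.g. ["users", 1, "email"].

// Keys that would let a path taken from untrusted input reach Object.prototype.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isContainer = (v) => v !== null && typeof v === "object";

function assertSafePath(path) {
  if (!Array.isArray(path)) throw new TypeError("path must be an array");
  for (const key of path) {
    if (typeof key === "string" && UNSAFE_KEYS.has(key)) {
      throw new Error("refusing to traverse unsafe key: " + key);
    }
  }
}

// Return the value at path, or undefined if any step is missing.
// Only own properties count, so inherited ones (toString, ...) are never returned.
function getPath(path, obj) {
  assertSafePath(path);
  let cur = obj;
  for (const key of path) {
    if (!isContainer(cur) || !hasOwn(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

// Set value at path in place, creating intermediate containers as needed
// (an array when the next key is a number, otherwise an object). Returns the root.
function setPath(path, value, obj) {
  assertSafePath(path);
  if (!isContainer(obj)) throw new TypeError("root must be an object or array");
  if (path.length === 0) throw new Error("cannot replace the root in place");
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (!hasOwn(cur, key) || !isContainer(cur[key])) {
      cur[key] = typeof path[i + 1] === "number" ? [] : {};
    }
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Delete the value at path; arrays are spliced so later indices stay dense.
// Returns true if something was removed.
function delPath(path, obj) {
  assertSafePath(path);
  if (path.length === 0) throw new Error("cannot delete the root");
  const parent = getPath(path.slice(0, -1), obj);
  const last = path[path.length - 1];
  if (!isContainer(parent) || !hasOwn(parent, last)) return false;
  if (Array.isArray(parent) && typeof last === "number") parent.splice(last, 1);
  else delete parent[last];
  return true;
}

// Constructed sample document for trying the helpers out.
function sampleDoc() {
  return {
    users: [{ name: "ann", email: "ann@example.com" }, { name: "bob" }],
    meta: { version: 1 },
  };
}

const doc = sampleDoc();
setPath(["users", 1, "email"], "bob@example.com", doc);
delPath(["users", 0], doc);
console.log(JSON.stringify(doc)); // bob is now users[0], carrying his new email
```

The unsafe-key check matters most for set: without it, a path like ["__proto__", "isAdmin"] writes onto Object.prototype and every plain object in the process suddenly has that property, the classic prototype-pollution bug in path-based setters.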


Finding yesterday’s beginning and ending unix timestamp

When writing reports I’ve often come across the need to find the unix timestamps for the beginning and end of a day. Here is a Python snippet that does just that.

import datetime
import time

# Yesterday, as a naive datetime in local time
yesterday = datetime.datetime.now() - datetime.timedelta(days=1)

# 00:00:00 of that day; time.mktime() interprets the tuple as local time
yesterday_beginning = datetime.datetime(yesterday.year, yesterday.month, yesterday.day, 0, 0, 0, 0)
yesterday_beginning_time = int(time.mktime(yesterday_beginning.timetuple()))

# 23:59:59 of that day; the microsecond field is dropped by timetuple()
yesterday_end = datetime.datetime(yesterday.year, yesterday.month, yesterday.day, 23, 59, 59, 999)
yesterday_end_time = int(time.mktime(yesterday_end.timetuple()))

print(yesterday_beginning_time)
print(yesterday_end_time)


MongoDB script to check the status of background index builds

Here is a simple script I’ve found to be quite helpful for monitoring the status of background index builds across shards on a system:

var currentOps = db.currentOp();

if(!currentOps.inprog || currentOps.inprog.length < 1) {
    print("No operations in progress");
} else {
    for(o in currentOps.inprog) {
        var op = currentOps.inprog[o];
        if(op.msg && op.msg.match(/bg index build/)) {
            print(op.opid+' - '+op.msg);
        }
    }
}

Here's the output:

$ mongo mycluster:30000/mydb bgIndexBuildStatus.js
MongoDB shell version: 1.8.1
connecting to: mycluster:30000/mydb
shard0000:343812263 - bg index build 122042652/165365928 73%
shard0001:355224633 - bg index build 111732254/165568168 67%


Coffee: The Greatest Addiction Ever


How Intellectual Property Hampers the Free Market

[HT Mises Blog]


Open-source blueprint for civilization

[HT Mises Blog]
