Home
What Are Theft Of Service Attacks?
Contents
1. m Most likely effective on newer websites that use a custom application or misconfigured 3 party product TT hh hlCUCUteM Final Points Easy to perform Depending upon attack legal fraud is not always committed It s generally considered the victims fault for not taking basic security precautions A company could be put out of business with the time it takes them to notice a vulnerability has been discovered
2. Credit Card Required For Signup The 2 14 day free trial never expired The signup for the 14 day trial never ended IT Knowledge went out of business User s have full access to entire library for free normally costing 295 a year File Edit Yiew Favorites Tools Help Address ja http www ITknowledge com ITKNOWLEDGE COM Need IT Find IT Know IT Important Notice to Our Customers The ITKnowledge sites were shut down permanently on February 26 2001 The content from the sites has been taken off line and will not be made available on any other EarthWeb site lf you are interested in similar services you may want to look at http www books24x com http www informit com http www netlibrary com At this time we are processing refunds for outstanding subscriptions If you have any questions please email us at custsenice dice com Thank you for your patronage The ITKnowledge Team z pr 1 Mane ar Trtornat fa Teo a iy S a araa a4 A pe a ae PU IE EST T ER Slt eBay Seller Fee Avoidance Use of the non baying bidder form negates the eBay listing fees Refund system seems to be automated Buyer could be given a discount to not report fraud No incentive for buyer to report seller fraud when they are compensated by the buyer SES Software Theft With Paypal Depending upon implementation users are paying a fee to learn the value of the return HTML form vari
3. Theft Of Service Attacks Subscription Service amp Website Vulnerabilities E Theft Of Service Attacks Presented at Defcon 11 by Robert Sheehy rjs zendtech com Zendtech Services www zendtech com Presentation updates are available at http www zendtech com defcon11 tos What Are Theft Of Service Attacks Application Level Attack m Attacker Gains Increased Access To Restricted or Limited Resources Opportunistic Attack lypically does not result in system administration access SM Example Targets for TOS Attack Software Registrations amp Downloads Adult Web Sites Web Hosting Accounts m Proxy Anonymity Services Dial up Internet Service Email Usenet Service m Shell Accounts Financial News Services m Domain Name Registrations What Is Stolen Increase access to a service providers systems Shell Accounts Avoidance Of DNS Registration Fees Usenet Access Dial up Internet Access Web hosting for data piracy amp pornography storage e mail spamming ect Increased Access to restricted content Software tse security Holes Commonly Used for ToS attacks Instant Account Creation Vulnerabilities Subscription Data In HTML Forms Authentication data stored in user cookies Paypal Subscription Payments Application Server amp or Operation System specific vulnerability exploits SSS Obscuring The Attack Putting in the order durin
4. able Automated Key Return amp Paypal is often exploitable by changing the price m A legitimate but small payment is made for an order The system acknowledges payment but does verify the correct amount was paid Slee Software Theft With Paypal m View Page Source look for paypal URL https www paypal com cart add 1 amp business paypal 4Otinite tech com amp item_name IPSec Client Software amp item__ number ASL IPSEC CLIENT WIN amp amount 90 00 amp shipping 12 00 amp return http 3A www chillywall com success html amp cancel_return http 3A www chillywall com cancel html m return http www chillywall com success html Purchase Success Thank you for your purchase of ChillyWall and or our other security products If you purchased a ChillyWall this unit will ship to the address that was indicated on your order typically within 2 working days If you purchased Astaro Security Linux Software you can download the software here Your license will be e mailed to you within 2 working days You can proceed with your Astaro installation since the download is a 30 evaluation which can be activated for all features purchased when you enter your license If you purchased VPN Client software then the following links will provide you with the software and documentation software User Manual Release Notes SS Paypal Subscription Payments Purchase of the paypal guarantee May expose bugs in payment processing Va
5. ck Response Options Depends Upon nature of the attack How abusive was the attack Login Password is not really fraud Account Cancellation may be only option Fixing security whole may be only option Can the user be tracked down Will law enforcement care Will the publicity of the hack be worse then the hack itself Attack Response Options m Ignore The Attack Let all users continue discounted subscription Account Cancellation m Account Modification m Back Billing Recovering Losses Back Billing Customer m Involve Law Enforcement m Write off the loss Most often there is no way to recover losses Considered to be the victims fault for being a victim E DirecTV Theft Of Service m Thousands Of DirecTV Customers Sued Threatening Letter Intimidation Tactic Millions Have Been Paid Already To Settle No proof other then purchase records no proof of actual use E DirecTV Theft Of Service m Can They Do This m Will The Get Away With IT DirecTV Lawsuit Information m www legal rights org m http www legal rights org PAYPAL AFFIDAVIT html 2 hUMCUlt Final Points Very simple attacks m Security Oversights in newer sites Hit and miss attack more an annoyance then a real problem to most retailers m Victim system admin gets little sympathy from law enforcement or colleagues Final Points m Sites vulnerable to ToS attacks are usually vulnerable to other simple attacks
6. enting Form Alteration Method 1 Variable Change Detection CRC checksum of form variables Open to reverse engineering attacks Does not guarantee security just makes a possible attack more complex m Checking the HTTP Referrer URL Can be easily faked SSS Preventing Form Alteration Method 2 Not Using Form Variables m It s the right way Extra programming and complexity is required for the server to track user sessions security is not guaranteed systems could still be vulnerable to other forms of attack See Credit Card Payment Attack Possible Attacks Credit Card Fraud Price Alteration Avoiding Payment Subscription Term Extension Especially vulnerable when using hidden form inputs for payment parameters How To Spot ToS Attacks Audit existing orders subscriptions to verify subscription parameters have not been altered Do not trust what your custom application tells you it may be lie Look for sudden increases in system utilization Make sure whomever processes orders knows to verify the amount paid is the amount owed Detecting Credit Fraud m Have all order verified by human eyes Follow all security procedures from credit merchant How To Protect Against ToS Verify All Orders Manually Regularly Audit Account Activity Do not trust the security of your system automation Do not overlook accounting inconsistencies they may be indicators of fraud Atta
7. g a holiday weekend Backlog of orders from a long holiday weekend may result in less attention to order details Even if there is human review the attack might be overlooked during high sales volume Ch Who Is The Attacker m A Technically Savvy Customer A Competitor An e mail Soammer or other criminal Someone looking for a deal A legitimate customer s friend Theft of Service Attack Types Software Copy Protection Circumvention Abuse Of A Legitimate Account Bypassing the Billing System User defined changes to the subscription terms or price Copy Protection Circumvention Cracks amp Serial Number Websites owww astalavista box sk Cwww cracks am Cwww cerials net Cwww cracks wz Piracy Newsgroups on Usenet alt binaries cracks alt binaries warez 0 day alt binaries cd image SS Abuse of a Legitimate Account Choosing login password as your username passwd palir Makes remembering passwords much easier Allows for anonymous account sharing Makes the admin feel dumb when they find it Sl Abuse of a Legitimate Account Multiple Users of a single user account Easy to detect if the effort is made Normally results in account termination for Terms Of Service violation if detected a Account sharing is less likely to occur if the account exposes customer s data such as home address or credit card number Slee Bypassing The Billing System Cookie Poisoning Alter c
8. lacement from your bank with new numbers Repeat when new card arrives Sd Beating Safari s Security a Offline Explorer metaproducts com Used 2 8 1220 Service Release 1 during testing Demo version is usable Wget not successfully tested Gave up m Only One Open HTTP Connection Used 30 Second Delay between file retrieval Used the ISBN number as URL filter sortOrder asc amp view amp xmlid 0 7357 sortOrder asc amp view amp xmlid 0 596 Started at the bookshelf went 5 levels deep Sd Beating Safari s Security m Only One Open HTTP Connection Used m 30 Second Delay between file retrieval m Use the ISBN number for URL filter sortOrder asc amp view amp xmlid 0 735 7 sortOrder asc amp view amp xmlid 0 596 xmlid is the ISBN number of the book Start at the bookshelf go 5 levels deep Sd Beating Safari s Security Ihe idea of Digital Rights Management is unenforceable without causing major inconveniences to legitimate users DRM objectives conflicts with easy of use designs ITKnowledge com Offered 14 Day Trial Once per credit card similar to O Reilly Unsuccessful Attempt to stop offline archiving via login cookies Easily defeated m Subscribers received complete access to entire library ITKnowledge com Created Their Own Security Hole Sent e mail to previous subscribers who cancelled during the 14 day evaluation period offering another 14 day free trial No
9. lid only for physical items effects of purchase may not be tested in subscription system A legitimate but small payment is made The system acknowledges payment but does verify the correct amount was paid Just assumes it was lt form action hitps www paypal com cgi bin webscr method post gt lt input type hidden name cmd value _xclick subscriptions gt lt input type hidden name business value paypal zendtech com gt lt input type hidden name item_name value Web Hosting gt lt input type hidden name item_number value WebHost1 1 gt lt input type iImage src pics x click but20 gif border 0 name submit gt 295 00 lt input type hidden name a1 value 0 00 gt Setup Fee lt input type hidden name p1 value 2 gt Valid for 2 lt input type hidden name t1 value M gt Months lt input type hidden name a3 value 295 00 gt Re occurring Fee lt input type hidden name p3 value 1 gt Billed Once lt input type hidden name t3 value Y gt a year lt input type hidden name src value 1 gt lt input type hidden name sra value 1 gt lt form gt Slee Finding Vulnerable Systems m Internet Search Engines New sites directory listing Searching for vulnerable site criteria example Instant or Immediate Activation Paypal Use Subscriptions m Selfseek Web Search Spider illumix com Systems you use or want to use everyday SES Prev
10. ookie data to assume identity of a subscribing user Cookie Editor v1 5 a Available trom http Awww proxoft com CookieEditor asp WinHex a Ability to edit non persistent cookies in memory a Available from htip www sf soft de Bypassing The Billing System Free Trial Accounts Open to repeated use and abuse User is disqualified if they have previously used the same credit card or mail address for a previous free subscription Open to repeated credit card fraud especially if nothing is actually charged New credit cards with new numbers are also easy to obtain New Email addresses are easy to obtain Slee Bypassing The Billing System m Application Specific Attacks Bugs in the account signup process Account Verification pages that can be used to reactivate cancelled accounts Subscription amp Account Maintenance m Account Upgrade Downgrade may be open to attack while the initial subscription process is secure Subscription Specific Attacks m Alter subscription terms Premium Account at Basic Account Price a Yearly Account at monthly account price Attacking the re subscription process Attacking user verification pages Subscribe to a yearly account 24 hours later cancel the account Use verify page to reactivate account Sh HTM Form Alteration Attacks For GET forms change URL parameters For POST forms view the HTML source and change the value of the Hidden input ty
11. pes a type hidden OR type hidden char is optional Oh HTM Form Alteration Attacks For GET forms change URL parameters http website com script cgi var1 value1 amp var2 value2 m For POST forms view the HTML source in text editor change the value of the hidden input types lt input type hidden name price value 19 95 gt HTTP_REFERER m Used to validate that form was loaded from proper domain m EASY TO DEFEAT HTTP REFERER variable used to flag Suspicious orders for further human review Just because HTTP REFER is wrong does not mean the order is fraudulent HTTP_REFER faking method 1 m Place edited HTML form source onto web server m Change hosts file to map expected domain name to the new server Load the Page using the proper URL m Remove hosts file entry m Wait for DNS cache to expire or flush the cache then submit altered form to the target site HTTP_REFER faking method 2 Method utilizes browser proxy Support Edit hosts file as in method 1 Load altered page from your web server Enter proxy server information m Submit Form m Proxy will not use hosts information and will send altered form data with a faked HTTP REFER Automatic Form Submission Using the lynx and echo commands echo email first last somehwere com amp username username amp password tmp passwd amp amp passconfirm tmp passwd Submit Submi
12. t n n lynx post data http somesite com form cgi a Quotes Are Important because of amp Characters a Pipe echo command output to lynx UCU Combination Of Attacks m Change subscription period from monthly to a yearly subscription Change the subscription options to buy a premium account at the basic price m Transaction will look normal on casual inspection of the billing records ee O Reilly s Safari Bookshelf Security m System tries to enforce a No Offline Archiving policy detailed in their Terms Of Service Agreement hree strikes your out if the system detects massive downloading Session Limit One login allowed Cookie Based session tracking Restriction On Library Access Can only select X number of titles for access X varies with subscription type Beating Safari s Security Books must be kept on bookshelf for 30 days Does not matter if you cancel the account every month Just create a brand new account every month a f reusing a credit card you will not have any waiting time for bookshelf slots to open If using a new card you get a new 14 day trial Beating Safari s Security Free Trial Account Abuse Bypass Billing Get a new e mail address Sign Up for 14 day trial with a new CC Pick the books to fill your 10 bookshelf slots Use Offline Explorer to make an offline copy Cancel the account before the trial expires Cancel CC Get a rep
Download Pdf Manuals
Related Search
Related Contents
Référentiel des lieux des ateliers, temps de WJ-HD716K/G - Psn Rapport final EcCoGen - MAP-ARIA American Standard 1660.2 User's Manual ボウフレーム - 村中医療器 Manuel d`utilisation d`Unitex - Institut d`électronique et d`informatique MODE D`EMPLOI CARTE M`RA 水質調査 Copyright © All rights reserved.
Failed to retrieve file