Books

Books

28 December 2007

Akaun email GMail yang digodam dan domain yang ditukar


Sesiapa yang ada email GMail pastikan di bahagian 'settings' dan kemudian --> di bahagian 'Filters' dan 'Forwarding and POP/IMAP' tidak terdapat sebarang penambahan yang tidak anda pernah lakukan. Jika tidak terjadi seperti pengguna di bawah ini yang domainnya telah dihijack.



Jika terdapat sebarang perubahan sila pastikan anda menukar semua password atau apa sahaja dokumen penting yang perlu dilakukan. Walau bagaimanapun masalah ini telah dibaiki oleh pihak Google. Cuma pastikan email anda telah betul-betul bebas.

************************************************

Gmail Hacked! Check your Gmail filters now!

David Airey has lost his domain after his Gmail account was hacked by a hacker. But how did the criminal can take down David’s domain? You can read the full story here but if you want to know how the attacker did it, please read on.

First, the victim login to his Gmail account as normal. Then he visit to a website which contains a script that exploiting the vulnerability in Gmail. This script will create a new filter in the victim’s email. Like in the example above, the script creates a filter that will forward any email that has attachment to collect@evil.com.
But how about if the filter is set to forward all incoming emails to the attacker email? Do you will happy losing all your secret and passwords to the attacker? Of course you are not.
I have checked my filter settings in Gmail. Know what? There is a filter that forward incoming emails to *@colmac.com. I was shocked and removed it immediately. I do not know since when the filter was added and how many emails the guy at colmac.com had read. I hope they are happy what they are doing.
If you using Gmail, check your Gmail filters now. Who knows, maybe you are lucky and get strange filters in your Gmail settings. However, Google has fixed this problem but you are still be advised to check your filter settings.
************************************************

WARNING: Google’s GMail security failure leaves my business sabotaged


GMail hacked
What would you do if a criminal stole something very personal, and very valuable from you?
What if they were able to target your business and criple your income?
You wouldn’t be too happy now, would you?
What if you also discovered that this was happening because of a Google security infection that can affect every GMail user on the planet?
That’s what has just happened to me, and here I’m going to tell you my story. I will detail everything I know about the web pirates who are threatening my livelihood, and tell you what you need to know in order to avoid the same thing happening to you.
On November 20th 2007 I left the UK to spend a month’s holiday in India. I’d been planning this break for over a year, and was looking forward to taking my girlfriend away on our first foreign trip together. Prior to leaving, I published a blog post to let my readers know I’d be away for a while, and that my blog would be a quiet place in my absence.
All my clients were informed, bills paid, loose ends tied up, and off I went on a new adventure.
I arrived in Mumbai on November 21st, and on the journey from the airport to the Colaba district, was punched in the face by an Indian youth, but that’s another story.

During the month ahead, I knew I’d be irregularly checking my emails, but only to let my loved ones know everything was fine. This holiday was to be a break from work, and a break from computers.
Indeed everything was fine for a few weeks, until December 15th (five days before I was due to return from holiday). I called into an internet caf� in Goa, and read some worrying emails from good friends of mine. I was informed that my website had disappeared, and that my domain name (www.davidairey.com) was now redirecting to some random website - bebu.net.
I was confused, and anxious. How could this happen? I hadn’t received any notification of my domain name expiry, and I never divulge any passwords to anyone. The only possible explanation for me was that somehow, the domain name had expired without me receiving any notice, and that some domain poacher had snapped it up before I got a chance to renew.
My website had been pulling in over 2,000 unique daily visits. Not a massive amount by any stretch of the imagination, but for a one-man operation, 700,000+ annual visitors can generate a nice amount of new logo design business.
So I ran a WHOIS check on davidairey.com, hoping to find an email address for the new owner. The search yielded this email address: DAVIDAIREY.COM@domainsbyproxy.com and here’s the email I sent:
Hello,
Please can I purchase my old domain name from you. It seems it expired without my knowledge.
www.davidairey.com
Kind regards,
David
I found it hard to believe that I’d let my domain name expire, but thought it a good idea to send an email nonetheless.
On the very same day, I received a reply. It came from one supposed Peyam Irvani, telling me the following:
Hello,
Please send me your high offer !
Regards
By this stage, I’d already had some back and forth email discussions with close friends, wondering what exactly could have happened. I also contacted my web host company, ICDSoft, asking them to help. They were the ones who sold me the domain name after all. Shouldn’t they have informed me?
This is when I found a disturbing support ticket, posted in my web host support panel. It was supposedly from me, addressed to ICDSoft’s support team, and was created on November 20th, the exact date of my departure from the UK. It read the following:
Subject: Davidairey.com Transfer
Hello,
I want to transfer davidairey.com to another registrar please unlock it and send me the EPP transfer code.
Kind regards,
David
Within just one minute (ICDSoft’s support team are very fast) the following response had been supplied:
Hello,
We unlocked your domain name as requested. Here is its EPP code:
Domain name: davidairey.com
Auth/EPP key: 6835892AE0087D66
Best Regards,
Support
I immediately typed a reply to this ticket, asking for help, and wanting to know what I could do to resolve the situation. Here’s what I was told by the support team:
Unfortunately, the domain name has been transferred successfully, and it cannot be reverted. The current registrar may be able to give you more information.
The original ticket message was sent from this IP address: 207.36.162.100
The person who posted it must have had access to your email, too, because transfers have to be approved by the administrative contact in order to be successful.
What? Not only did the hacker gain access to my web host control panel, but they also squirmed their way into my email account? This is when I began to get very worried. I kept a lot of personal emails behind my username and password, and this was a real invasion of privacy. For a few minutes I sat in the net caf�, my girlfriend beside me, and I didn’t know what to think.
I sent an email to GoDaddy, where my domain had been illegally transferred to, and asked them to prevent any further transfers. I wanted the domain in one place whilst I investigated. Here’s what GoDaddy said:
Unfortunately if a transfer request is made and completed we will not be able to prevent this unless we receive the notice from a court or arbitration forum… I apologize for any inconvenience this may cause.
Okay, so GoDaddy can’t help until the matter is taken to court.
This whole process ran over a few days of my holiday, as GoDaddy took over 48 hours to respond. At this point, and on December 19th (four days after my first email to the web pirate, ‘Peyam’), I thought I’d send a reply, and here’s what I said:
Hello Peyam,
Well, congrats on your hack. I’d love to know how you did it.
Before this moves through the courts, in order to settle the dispute, I don’t suppose you’d be so kind to give me my domain back? It’d really save me a lot of hassle, but if that’s what it takes, so be it.
I saw no point in being aggressive, wishing to keep them ‘on-side’ as much as possible.
Again, that same day, I received a response:
:))
Im sorry to say but its not possible to have it or it take about 1 month if you try hard to have it again :)) and you lose your visitor ….hahaha
You can purchase it for 650 $ And we will use escrow sevices ;) that will done in less than 2 days !
Now my domain name was being held to ransom, and the hacker was taunting me. What I had spent more than a year building into a sound marketing plan had been severed at the knees.
I’m not the type of person who will hand any money over to a criminal, so I didn’t reply, instead focusing on stopping this hacker from stealing any more of my property.

How was I being hacked?

After a little research, I found this expos� into Google’s GMail defficiences: Google GMail E-mail Hijack Technique
It details the exact GMail hijack that I have just found applied to my account (right whilst writing this blog post).
Here’s an excerpt:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim�s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
And here’s a three step illustration of just how this threat works (click each image for a larger version):
GMail security threat
GMail security threat
GMail security threat
Images courtesy of GNUCITIZEN
I took a look at the ‘Filter’ option in my own GMail settings, and it turns out that you can easily set incoming emails containing specific words to be forwarded automatically. For example, if you want any emails containing the word password to be sent to another address, no problem. It also appears that the Filter can delete the email from your GMail inbox as soon as it has been forwarded, so you’d be none the wiser if a hacker was playing havoc with your incoming mail.
IMPORTANT: If you use GMail, it’s absolutely vital that you check your account settings now.
Here’s what to do:
When logged into GMail, click on the ’settings’ tab in the upper right of the screen. Then check both the ‘Filters’ and the ‘Forwarding and POP’ sections. This is what I only just found in my ‘Filters’ tab:
The following filters are applied to all incoming mail:
Matches: transfer-approval.com
Do this: Forward to ba_marame_pooli@yahoo.com, Skip Inbox, Delete it
Matches: from:(transfer-approval.com)
Do this: Forward to ba_marame_pooli@yahoo.com, Skip Inbox, Delete it
I have absolutely no idea who’s email address that is, but it seems to me that some of my personal emails were bypassing my inbox entirely, instead being forwarded to the yahoo.com address.
It appears that the GMail security issue is fixed, but that won’t remove any previously installed Filters from your GMail account.

What do I know about the hacker stealing my property?

I have a GMail address, pay.irv@gmail.com, and what’s possibly some fictitious name, Peyam Irvani.
There’s also the Yahoo email address, ba_marame_pooli@yahoo.com, where my emails were being forwarded to through the malicious Filter.
ICDSoft provided me with the IP address from where the fraudulent support ticket originated (207.36.162.100), and it’s possible to search for it’s physical location using a free online IP address locator. I’d never used one before, but gave it a shot…
According to IP Global Positioning, the IP is in the United States. Fort Lauderdale, Florida, to be more precise, and the Internet Service Provider is known as Cybergate INC (based in Mississippi, USA).
I’m not entirely sure just how much this information can help me, if at all, but I thought it might be useful.
A little unexpectedly, I received a third email from ‘Peyam’ on December 21st, saying:
Helli David,
We can use escrow and you can have your domain name again :)
Only for 250 $ !
Do you want it ?!
Its special christmas offer ! haha
I like to see you have that domain name again :)
I don’t care if it costs $0.02. I won’t give my money to a criminal.
You might be wondering what I did to ressurect my website from oblivion. You’re reading this post after all. Before the theft, I had both davidairey.com and davidairey.co.uk, with the .co.uk permanently redirecting to the .com (I felt it would make more business sense to use the .com as my main address due to its ease of memorability.
I’m now using www.davidairey.co.uk domain as my main address. What does this mean? It means that all my organic search results are reset to zero. Whereas once I was on the first page of search results for logo designer, I’m now nowhere to be found.
It also means that my business cards are now incorrect, and my email addresses too. Quite an expense, but I’d rather fight in the courts than give one penny to the person who did this.
During the site move, I found to my detriment that I was linking to my blog images entirely the wrong way. I had been uploading my picture files to a subdomain (blog.davidairey.com/images) then placing them inside my blog posts from there. This meant that whenever the domain name changed to davidairey.co.uk, so did that subdomain. It now became blog.davidairey.co.uk/images. Therefore, my site was missing every single image I’d ever added.
In order to fix this, I moved all the picture files to a new folder, in the root directory at davidairey.co.uk/images. Now, when I insert an image into a blog post, I don’t use the full URI, but cut the address to it’s bare minimum, like so: img src=”/images/example_filename.jpg”
This means that should I ever re-change my domain name, back to the .com for instance, the images will automatically pull whatever domain name I’m using, without the need for a change.
I’m now also using this technique for internal hyperlinks. Rather than linking to my contact page like so: “http://www.davidairey.co.uk/contact”, I’ll simply use “/contact”.
Much better, and uses less code too.

Where can I get help with domain name disputes?

This is the stage I’m at now, weighing up my options before it comes to paying legal fees. This is also where I’m calling on your valued help. I know that many of you are much more clued up on this than I am, and if you can spare some advice in the comments here I’d be very appreciative.
In my email communications with GoDaddy (the company where my .com domain name is now registered), a representative had this to say:
Should we receive notice of a pending dispute from a court or arbitration forum, we will lock the domain name so it cannot be transferred or have the registrant information modified. Likewise, when we receive a decision from the legal body, we will update the domain name accordingly.
They then directed me to the WIPO (World Intellectual Property Organization, domain.disputes@wipo.int).
So I looked into this organisation’s website, and in particular, the section on domain name dispute resolution resources.
There’s a FAQ section which provides information on a number of items, including the following:
To cut a long story short, it seems I have to pay a minimum of $1500 for the pleasure of initiating a court case. All fees are listed here.
As for how long the process lasts, this information isn’t very obvious on the WIPO website, so at present I’m unsure.

What should I do?

From what I understand, the only option is to proceed with legal action (again, I’m not paying the thief one penny).
  • Do you know any different?
  • Do I have a good case to proceed with?
  • Is there any other information available online about the pirate who is blackmailing me?
If you can provide any of these answers, it would mean a lot.

Thank you

Thank you so much to those of you who kindly emailed me at the start of this situation: Vivien, Ben, Tammy, Armen, Dawud, Ed and Jamie. I know that more of you tried, but that I didn’t receive your emails because my accounts no longer existed.
Thank you also, to everyone who is lending their support in the comments of my previous blog post, David Airey.com hacked. Many of you have also published my news on your own blogs, and this really lifts my spirits, showing just how great the people in the blog world are:
Here’s a sampling of your kind help:
It truly is fantastic that you’d go to this effort, and if there’s anything I can do in return, do let me
know.
UPDATE: My domain name has been returned! You can read how in this follow-up blog article, posted here on my site on December 27th.


************************************************

Google Vulnerability

Yesterday, I found a new Google.com XSS vulnerability that can be abused to steal information from Gmail accounts, I've done responsible disclosure of at least 3 vulns to Google, but since I haven't got enough 'motivation', I'll go full disclosure now.
The vulnerability exists in Blogspot polls feature, I had already disclosed a vulnerability on this system. The 'font' parameter was not being sanitized before being used inside an STYLE tag, so you could inject IE's expression() and Mozilla's -moz-binding. They fixed it, however they didn't check enough the rest of the code, the new XSS is:
Simple XSS POC
Since its Sunday and there is nothing else to do, I've created 2 more pocs, one of them, shows a your contacts, the second one will make Gmail forward all new received emails to another email account, no user interaction required, well you just need to open a website while still logged to Gmail.
POC1: http://beford.org/stuff/contacts.htm
POC2: http://beford.org/stuff/gmail.htm

I have tested them under IE, Konqueror, Opera and Firefox, it should work on all of them. If
you want to be protected against this kind of attacks, I'd highly recommend Firefox +
NoScript.

Update: Google fixed this issue, I'd like to ask the people that looked at the second poc to disable forwarding if you have not done so, I'm still getting ton of email. This screenshot shows how to disable forwarding.
gmail.png




Rujukan:
http://www.davidairey.co.uk/google-gmail-security-hijack/
http://blog.beford.org/?p=3
http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
http://www.flairpair.com/blog/security-privacy/gmail-xss-exploit

No comments: