“ChaO” (Cagatay Evyapan) was well-known in the underground carding community.  Watch the footage below, you will be very impressed how this fraudster converted his villa into a high profile ATM skimming device production factory.

ChaO’s fraud devices in action:

The attached skimming device copies all 3 tracks from the magnetic stripe of a credit/debit card, the keypad captures the PIN.  After is really easy for the fraudster to copy all collected info to  ISO 7812 blank cards  and eventually be able to cash out the money.

His hacking tips are the following (did not prove to be the best tips in his case):

* don’t install a skimmer in the morning, because people are more vigilant then;
* determine where a person would have to stand to keep an eye on everything happening on that block;
* avoid blocks where more than 250 people per day walk through, because of the danger of detection;
* don’t install skimmers in towns with fewer than 15,000 people, because people in those towns know what their ATMs look like;
* avoid areas with small shops open 24 hours a day, because there may be surveillance cameras and vigilant shopkeepers;
* don’t set up in areas where a lot of illegal immigrants live;
* places with a lot of tourist traffic are good;
* look for affluent neighborhoods and drive-through ATMs;
* ATMs near cash-only bars are a good bet for lots of customer activity.

buckinghamcounty.virginia.gov – IIS5.0 on Win 2000 – Defaced by a Turkish cracker. Possibly he successfully exploited the FrontPage extensions misconfiguration vulnerability. He added his e-mail address. Of course if you contact him to ask what was the method used to deface, most probably he is going to reply that was a 0day vulnerability. What a stupid thing to do (add contact details). I am not going to explain why. He should work his own mind. I’m sure that at some point he is going to check this blog post because his nickname (UyuSsman) will be soon enough indexed in search engines…

genome.nasa.gov/delivery/affy-C2wPDrGz – Apache on Linux – Defaced by an Algerian cracker. Exploited an open door left in a web application. It is NASA! Automatically becomes teh uber h4x0r. LOL. Worths admiring l33t skills that even my grandma could use.

williamsburgva.gov/uk/4ever.htm – IIS6.0 on Win 2003 – Another deface by a Turkish cracker. You can contact him via MSN, just add turkishmember@yahoo.com.br!!! Obviously he is collaborating with Brazilian defacers. Without collaboration he wont be able to climb his way up on Zone-H’s hall of shame board for special defacements.

cncsoig.gov/cum.htm – IIS6.0 on Win 2003 – Defaced by a cracker from Panama. Silly him, named the defaced page “cum.htm”. Notice to how many people sends greets. You can find him at irc.GigaChat.net [Now down for some reason] #core-project, #whackerz, #Xtech, #Segfault – where all the l33t peeps are idling and privately exchanging messages about their achievements. In this defacement there is a reference to the recent arrest of four Chilean crackers who were members of the “Byond Hackers Team”. Most probably the defaced page was influenced from watching too many h4x0r movies! h0h0.

dialog.cancer.gov – IIS5.0 on Win 2000 – Defaced by crackers from the Dominican Republic. They seem to know how to exploit basic SQL injection vulnerabilities. They just defaced the page with the message “D.O.M TEAM 2007 === xarnuz === “. No specific reason for their deface. Just for fun I guess. Surely showing off their team and nicknames to the defacers underground community.

ncilistens.cancer.gov – IIS5.0 on Win 2000 – Defaced by Brazilian crackers. Exploited an SQL injection vulnerability to add “Hacked by AciDmuD – RitualistaS GrouP”. They also added a contact e-mail address.

cncsig.gov – IIS6.0 on Win 2003 – Defaced by Brazilian crackers. Funny thing they call their team “linuXploit_crew”. That means they exploit Linux boxes as well. OMG! Those guys must be uber-l33t0r. So ultimate respect for them. They support that hacking is not a crime. I certainly agree, but what they did is not hacking but cracking, and this is illegal aka a crime.

whitecounty-il.gov/index.html Win 2003
woolwichnj.gov – Apache on Linux – Defaced by Brazilian crackers. Possibly exploited a PHP inclusion vulnerability, called a remote command shell script, checked with “uname -a” that the kernel is vulnerable to a local root exploit, run wget to download a backdoor to a writable directory, run the backdoor, telneted to the specific backdoor port, run wget to download h00lyshit or prctl local root kernel exploits, tested successfully one of the local root exploits, got root, owned the web server. They didn’t even spell right the word “owned” in the defaced page. Quite possibly, maybe they even tried to deceive by changing the kernel version in the defaced page. They would look more l33t that way: “2.6.16-1.2111_FC5smp #1 SMP Thu May 4 21:35:09 EDT 2006 “.

armenia.ca.gov – Apache on Linux – Defaced by a cracker from Saudi Arabia. This guy seems to know who he is, not a hacker, but a “R00T Cracker”. ROFL! Even that, maybe he is lying. Could be a “UID=APACHE Cracker”. You can contact him “For Mor Security” at S4curity@HotMail.Com and Admin@611.Com. This cracker used the same exploitation methodology as the Brazilian group above. No further commentary for this deface…

arb.ca.gov/research – Apache on Linux – Defaced by crackers from Brazil.

Concluding this commentary, all of the above defacements were a result of the following security vulnerabilities which were already known – some for many years now.

- SQL injections (programming mistake)

- PHP inclusion (programming mistake)

- FrontPage Extensions (misconfiguration)

Windows or Unix with enabled FrontPage extensions could be vulnerable due to misconfiguration. If vulnerable, open the target domain or ip as web folder and you are in its webroot. It is very possible that you have write access. What if such misconfiguration exists in a web server which hosts thousand of sites and supports server side languages as ASP and PHP? Attackers can upload scripts which allow them to mass deface in few seconds all the hosted sites, run backdoors, download confidential data if any, use server as part of their botnet and erase all the log files. The best solution is to totally disable FrontPage extensions.

Read this text for more detailed information about web folders and FrontPage extensions.

- Microsoft Data Access Internet Publishing Provider DAV 1.1 and mod_dav (misconfiguration)

Attackers can import a list of high-profiled domains and check against if they allow PUT requests. Using the PoC for this vuln, they can PUT /theirdeface.htm to the webroot of the vulnerable domains. They can even PUT /ntdaddy.asp or other shorter in size web administration scripts in order to grant complete access to the web server. Also Linux web servers with mod_dav could be vulnerable.

The sysadmins, webmasters and web developers surely learnt their lesson. It is always the human factor to blame first for any occurrence of security breaches.

Quite ironic that gov systems are consistently attacked by confused script-kiddies. After all for them is just “show off” game.

More U.S. governmental defacements submitted to Zone-H by the crackers:

DigitalMind woolwichnj.gov Linux
ArREs vil.prentice.wi.gov Linux
S4udi-S3curity-T3rror armenia.ca.gov Linux
Apocalypse cncsoig.gov/cum.htm Win 2003
D.O.M dialog.cancer.gov Win 2000
RitualistaS ncilistens.cancer.gov Win 2000
linuXploit_crew cncsig.gov Win 2003
Kript3X bowmar.gov/hacked.htm Win 2003
soyletmez https://sc-isac.sc.gov Win 2003
SegmentationFault ops.sgp.arm.gov Win 2000
SegmentationFault nevadatreasurer.gov Win 2000
SuZuki commerce.idaho.gov Win 2003
SuZuki community.idaho.gov Win 2003
XTech Inc lmhc.la.gov Win 2003
XTech Inc lmhc.louisiana.gov Win 2003
Phantom Orchid cstx.gov/home Win 2000
BiyoSecurityTeam roundrocktexas.gov Win 2003
S4t4n1c_s0uls csac.ca.gov/doc.asp Win 2003
RootDamages vacsp.gov/news.cfm Win 2003
beyrut-KaI3uS vivote.gov Win 2003
PowerDream leesburgva.gov/pwd.htm Win 2003
SuZuki remember.gov Win 2000
S4udi-S3curity-T3rror armenia.usaid.gov Linux
sinaritx doe.nv.gov Win 2003
s@bun secure.sc.gov//LexSheriff Win 2003
W4n73d_H4ck3r senegal.usaid.gov Win 2000
DigitalMind seagrantdev.noaa.gov Linux
W4n73d_H4ck3r admin.fmcs.gov Win 2003
W4n73d_H4ck3r fmcs.gov Win 2003
DigitalMind seagrantdev.noaa.gov Win 2000
DigitalMind seagrantdev.noaa.gov Win 2000

and many other that we don’t know about…

View the mirrors of the defaced sites on Zone-H and if you want add a comment below:
http://old.zone-h.org/en/defacements/special/filter/filter_domain=gov

Clearly they “promoted” themselves to the script kiddies scene with a “wannabe an elite defacer, thats why I deface .gov/s and publish them on Zone-H” attitude. Of course they will never admit to this and continue to feed their bogus pride until is jail time!!

Nuff said.

Full name:
Handle:
Nationality:
Security projects participated/currently participating:
Programming knowledge:
Certifications if any:

Thank you,
d1m

This release implements DNS queries against multiple DNS servers, a more efficient threading algorithm and some minor bug fixes.

Quoting from the tool’s official website:

TXDNS main goal is to expose a domain namespace trough a number of techniques:

-Typos
-TLD rotation
-Dictionary attack
-Brute force

TXDNS may be used to:

- Fill the reconnaiscence gap left due to DNS servers hardening, as dns-zone transfers are much like to fail.
- Dig a given domain name for possible phishing variations based on common well-known typo algorithms and return dns queries on both used and not used names.
- Stress-test DNS servers due is configurable aggressive behaviour.

TXDNS provides some cool options, such as:

- Perform queries only for a given Resource Record type:
A, CNAME, HINFO, NS, TXT & SOA
- Perform non-recursive queries.
- Perform queries against a given DNS server.

Read more about the latest version.

Download TXDNS v2.1.5

It is multi threaded and can audit more than one system and account in a given session.

Download SSHatter-0.2

Almost everyday I visit Zone-H’s archive of special digital attacks, I find that at least 1 or 2 attacks were done against US governmental web servers. The domain suffix of the defaced websites was *.gov. Does this fact means that they are totally secure? I don’t think so… Obviously the web servers may host very confidential data. In this case the web server administrators seemed to have allowed threats against governmental assets. Any unwanted consequences that a breach of security can lead to, are mainly caused by the irresponsibility and lazyness of system administrators and web developers.

The methodology for defacing a website is pretty standard. Here is the standard sequence of tasks that normally the crackers/defacers would follow: Footprinting, scanning, enumeration, penetration, attack, covering of tracks and installation of backdoors. As I mentioned before, the motivations for defacing any website are various, whereas when defacing governmental websites, could be a promotion of an ideology, revenge, or just a challenge.

I don’t believe that people who are serial website defacers hold good real-life jobs, or any job at all. This is just my personal opinion which is based on the fact that defacing is illegal in most countries – thus involving a high risk of getting arrested - and requires some basic knowledge, time, and patience. Advanced knowledge of technical and theoretical network security issues is not always required to deface. I think that understanding IT security theories, enhances intelligently your logical application of related practicalities. Achieving a deface could require the application of a complex exploitation methodology. This is enough reason to give up for some defacers without patience and with incomplete knowledge.

Tools assisting each step mentioned in the last paragraph are widely available for free on the internet. Most of the authors coded them for ethical, legal and educational use. Of course some were specifically coded for easily generating domain lists, exploiting security vulnerabilities, and mass-defacing websites. These are not easy to find on the web, nor are that difficult to code. Instead, individual defacers and groups exchange them in IRC channels, private forums  and servers, and through instant messengers.

One example of such an IRC server is irc.gigachat.net.

Script kiddies who deface, prefer to use fancy GUIs for tools rather than command line. Command line tools seem to exceed their learning and memory capabilities, or they don’t have the will and patience to research and analyze effective methodologies used by professionals in netsec pen-testing. They would be more technically skilled and better exercise their brain to remember simple and complex command sequences in multi-OS environments. Plus they would develop their practical skill-set which may be necessary if they choose to follow an IT career at some point – if they don’t end up in jail.

Depending on their ethical and legal attitudes, usually what they want is to quickly accomplish breaking in a network, maybe lookup for confidential data, download them and deface the home pages of hosted sites. Always counting in exceptions, most probably they didn’t use their own exploits, but what was already public.

Now I’m going to quote from another of my posts the following:

“In the mind and soul of the crackers who deface high-profiled websites, there is a false sense of pride. They think that it reflects their cracking skills and status in the defacers scene. For them defacing is more like a game. The messages shown in their defacements are more like an excuse for taking part in this game. The real motivation and reasoning behind their attacks, in most of the cases is not political, patriotic or other; but is just to show off themselves and their country to the world…

They attach a nickname to their personalities and cracking abilities, and they try to raise its status in the scene. They like searching for their nicknames in news websites and showing off the link to other crackers in their IRC channel, other channels, or through their websites.”

You will be ignored if you request mentioned tools or help to deface a website. Comments are welcome of course.

Using google-dorks, the attackers can search for frame scripts allowing the inclusion of any url. This search reveals thousands of results with too many websites vulnerable to cross-site framing:

allinurl:”url=http” “frame”

inurl:frame filetype:asp  inurl:”url=”
inurl:frame filetype:aspx inurl:”url=”
inurl:frame filetype:php  inurl:”url=”
inurl:frame filetype:cfm  inurl:”url=”

inurl:iframe filetype:asp  inurl:”url=”
inurl:iframe filetype:aspx inurl:”url=”
inurl:iframe filetype:php  inurl:”url=”
inurl:iframe filetype:cfm  inurl:”url=”

allinurl:http frame.asp
allinurl:http frame.aspx
allinurl:http frame.php
allinurl:http frame.cfm

allinurl:frame.php?url=http
allinurl:frame.asp?url=http

Phishing and other scams are now easier to perform due to cross-site framing.
Having found such frame scripts, allows the attackers to include a webpage which is hosted somewhere else. This webpage can be designed to look like the original website and can be any cross-platform server-side script. It can contain a fake login form which on submit parses the inputted usernames and passwords and sends them to the attacker’s mailbox in cleartext format.

It is also possible to perform XSS attacks as in most cases there is no filtering of special characters, script or other common tags in the URL parameter.

Daniel Hugh mailed us about a cross-site framing and scripting vulnerability affecting Gov.MT (Official website of the Government of Malta):

Gov.MT with Frame Redirect and XSS

The XSS vulnerabilities affecting websites can also be used to perform frame redirects, but not the contrary. So if you submit a website vulnerable to cross-site framing along with a XSS attack vector, we will publish it as XSS.

The above news were written in order to heighten the awareness of potential privacy threats to users of the web.

You can also access this blog post  from XSSed.com – a project I run with Kevin Fernandez.

Here is the link:

http://www.xssed.com/news/26/Cross-site_framed/

Furthermore, here are the steps which the attacker would follow:

1. Information gathering for the external network
2. Seeking for vulnerabilities & misconfigurations
3. Using flaws to get a shell
4. Information gathering for the internal network
5. Escalating privileges for the internal network
6. Converting internal network to external

Download SuRGeoN’s paper from here: [ srgn-pentest-01.pdf ]

This information is provided to you ONLY for educational purposes. The way that the information in this paper will be used, depends on the individual’s legal and ethical attitudes. YOUR choice!… YOUR risk!…

Comments on the paper are of course welcome. You can also contact SuRGeoN via e-mail: surgeony/\gmail.com (replace /\ with @).

This resource is called when the navigation to a page has been canceled, it displays an error message with a link to reload the current page, however the link is not filtered before being used (successful exploitation requires the user to click on the link). The researcher also explains how the browser does not show in the URL the local resource when it is called, this design flaw can thus be combined with the XSS vulnerability to conduct very dangerous phishing attacks.

A PoC is available on the Aviv Raff’s website:
http://www.raffon.net/research/ms/ie/navcancl/cnn.html
For those who do not have Internet Explorer 7, a video is also provided:
http://raffon.net/videos/ie7navcancl.wmv

Original News #1: http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx by Aviv Raff

Original News #2: http://www.xssed.com/news/23/IE7_users_beware_of_Navigation_Canceled_errors/ by Kevin Fernandez

XSSed.com is also an attempt to spread education and awareness about XSS to IT professionals and amateurs involved or interested in secure web application development.

The project is run by Kevin Fernandez and Dimitris Pagkalos.
There are still a lot of improvements in the TODO list including the ones listed below:
-RSS feeds.
-Search filters.
-More statistics.
-Submit POST data in the submission page.
-Add public and protected informations with the submitted XSS (more details will soon be available).
-Additional informations will be published on the mirror page (for instance the use of a specific browser to reproduce the vulnerability).

Submitting XSS vulnerable websites, should not be seen as a game for getting the lead in total submissions. Nevertheless we encourage you to submit XSS vulnerable websites for the greater good of a secure web. As RSnake commented on his blog post about XSSed.com, “It’s not who finds the most, it’s about the ease of finding them, the difficulty in stopping them, the various vectors, etc…”. We seriously take in consideration such comments and suggestions for improvements by people with significant experience and expertise in the web application security field.

We call for papers and video tutorials that focus on exploiting XSS vulnerabilities and on preventing them.

Since the launch of XSSed.com, we received many notifications of high-profiled websites that got XSS’ed.

Here is a list of notable XSS’ed websites in the archive:

hushmail.com
youtube.com
members.microsoft.com
netscape.com
*.search.yahoo.com
my.screenname.aol.com
my.imageshack.us
register.go.com
cafepress.com
thawte.com
verisign.com
zonelabs.com
www4.symantec.com
domaintools.com
controlpanel.netfirms.com
2600.com
sun.com
*.globo.com – Famous portal in Brazil
*.mynet.com – Famous portal in Turkey
login.pathfinder.gr – Famous portal in Greece

plus many other “special” websites, including governmental and military…

So far we have had visitors and submitters from – in order of number of visits – Turkey, Italy, United Kingdom, United States, Brazil, France, Russia, Germany, Czech Republic and Pakistan. We would like to thank you for supporting our project.

The XSS attack vectors used on the archived websites, were from RSnake’s XSS cheat sheet.