Last night, a friend pointed out an auction on Ebay Motors that would automatically redirect you to a phishing site. It turns out the auction had a Flash movie embedded that performed the redirect. Here’s the relevant bit of the auction’s code:
I haven’t bothered obfuscating the IP address, so don’t go poking around unless you feel like you know what you’re doing. As a matter of fact, for the sake of folks using GooSweep to investigate incidents involving this guy, here’s something for the googlebots to pick up: The IP address 22.214.171.124 is hosting a handful of Ebay Motors phishing sites and Flash redirects to those sites.
The host is in Romania, and has been around at least long enough to get its phishing sites indexed by Google. Since there seems to be such a small chance of getting caught and punished for this sort of thing over there, many Romanian attackers are pretty open and carefree about their operations. I wouldn’t be surprised to find out that this box is some old PIII under the phisher’s desk.
Moving on, the Flash file itself is pretty interesting. It’s only 172 bytes, and as you can see from the screenshot above, it’s being hosted in a few different places. That may be there for failover if the hosting goes down, but I suspect it’s an attempt to throw careless investigators off track. Only the center, highlighted link to 126.96.36.199 has ever worked since this was spotted. I grabbed the SWF, and since it’s so small, my first instinct was to just take a look at it directly:
I don’t know a lot about Flash and I didn’t have any Flash-specific tools on my system, but this is pretty straightforward. To make it a bit clearer, I installed flasm (a Flash assembler and disassembler) from the Ubuntu repositories and ran it to get the following output:
Again, I don’t know much about Flash, but it’s obviously not rocket science. The attacker defines a function that calls getURL on the target, and sets up a call to it in the first frame of the “movie”. It’s trivial to modify this to redirect anywhere: just change the URL and use flasm to recompile. I tried this out, so here’s an SWF file that’ll redirect you to my blog:
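If you want the “look at it directly” step without installing flasm, the SWF format is simple enough to walk by hand: an 8-byte header (FWS or, for zlib-compressed files, CWS), a bit-packed RECT, frame rate and count, then a list of tagged records, where DoAction tags carry the AVM1 action stream. The script below is an added example written for this post, not the author’s code or the phisher’s file: it decompresses CWS if needed, walks the tags (including nested DefineSprite tag lists), and inside each action stream descends into DefineFunction bodies, which is exactly where this phisher parked the getURL. It reports every static ActionGetURL and every dynamic ActionGetURL2 with the strings last pushed onto the stack. The one-frame SWF built by make_sample_swf() is constructed here to mirror the layout described above (a function wrapping getURL, called from frame 1); the URL in it is a placeholder, not the real phishing host.

```python
"""Pull every getURL target out of an SWF without Flash-specific tooling.
Added example for this post, not the author's code; the sample SWF from
make_sample_swf() is constructed here and its URL is a placeholder."""
import struct
import sys
import zlib

END_TAG, SHOW_FRAME, DO_ACTION, DEFINE_SPRITE = 0, 1, 12, 39       # SWF tag codes
ACT_END, ACT_CALL_FUNCTION, ACT_GET_URL = 0x00, 0x3D, 0x83          # AVM1 action codes
ACT_DEFINE_FUNCTION2, ACT_PUSH, ACT_GET_URL2, ACT_DEFINE_FUNCTION = 0x8E, 0x96, 0x9A, 0x9B
PUSH_SIZES = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}  # widths of non-string push items


def _cstr(buf, pos):
    """Read a NUL-terminated string; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def _walk_actions(buf, pos, end, found, pushed):
    """Walk one action stream (a DoAction body or a function body)."""
    while pos < end:
        code, pos = buf[pos], pos + 1
        if code == ACT_END:
            return
        length = struct.unpack_from("<H", buf, pos)[0] if code >= 0x80 else 0
        pos += 2 if code >= 0x80 else 0             # only codes >= 0x80 carry a length + payload
        data_end = pos + length
        if code == ACT_GET_URL:                     # static form: URL string, then target string
            url, p = _cstr(buf, pos)
            found.append(("getURL", url, _cstr(buf, p)[0]))
        elif code == ACT_GET_URL2:                  # dynamic form: URL and target were pushed first
            found.append(("getURL2",) + tuple(pushed[-2:]))
        elif code == ACT_PUSH:                      # remember string pushes so getURL2 can be resolved
            p = pos
            while p < data_end:
                kind, p = buf[p], p + 1
                if kind == 0:
                    text, p = _cstr(buf, p)
                    pushed.append(text)
                else:                               # constant-pool refs (8/9) are skipped, not resolved
                    p += PUSH_SIZES[kind]
        elif code in (ACT_DEFINE_FUNCTION, ACT_DEFINE_FUNCTION2):
            v2 = code == ACT_DEFINE_FUNCTION2
            _, p = _cstr(buf, pos)                  # function name
            nparams = struct.unpack_from("<H", buf, p)[0]
            p += 5 if v2 else 2                     # DefineFunction2 adds RegisterCount + Flags
            for _ in range(nparams):
                _, p = _cstr(buf, p + 1 if v2 else p)   # v2 params carry a register byte
            code_size = struct.unpack_from("<H", buf, p)[0]
            # The body is NOT covered by `length`; it follows the record, so a walker that
            # only skips `length` bytes would never see a getURL hidden inside a function.
            _walk_actions(buf, data_end, data_end + code_size, found, pushed)
            data_end += code_size
        pos = data_end


def _walk_tags(buf, pos, end, found, pushed):
    while pos < end:
        hdr = struct.unpack_from("<H", buf, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                          # long form: real length in the next UI32
            length, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        if code == END_TAG:
            return
        if code == DO_ACTION:
            _walk_actions(buf, pos, pos + length, found, pushed)
        elif code == DEFINE_SPRITE:                 # SpriteID, FrameCount, then a nested tag list
            _walk_tags(buf, pos + 4, pos + length, found, pushed)
        pos += length


def swf_urls(swf):
    """Return [(action, url, target), ...] for every getURL/getURL2 in the file."""
    if swf[:3] == b"CWS":                           # zlib-compressed body; 8-byte header is clear
        swf = swf[:8] + zlib.decompress(swf[8:])
    elif swf[:3] != b"FWS":
        raise ValueError("not an SWF file")
    nbits = swf[8] >> 3                             # RECT: 5-bit Nbits + four Nbits-wide fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4          # ...then FrameRate UI16 + FrameCount UI16
    found, pushed = [], []
    _walk_tags(swf, pos, len(swf), found, pushed)
    return found


def _action(code, data=b""):
    return bytes([code]) + (struct.pack("<H", len(data)) + data if code >= 0x80 else b"")


def _tag(code, body):
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def _rect(xmin, xmax, ymin, ymax, nbits=15):
    bits = format(nbits, "05b") + "".join(format(v, f"0{nbits}b") for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def make_sample_swf(url="http://example.invalid/ebaymotors/", compressed=False):
    """Constructed one-frame SWF: function redir() { getURL(url, "_self") }  redir();"""
    body = _action(ACT_GET_URL, url.encode() + b"\x00_self\x00")
    func = _action(ACT_DEFINE_FUNCTION, b"redir\x00" + struct.pack("<HH", 0, len(body))) + body
    call = _action(ACT_PUSH, b"\x00redir\x00") + _action(ACT_CALL_FUNCTION)
    tail = _rect(0, 11000, 0, 8000) + struct.pack("<HH", 12 << 8, 1)    # 12 fps, 1 frame
    tail += _tag(DO_ACTION, func + call + _action(ACT_END)) + _tag(SHOW_FRAME, b"") + _tag(END_TAG, b"")
    if compressed:
        return b"CWS\x06" + struct.pack("<I", 8 + len(tail)) + zlib.compress(tail)
    return b"FWS\x05" + struct.pack("<I", 8 + len(tail)) + tail


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_swf()
    for hit in swf_urls(data):
        print(hit)
```

Run it with a path to a captured SWF to list the URLs, or with no arguments to walk the constructed sample. Two caveats worth knowing when you point it at something real: a push that references a ConstantPool entry (types 8 and 9) is skipped rather than resolved, so a getURL2 that takes its URL from the pool will show stale or missing strings, and a redirect that builds its URL by string concatenation at runtime will not appear as a literal at all. For anything beyond a static getURL, flasm’s disassembly is still the reference.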
This is a bad situation for sites like Ebay, whose users demand the ability to embed Flash content (image galleries, animations, and so on). It’s easy enough for them to filter redirects and XSS out of the auction’s own HTML, but much harder to control what goes on inside Flash objects pulled in from other servers. It’s also difficult for Adobe to fix this in Flash itself, since I would think that many legitimate sites use getURL to hop around. I imagine a solution would require sites to publish policies on what functionality is allowed and disallowed, and the Flash player to parse and honor those policies.