[WASC-WHID] WHID 2011-89: China Implicated In Hacking Of SMB Online Bank Accounts

WASC Web Hacking Incidents Database wasc-whid at lists.webappsec.org
Wed Apr 27 09:17:08 EDT 2011

Just wanted to send a quick note to the list to highlight some challenges we
face with regards to proper classification (Attack Method, Application
Weakness and Outcome) of incidents.  The DabbleDB we are using for tracking
WHID entries doesn't seem to be able to allow for multiple selections of
categories.  Well, technically it can, but the reporting on this data is
poor.  This is challenging due to the fact that many incidents have
components that fit into multiple areas.  For example, with regards to
Banking Trojans and the underlying Application Weakness, we have two
distinct attack scenarios -
1. When a banking trojan steals a victim's login credentials and then the
criminal uses that data to log into the application themselves to transfer
funds.  In this scenario I label the App Weakness as Insufficient
Authentication as usually these sites are not using Two-Factor auth which
allows a criminal to login with only username/password data stolen by the
Banking Trojan.
2. When a banking trojan passively waits for a victim to login and then
submits a transfer request while piggy-backing on the existing transaction,
however, the App Weakness seems to be more Insufficient Process
Validation, as the transfer request usually does not follow the proper
process flow and should be identified by the banking app as suspicious.
Anyways, I just wanted to point out this issue to you all.  I will continue
to work on the DabbleDB schema to see if we can get multiple categories to
be able to be assigned.


From:  WASC Web Hacking Incidents Database <wasc-whid at lists.webappsec.org>
Reply-To:  <wasc-whid at lists.webappsec.org>
Date:  Wed, 27 Apr 2011 09:04:49 -0400
To:  <wasc-whid at lists.webappsec.org>
Subject:  [WASC-WHID] WHID 2011-89: China Implicated In Hacking Of SMB Online Bank Accounts

> Entry Title: WHID 2011-89: China Implicated In Hacking Of SMB Online Bank Accounts
> WHID ID: 2011-89
> Date Occurred: April 26, 2011
> Attack Method: Banking Trojan
> Application Weakness: Insufficient Authentication
> Outcome: Monetary Loss
> Attacked Entity Field: Finance
> Attacked Entity Geography:
> Incident Description: This time it wasn't an "advanced persistent threat" that
> China was associated with: a fraud alert issued by the FBI today implicates
> China in a cybercrime operation that bilked U.S.-based small- to midsize
> businesses of $11 million over the past year.
> Mass Attack: Yes
> Number of Sites Affected: 20
> Reference: http://www.informationweek.com/news/security/vulnerabilities/229402300
> Attack Source Geography: China
> Additional Link: http://www.ic3.gov/media/2011/ChinaWireTransferFraudAlert.pdf
> _______________________________________________
> The Web Hacking Incidents Database Project
> http://projects.webappsec.org/Web-Hacking-Incident-Database
> wasc-whid mailing list wasc-whid at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/wasc-whid_lists.webappsec.org
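The second scenario in the post above, a trojan riding an authenticated session and posting a transfer that never went through the application's own form, is what a server-side process-flow check is meant to catch. The sketch below is an added illustration of that check and is not code from the WHID project or from the mailing list: the endpoint names, the four-step flow, the session model and the request sequences are all constructed assumptions. It tracks which step of the transfer flow a session has legitimately reached, rejects a request that skips ahead, and binds the final submit to a one-time token issued when the form was rendered.

```python
"""Server-side process-flow validation for an online-banking transfer.

Illustration of the "Insufficient Process Validation" weakness discussed in
the WHID post; not code from the WHID project.  Endpoint names, the flow
order, the session model and the sample request sequences are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import secrets

# The order a browser necessarily walks through for a transfer (assumption).
FLOW = ["login", "accounts", "transfer_form", "transfer_submit"]

# Marker meaning "the client copied the token from the rendered form page".
FROM_PAGE = "<token copied from the form page>"


@dataclass
class Session:
    step: int = -1                       # index into FLOW of the furthest accepted step
    form_token: Optional[str] = None     # one-time token issued with transfer_form
    flags: List[str] = field(default_factory=list)


def handle(session: Session, endpoint: str, params: Dict[str, str]) -> bool:
    """Accept or reject one request against the session's flow state."""
    if endpoint not in FLOW:
        session.flags.append(f"unknown endpoint {endpoint}")
        return False
    expected = session.step + 1
    actual = FLOW.index(endpoint)
    # Revisiting an earlier step is normal browsing; jumping ahead is not.
    if actual > expected:
        session.flags.append(f"{endpoint} skipped {FLOW[expected]}")
        return False
    if endpoint == "transfer_form":
        # Token is minted only when the form is actually served.
        session.form_token = secrets.token_hex(16)
    if endpoint == "transfer_submit":
        token = params.get("form_token")
        if (not token or session.form_token is None
                or not secrets.compare_digest(token, session.form_token)):
            session.flags.append("transfer_submit reused or lacked the one-time form token")
            return False
        session.form_token = None        # one-time use
    session.step = max(session.step, actual)
    return True


def replay(requests: List[Tuple[str, Dict[str, str]]]) -> Session:
    """Drive a fresh session through a request sequence, simulating a client
    that reads the token from the most recently served form page."""
    s = Session()
    last_seen = ""
    for endpoint, params in requests:
        p = dict(params)
        if p.get("form_token") == FROM_PAGE:
            p["form_token"] = last_seen
        handle(s, endpoint, p)
        if endpoint == "transfer_form" and s.form_token:
            last_seen = s.form_token
    return s


# Constructed sample: a human user walking the flow in order.
LEGIT = [("login", {}), ("accounts", {}), ("transfer_form", {}),
         ("transfer_submit", {"to": "12345", "amount": "500", "form_token": FROM_PAGE})]

# Constructed sample: a transfer posted straight into the authenticated
# session without the form ever having been served.
PIGGYBACK = [("login", {}), ("accounts", {}),
             ("transfer_submit", {"to": "99999", "amount": "9800"})]

# Constructed sample: a second submit that reuses the already-spent token.
REPLAY = LEGIT + [("transfer_submit", {"to": "99999", "amount": "9800",
                                       "form_token": FROM_PAGE})]

if __name__ == "__main__":
    for name, seq in [("legit", LEGIT), ("piggyback", PIGGYBACK), ("replay", REPLAY)]:
        print(name, replay(seq).flags)
```

The sequence check and the one-time token make a submit that bypasses the form stand out as suspicious, which is the classification point the post makes. The check is deliberately narrow: a trojan running inside the victim's browser can walk the same steps a human does, so flow validation complements, rather than replaces, the second factor the post names under the first scenario.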
