“Equal Opportunity” Business Logic Exploits
There was a phishing attack against iStockPhoto a few weeks ago. A phishing attack against a new brand isn’t interesting in and of itself. What is interesting about this particular attack is that it wasn’t clear why the phishers were specifically targeting iStockPhoto.
Before we get into the various speculations and the actual reason, let’s talk a bit about what happened. The phishers used the same type of attack that they use on social network sites. They posted messages with links to the forums and through iStockPhoto’s internal messaging system. These messages had links in them that took you to fake iStockPhoto sign-in pages. iStockPhoto took the entire website down for several hours while they cleaned up the mess on their forums and in their internal email systems. Add to that the bad press they are getting, and their brand is probably suffering a bit right now.
This type of attack is perpetrated daily on the social network sites, but the results on iStockPhoto were a bit different.
There were several hypotheses about why the phishers would try to steal iStockPhoto passwords. Most of the theories I saw thought the phishers were using the credits in the iStockPhoto accounts to buy photos. Hmmm. Not sure why they would do that. To make their phishing emails look better? Phishing is all about marketing, but I’m not sure the phishers would go to those lengths when they can just copy a very well crafted email from a well known brand.
I had a different, and equally incorrect, hypothesis. My hypothesis was that the userID for an iStockPhoto account is an email address. Once you have someone’s email address and password to one account, there are lots of opportunities for badness. Since many online services use an email address as the userID and many people use the same password for all of their online accounts, you could do damage on a lot of websites with someone’s email address and password. And imagine tricking someone into giving up their email address and password on iStockPhoto. It would probably be a lot easier than tricking them into giving up their password to their bank account. Their suspicion level would likely be fairly low when it comes to an iStockPhoto sign-in page. And then you could go try that email address/password combination all over the internet! But, alas, I was wrong.
I read a post today from one of the victims that said their credit card was charged for more than $1500 following the incident. Is it possible iStockPhoto showed a user’s credit card details in the clear if you went to that user’s account page? If they used to do so, they probably don’t show that information anymore.
If the phishers were going to the page that showed credit card information for users, this is a clear cut example of business logic abuse. There are lots of reasons to want to show the user which credit card they have on file (though you don’t need to show them the entire number). iStockPhoto needs that functionality as part of their business model. And yet, the phishers were able to exploit it for their evil ways.
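The point above (show the customer which card is on file, but never the whole number) is easy to get wrong on an account page. The following is an added example, not iStockPhoto’s code: it assumes a server-side card record with a `pan` field and shows the masking step plus a simple check that a rendered page body does not contain the full number. The sample card number is the well-known Visa test number, not real data.

```python
"""Masking a card-on-file for display on an account page (added example).

Assumes the full PAN is available only server-side; the account page
should receive nothing beyond what card_summary() returns.
"""
import re

SEPARATORS = re.compile(r"[\s-]")


def mask_pan(pan: str, visible: int = 4) -> str:
    """Return the PAN with every digit but the last `visible` replaced by '*'.

    Spaces and dashes are stripped first. Anything that is not 12-19 digits
    is rejected outright rather than partially masked, so a malformed value
    can never slip through as "mostly hidden".
    """
    digits = SEPARATORS.sub("", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - visible) + digits[-visible:]


def card_summary(record: dict) -> dict:
    """Build the only card fields an account page should ever be given.

    The full PAN deliberately does not appear in the returned dict.
    """
    masked = mask_pan(record["pan"])
    return {
        "brand": record["brand"],
        "last4": masked[-4:],
        "masked": masked,
        "expiry": record["expiry"],
    }


def leaks_full_pan(rendered: str, record: dict) -> bool:
    """True if a rendered page body contains the full PAN in any spacing.

    Useful as a regression check on templates: compare with separators
    removed so '4111 1111 ...' and '4111-1111-...' are both caught.
    """
    digits = SEPARATORS.sub("", record["pan"])
    body = SEPARATORS.sub("", rendered)
    return digits in body


if __name__ == "__main__":
    # Constructed sample record using the standard Visa test number.
    card = {"brand": "Visa", "pan": "4111 1111 1111 1111", "expiry": "12/11"}
    summary = card_summary(card)
    page = f"Card on file: {summary['brand']} {summary['masked']} exp {summary['expiry']}"
    print(page)                           # ************1111, never the full number
    print(leaks_full_pan(page, card))     # False
```

The `leaks_full_pan` check is the kind of thing worth running against every template that touches payment data: the masking function itself is trivial, but the mistake the post describes is a page that bypasses it.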
I see two takeaways from this incident. First, the phishers are continuing to abuse legitimate business logic to perpetrate their crimes. Second, the phishers are truly becoming “equal opportunity” bad guys. No longer are they targeting only the well known brands when they can make their money off of the smaller, less popular brands. The small and medium sized brands out there better get ready – the internet bad guys are coming after you too!
2 Comments
Criminals like this are the lowest of the low. Is there anywhere safe these days for your credit card? I shudder to think how it will be in the future.
Woah…Thank you for sharing the information. Someone has to stop those phishers.