This is a short post to streamline opening accounts on sina.com, a free Chinese webmail provider. Why would you want an account on Sina? Well, I use it for counter-spam/phishing/counter-phishing operations, or simply as a recurring disposable email account when services like 10 Minute Mail or Mailinator are blocked, or should I need something less public. Obviously, no sensitive information should ever pass through an account on this service.
Opening an Account
Browse to Sina.com to reach the main login page, where you can also register. To register an account, click the second button, ‘注册’ (Register), as shown in figure 1.
The registration page should appear. Very little information is needed and no mobile phone number verification is required; all you need is a username and a password. If you ever need more details, you can generate a complete persona with the FakeIdentityGenerator. For this account, I generated a persona called ‘Mulan Fu’ by selecting Chinese names. Let’s see if Disney sues for using the name ‘Mulan’. Fill in the form with your email prefix, a password and the captcha, then click the blue button.
You may be brought directly to your new inbox. Otherwise, log in, making sure the ‘SSL’ option is selected, enter your email address and password and click the blue button (figure 3).
You finally reach your inbox, which is organized like any other webmail service (figure 4). The ‘New Email’ button is in the top left corner and reads ‘写信’ (Compose). To open your inbox, click the first item in the folder list on the left (‘收件夹’, Inbox). To consult sent email, use the fourth item from the top in the folder list (‘已发送’, Sent).
Composing a New Email
To write a new email, click the button described in the previous paragraph (see figure 4). The first time you compose an email, you will be prompted to create a signature (figure 5); enter whatever you want and save it. The composing interface should look familiar (figure 6). Attachments of up to 50 MB are allowed.
Click the first button above the email, the one with the paper plane (‘发送’, Send), to send it.
Obviously, there are many other features. Most of them are similar to any other webmail service on the Internet. One advantage of this particular service is that, unlike Google or Outlook, it asks for very little information and doesn’t require mobile phone verification. Also, unlike temporary email services, it’s ‘private’, or at least less public, and permanent. Finally, since Sina.com is a legitimate service that is not well known in the Western world, it can be used with most online services without raising much suspicion, which makes it well suited to social engineering operations. There are other similar services around the world, with various levels of intrusiveness when it comes to registration.
A variant of the DNSChanger worm is reported to hijack the DNS settings of other machines on the same network, according to a well-explained article from The Register. The attack is quite interesting, though far from new, mind you.
The first strains of the DNSChanger worm infected Windows and Mac machines. They modified the OS network settings by changing the primary and secondary DNS addresses in the “Internet Protocol” properties of the network adapter. They also edited the HOSTS file to map specific domains to malicious IP addresses. This time, the variants try to bypass the DNS addresses handed out by the ADSL modems of home networks. Here are the mechanics of the attack:
First, one needs to set up a fake website by mirroring a legitimate one. The sites usually copied are banks, MMORPGs, online retailers or social networks. Multiple tools are available on the net to download entire websites page by page. Once the attacker has a copy of the website, it must be uploaded to an illegitimate web server: free hosting offered by various providers, a criminal hosting company, or a server the attacker sets up with open source software such as Apache.
Up to this point, the attacker has a web server hosting a copy of a legitimate website, but it has two major flaws. Anyone navigating to this website would see that:
1) The address bar shows either a bare IP address or a look-alike hostname. For example, after clicking a link supposedly leading to the Royal Bank of Canada, the browser's address bar could display something like http://18.104.22.168 or http://rbcbank.dyndns.org instead of http://www.rbc.com.
2) The communication is unencrypted (in browsers of the time, the address bar stays white instead of turning yellow for an SSL site).
An attacker will usually not bother encrypting the traffic: the fake site is the attacker's own, so the username and password are read straight off it, and no certificate for the bank's real domain can be obtained, so an HTTPS version would only produce browser warnings. The first problem, however, can be solved by “poisoning” a DNS server. DNS servers hold tables that map domain names to IP addresses (for example, www.rbc.com to the bank's real address).
An attacker can set up a DNS server, or compromise one by exploiting a vulnerability, and change those tables so that a name resolves to another IP address, most of the time that of the fake website.
With this type of attack, the victim doesn’t have to click a fake link or be persuaded to type a fake address; typing the legitimate domain is enough for the malicious site to be returned. Here is a schema of the usual way to surf the net:
As you may have guessed, this is a typical phishing attack, and it is basically how the DNSChanger worm works.
Once installed on a machine, the worm installs NDISProt, a driver for reading and sending raw Ethernet frames. It does so by creating the legitimate %System%\drivers\ndisprot.sys file and the following registry entries:
With this, the worm fakes a DHCP server on UDP ports 67 and 68 and listens for the DHCP DISCOVER requests sent by computers that need an IP address to join the network. When it catches one, it replies with a fake DHCP OFFER containing the addresses of the poisoned DNS servers.
This is the tricky part for the worm: it has to answer faster than the real DHCP server. Otherwise the victim receives the legitimate addresses, and the worm must wait for the lease to expire before the client sends another request. So I guess it would be smart for the worm to set a very long lease period so that the client doesn't make too many requests…
If the client accepts the crafted DHCP OFFER, all its DNS queries go to the poisoned DNS servers. In the example above, those servers are 22.214.171.124 and 126.96.36.199. They intercept requests for banks and other sites the DNSChanger authors configured on them and return the fake site, where the passwords entered by the victim are stolen.
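The rogue OFFER described above, as an added example that is not part of the original post: a builder for a minimal DHCP OFFER carrying DNS servers in option 6, the option parser a detector needs, and a check that flags an offer whose resolvers are not the trusted one or whose lease is implausibly long (the worm's likely trick). The trusted resolver 192.168.1.1, the lease policy and the sample packets are constructed; the two rogue resolver addresses are the ones quoted in the post.

```python
import socket
import struct

# Constructed example: on this LAN the legitimate DHCP server is 192.168.1.1 and
# hands out itself as the only resolver. Anything else in option 6 is rogue.
TRUSTED_DNS = {"192.168.1.1"}
MAX_LEASE_SECS = 7 * 86400          # assumed site policy: flag leases longer than a week

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 options magic cookie, at offset 236
DHCP_OFFER = 2


def build_offer(xid, client_mac, your_ip, server_ip, dns_servers, lease_secs):
    """Build a minimal DHCP OFFER (BOOTREPLY) with DNS servers in option 6.

    This is the packet a rogue server must emit before the real one answers.
    """
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                   # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        xid, 0, 0,                    # xid copied from the DISCOVER, secs, flags
        b"\0" * 4,                    # ciaddr
        socket.inet_aton(your_ip),    # yiaddr: address offered to the client
        socket.inet_aton(server_ip),  # siaddr
        b"\0" * 4,                    # giaddr
        client_mac,                   # chaddr (struct pads it to 16 bytes)
        b"\0" * 64, b"\0" * 128,      # sname, file
    )
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, DHCP_OFFER])                       # option 53: message type
    opts += bytes([54, 4]) + socket.inet_aton(server_ip)     # option 54: server identifier
    opts += bytes([51, 4]) + struct.pack("!I", lease_secs)   # option 51: lease time
    dns = b"".join(socket.inet_aton(d) for d in dns_servers)
    opts += bytes([6, len(dns)]) + dns                       # option 6: DNS servers
    opts += b"\xff"                                          # end option
    return fixed + opts


def parse_options(pkt):
    """Return {code: value} for the options of a DHCP packet (pad and end handled)."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:          # pad option, no length byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dns_servers(opts):
    raw = opts.get(6, b"")
    return [socket.inet_ntoa(raw[k:k + 4]) for k in range(0, len(raw), 4)]


def lease_seconds(opts):
    raw = opts.get(51)
    return struct.unpack("!I", raw)[0] if raw else None


def inspect_offer(pkt, trusted_dns=TRUSTED_DNS, max_lease=MAX_LEASE_SECS):
    """Return the reasons an OFFER looks rogue; an empty list means it is clean."""
    opts = parse_options(pkt)
    if opts.get(53) != bytes([DHCP_OFFER]):
        return []              # only OFFERs carry the settings we care about
    reasons = []
    bad = [d for d in dns_servers(opts) if d not in trusted_dns]
    if bad:
        reasons.append("untrusted DNS servers: " + ", ".join(bad))
    lease = lease_seconds(opts)
    if lease is not None and lease > max_lease:
        reasons.append("suspiciously long lease: %d s" % lease)
    return reasons


if __name__ == "__main__":
    mac = bytes.fromhex("aabbccddeeff")   # constructed client MAC
    legit = build_offer(0x1234, mac, "192.168.1.50", "192.168.1.1", ["192.168.1.1"], 86400)
    rogue = build_offer(0x1234, mac, "192.168.1.50", "192.168.1.1",
                        ["22.214.171.124", "126.96.36.199"], 365 * 86400)
    print("legit:", inspect_offer(legit) or "clean")
    print("rogue:", inspect_offer(rogue))
```

In a real deployment the packets come off a raw or UDP socket bound to port 68 (the worm uses NDISProt for exactly this), and the thing to alert on is an OFFER whose option 54 server identifier or option 6 resolvers differ from the ones your DHCP server is known to hand out.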
Update: Apparently, the users whose domains were hijacked were hit by phishing attacks instead of the vulnerability described below. Google denies this vulnerability and says the bug was fixed last year. I was, however, still able to create the filter by forming the URL described when I didn’t sign off correctly (by clicking the Sign Off link). More testing is needed…
Various reports describe a new (but somewhat old) exploit used to hijack GoDaddy domains. This exploit can, however, be used to retrieve any password from service providers with which the victim registered using a Gmail account.
The basic idea is to create a filter on the victim’s account that redirects e-mails from various service providers to another e-mail account. The attacker then uses the providers’ “I forgot my password” option to have the password sent to the victim’s address. That email is matched by the filter and forwarded to the attacker's account without the victim’s knowledge.
Step 1: Creating the filter
Note: The following describes, in theory only, how to retrieve the information from the victim. I have not tested any of the following methods. If you have more information, please share it with the community by leaving a comment.
For that we need to craft the HTTP address that Google Mail uses to create the filter. This is the core of the exploit: creating the filter without the user’s username and password. We still need two pieces of information from the victim, though: the Unique Account Identifier (UAID) and the Session Authorization Key.
a) Getting the Unique Account Identifier
Getting the UAID is not easy… unless your victim has a website with Google AdSense. If so, open their website, view the page source, locate the AdSense HTML and look for the ‘google_ad_client’ line:
The large number after “pub-” is the user’s Unique Account Identifier, but in plain form: if you use this number in the crafted address, it won’t work. More information is needed to form the “header” format required.
Now, most users don’t have a website, and even fewer use AdSense. Another way would be to exploit a small library called libgmailer, which stores the identifier in a cookie in order to resume a session:
In that case, it comes down to stealing the information from the cookie stored by libgmailer. This is a generic technique, explained in the second section of this article.
Other ways to get the identifier would be to look at libraries and software that interface with Gmail. If I had more time, I would gladly look into their source code, as it would probably tell us a lot about how they get this key from Gmail. If you have any suggestion or observation, or know how to get the Unique Account Identifier, please leave a comment so we can share the information. For those interested in looking, try Google Code or Google Code Search for open source software for Gmail.
b) Getting the Session Authorization Key
This information is contained in the victim’s cookie named GMAIL_AT:
There are many ways to get that information. Of course, if you have direct access to the victim’s computer, just fetch a copy of the cookies, which are located at:
Internet Explorer: C:\Documents and Settings\<Windows login/user name>\Local Settings\Temporary Internet Files\Cookie.*
Firefox: C:\Documents and Settings\<Windows login/user name>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\Cookies.txt
```php
// Error messages returned by the cookie saver when the key cannot be stored
echo "Could not open 'keys.txt' for writing";
echo "Specified key is empty or 'keys.txt' is not writable";
```
This script is saved as a PHP file and put online on a free host that supports PHP. Our cookie saver is now reachable at some address, for example: http://www.angelfire.com/someuser/cookie.php
This code changes the IFRAME source to point to our cookie saver, passing along the value of the GMAIL_AT cookie stored on the user’s computer. Note that document.cookie is only readable by script running on a page of the cookie’s own domain (the same-origin policy), and not at all when the cookie is flagged HttpOnly. If you now look at the ‘keys.txt’ file on your account, you should have a new Session Authorization Key.
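The other route the post gives for the session key is the cookies.txt file copied from the victim's Firefox profile. As an added example (not code from the original post), here is a parser for that Netscape/Mozilla cookies.txt format that pulls a named cookie out for a given host and reports whether script could have read it. The sample file is constructed; the GMAIL_AT value is the illustrative one the post uses later, the SID cookie and its value are made up, and the "#HttpOnly_" prefix is the convention curl and wget use to mark HttpOnly cookies in this format (the Firefox of the time did not mark it, which the parser tolerates).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool   # the TRUE/FALSE flag in the second column
    path: str
    secure: bool
    expires: int               # Unix time; 0 means a session cookie
    name: str
    value: str
    http_only: bool            # from the "#HttpOnly_" line prefix (curl/wget convention)


def parse_cookies_txt(text: str) -> List[Cookie]:
    """Parse Netscape/Mozilla cookies.txt: one tab-separated cookie per line,
    seven columns: domain, flag, path, secure, expires, name, value."""
    cookies = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        http_only = False
        if line.startswith("#HttpOnly_"):
            http_only = True
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue                       # blank line or comment
        fields = line.split("\t")
        if len(fields) != 7:
            continue                       # malformed line: skip rather than guess
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, flag.upper() == "TRUE", path,
                              secure.upper() == "TRUE", int(expires),
                              name, value, http_only))
    return cookies


def cookie_applies(c: Cookie, host: str) -> bool:
    """Exact host match, or a subdomain match when the cookie is a domain cookie
    (leading dot or TRUE flag)."""
    d = c.domain.lstrip(".")
    if host == d:
        return True
    return (c.include_subdomains or c.domain.startswith(".")) and host.endswith("." + d)


def find_cookie(cookies: List[Cookie], host: str, name: str) -> Optional[Cookie]:
    for c in cookies:
        if c.name == name and cookie_applies(c, host):
            return c
    return None


def script_readable(c: Cookie) -> bool:
    """Whether document.cookie on a page of the cookie's domain would expose it."""
    return not c.http_only


# Constructed sample file; no real captured values.
SAMPLE = """# Netscape HTTP Cookie File
# constructed sample, not a real capture
.google.com\tTRUE\t/\tFALSE\t2147483647\tPREF\tID=deadbeef
mail.google.com\tFALSE\t/mail\tTRUE\t0\tGMAIL_AT\t909a71ce538b366d-ffe3455bd0
#HttpOnly_mail.google.com\tFALSE\t/\tTRUE\t0\tSID\tconstructed-session-value
"""


if __name__ == "__main__":
    cookies = parse_cookies_txt(SAMPLE)
    at = find_cookie(cookies, "mail.google.com", "GMAIL_AT")
    print("GMAIL_AT =", at.value if at else None,
          "(script readable)" if at and script_readable(at) else "(HttpOnly)")
```

The point of the `script_readable` check is the defensive one: a token that only needs to be sent back in requests can be marked HttpOnly, which removes the in-page cookie-stealing route entirely and leaves an attacker with the file-copy route, which requires access to the machine.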
Once you have all the information, the only thing left is to craft the HTTP address that we send directly to Google. This address is the URL Google uses to create the filter.
Here ik is the parameter carrying the Unique Account Identifier from step 1a and at the parameter carrying the Session Authorization Key from step 1b; the at value is the token that ties the request to the logged-in session, which is exactly why the exploit needs it. cf1_from is the email address you wish to intercept and cf2_email is the address to which messages from cf1_from are redirected. Once the address is crafted, just paste it into your browser and the filter will be created. Example:
Once the filters are in place, the easy part begins. Visit the providers from which you want to steal passwords and use the “I forgot my password” feature most of them offer. The email sent by the provider’s support is then redirected to the address you specified in step 1. Social networking sites can help you find which services the victim is registered with.
Let’s try it with a MySpace account. Imagine we already have the Unique Account Identifier (a2j3e44rt56) and the Session Authorization Key (909a71ce538b366d-ffe3455bd0). We want to intercept messages from MySpace (“@message.myspace.com”) and redirect them to our account, so our link will be: