Can You Trust That Web Site?

Trust is hard to come by. When you get a phone call and the caller asks for personal information, it would be better for you to call them back at a telephone number you independently obtain. For example, they say they’re from your bank; call your bank and ask for them.

What can you do with web sites? The role of certificates is to allow you to trust that which is certified; a web site, for example. In the absence of a certificate or if you are convinced a certificate is insufficient, what else can you do?

Picture this: A link on a job board which offers a job with the DEA takes you to www.avuedigitalservices.com/ dea/ applicant.html (spaces inserted to prevent accidental reference). That seems odd. It isn’t in the GOV top-level domain (TLD). It appears to be a job application, asking for personal details, appearing to be associated with government agencies. Is this a phishing attack, collecting information, ready to steal your identity, clean out your bank account?

There’s no certificate to verify.

The WHOIS command is a quick way to see if you might want to trust a web site. If they register anonymously, if they don’t want to tell you who they are, then don’t trust them. If their web page has no contact information, then don’t trust them. Don’t trust posted contact information to be accurate, but an absence of contact information is a good reason not to trust them.

WHOIS avuedigitalservices.com indicates that the name has existed for ten years. That’s the first good sign we’ve had. Then we learn that the domain’s owner owns 238 other domains. This is looking awfully suspicious.
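As an added illustration (not part of the original post), here is a Python snippet that applies the two WHOIS heuristics just described, the age of the registration and whether the registrant is hidden, to WHOIS text. The record embedded in it is constructed for the example and is not the real record of avuedigitalservices.com or any other domain; in practice you would feed it the output of the whois command.

```python
from datetime import date, datetime

# Constructed WHOIS record for illustration; it is not the real record of any domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-JOBS.COM
Registrar: Example Registrar, Inc.
Creation Date: 2000-05-17T04:00:00Z
Updated Date: 2009-11-02T13:21:45Z
Registry Expiry Date: 2011-05-17T04:00:00Z
Registrant Name: Domains By Proxy, LLC
Registrant Organization: Domains By Proxy, LLC
Registrant Email: example-jobs.com@domainsbyproxy.example
Name Server: NS1.EXAMPLE-HOST.NET
"""

# Words that commonly appear in the registrant fields of privacy/proxy registrations.
PRIVACY_MARKERS = ("by proxy", "privacy", "whoisguard", "private registration", "redacted")

def parse_whois(text):
    """Map each 'Key: value' line to a dict (the first occurrence of a key wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key and value and key not in fields:
            fields[key] = value
    return fields

def _to_date(value):
    """Accept a date/datetime or an ISO string such as '2000-05-17T04:00:00Z'."""
    if isinstance(value, datetime):
        return value.date()
    if isinstance(value, date):
        return value
    return datetime.strptime(value[:10], "%Y-%m-%d").date()

def domain_age_years(fields, today):
    """Whole years since the creation date, or None when the record has no such field."""
    raw = fields.get("creation date") or fields.get("created")
    if raw is None:
        return None
    return (_to_date(today) - _to_date(raw)).days // 365

def is_anonymous_registration(fields):
    """True when the registrant name/organization looks like a privacy or proxy service."""
    registrant = " ".join(
        fields.get(k, "") for k in ("registrant name", "registrant organization")
    ).lower()
    return any(marker in registrant for marker in PRIVACY_MARKERS)

def assess(text, today):
    """Summarise the record: age in years, whether the registrant is hidden, and reasons for distrust."""
    fields = parse_whois(text)
    age = domain_age_years(fields, today)
    anonymous = is_anonymous_registration(fields)
    reasons = []
    if age is None:
        reasons.append("no creation date in record")
    elif age < 1:
        reasons.append("registered less than a year ago")
    if anonymous:
        reasons.append("registrant hidden behind a privacy/proxy service")
    return {"age_years": age, "anonymous": anonymous, "reasons": reasons}

if __name__ == "__main__":
    print(assess(SAMPLE_WHOIS, "2010-03-03"))
```

A long-lived registration is the "first good sign" the post mentions, and a proxy registrant is the "they don’t want to tell you who they are" case; neither heuristic settles the question on its own, which is the post's point.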

Change the way you look at the question. Find the DEA’s web site. Find their Careers page. Search for the job. Finding a job of the same description as the one advertised should tell you nothing, since a phishing attack will typically lift text and images from a legitimate web site. You learn that the Justice Department posted jobs through USAJOBS.GOV. You should be convinced you’ve found a scam … except that USAJOBS.GOV sends you to avuedigitalservices.com.

This won’t be simple, will it?

Rule of thumb: If they market through fear, uncertainty and doubt (FUD), don’t trust them. Social engineering is at work. They may be correct, but shared mistrust should not be confused with trust.

What do you want to know?

  • Are they hosting malware?
  • Are they collecting money but providing no product or service?
  • Are they collecting personal information?
  • Are they who they say they are?

You may be able to determine if they have been hosting malware. This is a useful first step. If you suspect that the web site is a scam, use other approaches (such as ScamBusters).

Try one of these sites to learn the reputation of the destination domain. Substitute the domain you are interested in learning about for “example.com”.

  • http://www.alexa.com/siteinfo/example.com
  • http://www.robtex.com/dns/example.com#result

A simple, free resource is hpHosts. It aggregates many information sources to discover if any of them know that the web site cannot be trusted.

  1. Google Diagnostic (malware hosting only)
  2. Perform vURL lookup
  3. Malware Domain List Report
  4. MalwareURL Report
  5. RobTex Report
  6. (McAfee) SiteAdvisor Report
  7. (McAfee) Trusted Source Report
  8. Web of Trust Report

The following message from hpHOSTS should not influence your decision to trust the website or ISP. Consult the IP reverse DNS feature of robtex.com or the Domain Dossier feature of CentralOps.net as a convenient mechanism to review DNS records.

WARNING: The IP PTR associated with this record, does not resolve. This is considered very bad practice and contravines (sic) the RFC Standards. Most legit ISP’s will have their PTR’s resolve to an IP.

Not included within hpHosts references:

Site inspected: www.everestengineering.co.in

Google SafeBrowsing: Of the 6 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-03-03 (today), and the last time suspicious content was found on this site was on 2010-03-03 (today). Malicious software includes 5 exploit(s), 1 trojan(s). This site has hosted malicious software over the past 90 days. It infected 7 domain(s), including depiranhas.nl/, breakingthematrixmind.com/, bigmountain.cc/.
Clean-MX: Nothing reported. Two weeks later, nothing reported.
Trend Micro’s SecureCloud: untested (check again soon). Later: Disease_Vector, known to be malicious.
AVG Online Web Page Scanner: OK.
Finjan URL Scanner: “legitimate”, and offers to review it. Submit name and email.
F-Secure: This site is unknown. We will provide a recommendation of this web site soon. Two weeks later: still unknown.
KNOWNSEC: Unknown. Check again later. Two weeks later: still unknown.
Norton Safe Web: Untested. Two weeks later: still untested.
ParetoLogic URL Clearing House: Unreported. Would you like to report it?
PhishTank: Unreported. Would you like to report it?
Malware Domain List: Unreported. Would you like to report it?
McAfee Site Advisor: Unknown. Check again later. Later: Unknown.
McAfee TrustedSource: Reputation is unverified. Two weeks later reputation remains unverified.
Trend Micro Web Reputation: This URL is currently listed as malicious.
Unmask Parasites: Link to matrixsoftech.com/blog/missing.php is suspicious. Google lists www.everestengineering.co.in as suspicious.
URL Blacklist: Not found on any blacklists.
URIBL: Not listed in URIBL.
vURL: Draws attention to the line
    // <![CDATA[ src=http://matrixsoftech.com/blog/missing.php > // ]]>
Web of Trust: Unrated. Two weeks later remains unrated.
Wepawet: Waiting to be processed… (analysis finished 3.5 days later)

  • We never found it to be benign.
  • The last time we found it to be suspicious was at 2010-03-03 17:20:18.
  • We never found it to be malicious.

Potential malware identified.

jsunpack: Identified suspicious Javascript in matrixsoftech.com/blog/missing.php?s=nGrKsp2&id=

Security is transient. Each of these resources may have reviewed the web site and found it to be trustworthy one day only for it to be changed into an untrustworthy site the next day.

April 9, 2010: WordPress sites hacked. See WordPress support and Sucuri Security. Symptom: in the “wp_options” table, the “siteurl” setting is changed to “http://networkads.net/grep/”.

(2, 0, 'siteurl', 'http://networkads.net/grep/', 'yes'),
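A detection check for this symptom, added here and not taken from the original post, WordPress support or Sucuri: scan a wp_options dump for the siteurl and home rows and flag any whose host is not one the site legitimately uses. The dump lines are constructed to match the shape of the row quoted above; the blog name, hosts and option ids are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of a wp_options dump, shaped like the row quoted above.
# Row 2 carries the symptom described in the post; the other rows are ordinary.
SAMPLE_DUMP = """\
INSERT INTO `wp_options` VALUES
(1, 0, 'blogname', 'My Blog', 'yes'),
(2, 0, 'siteurl', 'http://networkads.net/grep/', 'yes'),
(3, 0, 'home', 'http://www.example-blog.com', 'yes'),
(4, 0, 'admin_email', 'admin@example-blog.com', 'yes');
"""

# One tuple of the INSERT: (option_id, blog_id, 'option_name', 'option_value', 'autoload')
ROW_RE = re.compile(r"\(\s*\d+,\s*\d+,\s*'([^']*)',\s*'([^']*)',\s*'(?:yes|no)'\s*\)")

# Options whose value is the base URL the whole site is built from; if either is
# changed, every page and script reference on the blog follows it.
URL_OPTIONS = ("siteurl", "home")

def extract_url_options(dump_text):
    """Return {option_name: value} for the URL-bearing options found in the dump."""
    return {name: value for name, value in ROW_RE.findall(dump_text) if name in URL_OPTIONS}

def find_hijacked_urls(dump_text, expected_hosts):
    """List (option, value) pairs whose host is not one of the hosts the site legitimately uses."""
    expected = {h.lower() for h in expected_hosts}
    findings = []
    for name, value in extract_url_options(dump_text).items():
        host = (urlparse(value).hostname or "").lower()
        if host not in expected:
            findings.append((name, value))
    return findings

if __name__ == "__main__":
    print(find_hijacked_urls(SAMPLE_DUMP, {"example-blog.com", "www.example-blog.com"}))
```

Run against a nightly dump (or the same query against the live table), the check gives an early warning that the site has been redirected before reputation services pick it up.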

Web sites receive a web browser’s user agent string. This enables the web site to present content customized for that user agent. (To learn your user agent string, visit show-ip.net/useragent or WhatsMyUserAgent.) A thorough web site review requires access with a variety of user agent strings. Almost all web testing tools have features which enable you to specify a user agent string.

vURL Online (and vURL Desktop Edition) will “quickly and safely dissect malicious or suspect websites.” Parse the HTML before you connect to a web page. It will run these tests from your choice of servers around the world. If you will be entering personally identifiable information, you may wish to know something to look for. Look for the HTML “form action”. You should see something similar to one of the following:

<form method="POST" action="/order.cgi">
<form method="POST" action="https://www.shop.com/cgi-bin/order.cgi">

You don’t want to see an IP address used; it is unprofessional and suspicious.

Here are some permutations of URLs and form actions:

Page: http://domain.com/form.html
Form: <form action="/cgi-bin/login.cgi" method="get">
Result: no encryption, not secure

Page: https://domain.com/form.html
Form: <form action="http://domain.com/cgi-bin/login.cgi" method="get">
Result: switched from https to http, not secure

Page: http://domain.com/form.html
Form: <form action="https://domain.com/cgi-bin/login.cgi" method="get">
Result: switched from http to https, secure

Page: https://domain.com/form.html
Form: <form action="/cgi-bin/login.cgi" method="get">
Result: started and stayed secure
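The same check in code, as an added example that is not part of the original post and not vURL’s own logic: pull every form action out of a page, resolve it against the page URL, and apply the four permutations above, also flagging the bare-IP and different-host cases the post warns about. The page fragment is constructed for the example; 198.51.100.7 is a documentation address.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed page fragment for the example: a page served over https with two forms.
SAMPLE_HTML = """\
<html><body>
<form action="/cgi-bin/login.cgi" method="get">
  <input name="user"><input name="pass" type="password">
</form>
<form action="http://198.51.100.7/cgi-bin/login.cgi" method="post">
  <input name="card">
</form>
</body></html>
"""

class FormActionCollector(HTMLParser):
    """Records the action attribute of every <form> start tag."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def collect_form_actions(html):
    parser = FormActionCollector()
    parser.feed(html)
    parser.close()
    return parser.actions

def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify_form(page_url, action):
    """Resolve the action against the page URL and apply the four scheme permutations above."""
    target = urljoin(page_url, action)        # "" or a relative path resolves against the page
    page, dest = urlparse(page_url), urlparse(target)
    notes = []
    if dest.hostname and host_is_ip(dest.hostname):
        notes.append("submits to a bare IP address")
    if dest.hostname and page.hostname and dest.hostname.lower() != page.hostname.lower():
        notes.append("submits to a different host")
    if page.scheme == "https" and dest.scheme == "http":
        verdict = "switched from https to http, not secure"
    elif page.scheme == "http" and dest.scheme == "https":
        verdict = "switched from http to https, secure"
    elif dest.scheme == "https":
        verdict = "started and stayed secure"
    else:
        verdict = "no encryption, not secure"
    return {"target": target, "verdict": verdict, "notes": notes}

def audit_page(page_url, html):
    """Classify every form on the page; one result dict per form, in document order."""
    return [classify_form(page_url, action) for action in collect_form_actions(html)]

if __name__ == "__main__":
    for finding in audit_page("https://domain.com/form.html", SAMPLE_HTML):
        print(finding)
```

“Secure” here means only that the submission travels over TLS, as in the post's table; it says nothing about who is on the other end, which is the separate question the certificate and WHOIS checks address.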
  • Malzilla, like vURL Desktop Edition, is a web site analysis and de-obfuscation tool and Malware hunter. This could be your first step, depending upon how familiar you are with HTML. Typically requires Visual C++ 2008 redistributables and OpenSSL; see Malzilla error “The ordinal – LIBEAY32.dll”.
  • vURL Desktop Edition can be downloaded and run locally.
  • Script Decoder: decodes JScript, ASP pages and VBScript obfuscated with Microsoft’s Windows Script Encoder (screnc.exe).

hpHosts may help us find malware at this ISP, perhaps even the new hosts for Russian Business Network (RBN).

DShield: mirror of ISC. ISC uses the DShield distributed intrusion detection system for data collection and analysis. Submit firewall logs here.

Temerc Check Spammers: learn if the email address, IP address or username is on someone’s SPAM list (and why).

Malware Block List: collects links to malware.

Malware Patrol: a free, automated and user-contributed system for verifying URLs for the presence of Viruses, Trojans, Worms, or any other software considered Malware.

Web of Trust (WOT) can refer to a user-community web site rating system. A user-community cannot be expected to share the same understanding about terminology or technology. When a web site receives a red untrustworthy rating, that should be interpreted as “we think there’s something you should know about this web site.”

Additional network information tools are gathered at technicalinfo.net.

Stanford University offers a presentation demonstrating web-based malware.

Dasient Web Anti-Malware (WAM) has an Infection Library with examples of prevalent web-based malware.

“Tabnapping”: From an untrustworthy web site, a malicious party modifies the web page in another tab of your browser. For example, the page is modified to appear as if it were a logon page. In this way, credentials are captured.

“Verified by VISA” and “MasterCard SecureCode” (3D Secure): How online card security fails; Why is 3-D Secure a single sign-on system?

The Whitewash module allows Ruby programs to clean up any HTML document or fragment coming from an untrusted source and to remove all dangerous constructs that could be used for cross-site scripting or request forgery. All HTML tags, attribute names and values, and CSS properties are filtered through a whitelist that defines which names and what kinds of values are allowed.
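To show the whitelist approach Whitewash describes, here is an added Python sketch (it is not Whitewash, not Ruby, and not the module’s own code) that keeps only listed tags and attributes, discards script and style content entirely, and rejects URL attributes whose scheme is not http, https or mailto. The tag and attribute lists are assumptions for the example; CSS property filtering, which Whitewash also performs, is omitted.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: tag -> attributes permitted on that tag. Anything not listed is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}                # never pushed on the open-tag stack
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT_TAGS = {"script", "style"}  # the tag and its text are both discarded

def safe_url(value):
    """Relative URLs and allowlisted schemes pass; javascript:, data:, vbscript: and the like fail."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.dropping = False  # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = True
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # an unlisted tag is removed; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # event handlers, style=, unknown attributes all land here
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = False
            return
        if self.dropping or tag not in self.open_tags:
            return
        # Close back to this tag, closing anything the input left open inside it.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))  # re-escape decoded text

    def result(self):
        while self.open_tags:  # close whatever the input never closed
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()

if __name__ == "__main__":
    # Constructed untrusted input mixing allowed markup with the constructs the allowlist removes.
    print(sanitize('<p onclick="steal()">Hi <a href="javascript:alert(1)">x</a>'
                   '<script>bad()</script><img src="data:text/html,x" alt="a"><b>bold</p>'))
```

The design point is the one the Whitewash description makes: the sanitizer never tries to enumerate dangerous constructs, it enumerates the safe ones and emits nothing else, so a new attribute or scheme is blocked by default rather than requiring an update.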

Summary: eCommerce and personally identifiable information require additional measures. Watch for the green bar in the URL window. See SSL Vulnerability Debriefing.

Online Trust Alliance (OTA): OTA’s mission is to develop and advocate best practices and public policy which mitigate emerging privacy, identity and security threats while enhancing online trust and confidence, innovation and the vitality of commerce. As a non-profit, membership is open to all businesses, industry, law enforcement and government agencies committed to collaboration and enhancing online trust and confidence.

Cleaning your site information from Google

5 Responses to Can You Trust That Web Site?

  1. [...] also Can You Trust That Web Site? to see information is being shared regarding your [...]

  2. [...] can you trust the program’s source. Learning to suspect the source and being cautious (see Can You Trust That Web Site) is [...]

  3. [...] of HpHosts as your first step (my advice from Can You Trust That Web Site?), go to vURL. vURL reveals and expands the redirected web site. You can learn what the obfuscated [...]

  4. [...] how well did the “Can You Trust This Website?” services do? I wasn’t fast enough to test “clean-your-pca1.com”. The [...]

  5. Robert Treat says:

    Another reliable site to check site safety is http://www.browserdefender.com
