Cloud platform provider Akamai has reported the discovery of an ongoing series of attacks targeting the financial sector in which systems are being scanned for vulnerabilities with Skipfish, a popular security reconnaissance tool.
“Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments,” according to Google. The tool is freely available for download.
Akamai’s CSIRT team has identified multiple instances where the powerful scanning tool is being abused by attackers to scout out vulnerabilities on networks at financial services organizations that could be exploited for nefarious purposes.
“Specifically, we have seen an increase in the number of attempts at Remote File Inclusion (RFI). An RFI vulnerability is created when a site accepts a URL from another domain and loads its contents within the site. This can happen when a site owner wants content from one site to be displayed in their own site, but doesn’t validate which URL is allowed to load,” said Akamai’s Patrick Laverty.
“If a malicious URL can be loaded into a site, an attacker can trick a user into believing they are using a valid and trusted site. The site visitor may then inadvertently give sensitive and personal information to the attacker.”
The attackers look for RFI injection points by testing websites with the strings “www.google.com/humans.txt” or “www.google.com/humans.txt%00”; humans.txt is a text file that is usually available and contains developer information.
“Companies can see if they’re vulnerable by using Kona Site Defender’s Security Monitor to sort the stats by ARL and look for the presence of the aforementioned humans.txt file being included in the ARL to the site. Additionally, log entries will show the included string in the URL,” wrote Akamai’s Bill Brenner.
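One way to run the log check described above on a web server's own access logs, as an added example that is not from Akamai or the original article: it flags requests whose query parameters carry the humans.txt probe string, including the %00 variant. The Combined Log Format layout, the sample lines and the function name are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Probe marker named in the article; the %00 variant decodes to a NUL byte.
MARKER = "www.google.com/humans.txt"

# Assumed layout: Combined Log Format (client IP, timestamp, request line, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?page=http://www.google.com/humans.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?page=http%3A%2F%2Fwww.google.com%2Fhumans.txt%00 HTTP/1.1" 404 120',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /humans.txt HTTP/1.1" 200 80',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=loans&lang=en HTTP/1.1" 200 900',
]

def find_rfi_probes(lines):
    """Return one finding per query parameter whose decoded value holds the marker."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log layout
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double-encoded values.
            decoded = unquote(value).lower()
            if MARKER in decoded:
                findings.append({
                    "ip": m["ip"],
                    "param": name,
                    "null_byte": "\x00" in decoded,
                    "status": int(m["status"]),
                })
    return findings

if __name__ == "__main__":
    for finding in find_rfi_probes(SAMPLE_LOG):
        print(finding)
```

A request for the site's own /humans.txt path is not flagged, because only query parameter values are inspected; the parameter names reported show which inputs were probed and should be checked for URL validation.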