Dark home

22:46 07.11.2009

This is the English version of my Dark home article.

After the article Dark side of bookmarks, I’ll draw your attention to another aspect of security that concerns web browsers.

Browsers have a useful feature called the Home Page (homepage): the page the browser opens when it starts (if it is configured to do so). At first sight this feature does not suggest any security problems for browser users, but that is not the case. Several attacks can be conducted via the homepage function. I had planned to write about this back in 2008, and I describe it in this article, “Dark home”.

Note that while in my practice I have seen attacks via bookmarks only a few times, I have seen attacks via the homepage function many times. In particular, there are programs that change the homepage setting in IE when they are installed on a computer (including covertly).

Attacks via the homepage function.

The following attacks are possible via the homepage function:

1. Spam.
2. Phishing.
3. Malware spreading.
4. DoS attacks.

This browser functionality creates conditions for persistent attacks, because the configured homepage is saved in the browser settings on the user’s computer. So each of the above-mentioned attacks is a persistent attack, which can trigger at the next start of the browser or when the user presses the Home button in his browser. The probability of such an attack triggering is therefore much higher than for an attack via bookmarks.

Methods of conducting the attacks.

The following methods can be used to set malicious homepages:

1. Social engineering: “Set your homepage” labels on sites under the offenders’ control (where redirection code or other code is placed, which will trigger on the next visit to the site).
2. Hacking sites and changing the code in “Set your homepage” links to code with a malicious link, or placing such links on sites under the offenders’ control.
3. Using viruses to change the existing homepage setting in the victim’s browser to a malicious link.
4. Using attacks with an active (looped) prompt to set the site as the homepage (in Internet Explorer), so that the victim accidentally sets this site as the homepage (or is forced to do so).

Attacks in different browsers.

Of the above-mentioned methods, all four work in Internet Explorer, and in other browsers only methods 1 and 3 work. So when attacking users of all browsers, and especially alternative ones, social engineering or viruses can be used. When a virus changes the homepage setting in a browser, it also needs to check whether the browser is set to start with a blank page and, if so, change this option so that the browser starts with the homepage.

When attacking users of Internet Explorer, methods 2 and 4 can be used. This requires the code for setting the homepage (which works only in IE).

<a href="#" onClick="this.style.behavior='url(#default#homepage)';this.setHomePage('http://badsite')">Set your homepage!</a>
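
For a site owner, method 2 means that an existing “Set your homepage” link on their own pages may have been altered to point elsewhere. The following added example (not code from the original article) scans page source for setHomePage calls like the one above and reports those whose target is not the site's own host; the function names, the sample markup and the host www.example.org are assumptions made for illustration.

```javascript
// Added example, not from the original article. The sample markup is
// constructed; www.example.org is a placeholder for the audited site.
const SAMPLE_HTML = `
<a href="#" onClick="this.style.behavior='url(#default#homepage)';this.setHomePage('http://www.example.org/')">Make us your homepage</a>
<a href="#" onClick="this.style.behavior='url(#default#homepage)';this.setHomePage('http://badsite')">Set your homepage!</a>
<a href="/about">About</a>
`;

// Any call to setHomePage(...); the URL is captured only when the argument
// is a plain string literal, otherwise group 2 stays undefined.
const CALL_RE = /\.setHomePage\s*\(\s*(?:(['"])(.*?)\1\s*\))?/gi;

function hostOf(url, baseUrl) {
  try {
    return new URL(url, baseUrl).hostname.toLowerCase();
  } catch (e) {
    return null; // not parsable as a URL
  }
}

// One finding per setHomePage call. A call is suspicious when its target
// host is not the site's own host (or an explicitly allowed one), or when
// the target cannot be read statically and needs manual review.
function auditHomepageLinks(html, siteUrl, allowedHosts = []) {
  const allowed = new Set([hostOf(siteUrl), ...allowedHosts.map((h) => h.toLowerCase())]);
  const findings = [];
  for (const m of html.matchAll(CALL_RE)) {
    const target = m[2] === undefined ? null : m[2];
    const host = target === null ? null : hostOf(target, siteUrl);
    findings.push({
      line: html.slice(0, m.index).split("\n").length,
      target,
      host,
      suspicious: host === null || !allowed.has(host),
    });
  }
  return findings;
}

const report = auditHomepageLinks(SAMPLE_HTML, "http://www.example.org/");
for (const f of report) {
  console.log(`${f.suspicious ? "REVIEW" : "ok"} line ${f.line}: ${f.target}`);
}
```

The scan reads only literal calls in the served markup, so handlers that are entity-encoded or assembled by script at run time will not be found by it.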

Spam.

An advertising site can be set as the homepage, so the homepage function can be used for spreading spam. Besides advertising the site in this way, it can also be used to inflate the site’s statistics (in various ratings).

Phishing.

Just as with spam, the homepage function can be used for phishing. In this case, besides conducting the attack via methods 1, 2 and 4, the most effective will be method 3: the virus finds out (from history, bookmarks or the homepage setting) which bank the victim uses and sets a phishing site for this bank as the homepage. The victim then starts the browser and goes straight to the phishing site, which poses as the site of her bank.

Malware spreading.

The attack is conducted by setting a link to a browser exploit as the homepage. After the browser starts, the exploit executes malicious code in the user’s browser and installs a virus on his computer.

DoS attacks.

The attack is conducted by setting a link to a DoS exploit as the homepage. When the user starts the browser, it crashes or freezes. Moreover, this is a persistent attack that repeats at every start of the browser, so the user cannot use it at all until he changes this option.

The mechanism of setting the homepage can also be used by itself to conduct a DoS attack on browsers. I called this attack DoS via homepage. Internet Explorer 6, Internet Explorer 7 and previous versions (and possibly later versions too) are vulnerable to it.

Conclusions.

Attacks via the homepage function are entirely real and dangerous. So browser users must be careful on the Internet and should not set any site as their homepage. It is also advisable to configure the browser so that it opens a blank page at start rather than the homepage.

