Tuesday, August 29, 2006

Firefox Referer Manipulation, Porn, and Quick Quit

This is a quick review of some (well, two) Referer: header manipulators that I've been able to find for Firefox. This came up while testing a possible XSS vulnerability where the script was passing along document.referrer unsanitized.
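For reference, here is the shape of the bug I was poking at, as an added example (this is not code from the site under test or from either extension). The Referer header is supplied by whichever page linked to you, so an attacker who hosts a link controls it; a Referer manipulator just saves you from standing up that page while testing. The example models `document.referrer` as a plain string argument so it runs under Node without a DOM, and the attacker URL, the `attacker.example` host and the function names are all constructed for illustration.

```javascript
// Added example, not from the original post. A page that copies
// document.referrer into its own markup is a DOM-based XSS sink; the
// attacker sets the Referer by linking to the target from a URL that
// carries the payload (usually in the query string).

// Vulnerable: equivalent to `el.innerHTML = 'You came from ' + document.referrer`.
function renderReferrerUnsafe(referrer) {
  return '<p>You came from <a href="' + referrer + '">' + referrer + '</a></p>';
}

// Minimal HTML escaping for text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Hardened: escape the text, and only emit a link when the referrer parses
// as an http(s) URL (so javascript: and junk values never become an href).
// An empty string is what you get when the header was blocked or absent,
// which is exactly what Send Referer / RefControl produce.
function renderReferrerSafe(referrer) {
  if (!referrer) return '<p>No referrer was sent.</p>';
  let href = null;
  try {
    const u = new URL(referrer);
    if (u.protocol === 'http:' || u.protocol === 'https:') href = u.href;
  } catch (e) { /* not a URL at all; fall through with no link */ }
  const text = escapeHtml(referrer);
  return href
    ? '<p>You came from <a href="' + escapeHtml(href) + '">' + text + '</a></p>'
    : '<p>You came from ' + text + '</p>';
}

// Constructed sample: the Referer an attacker's page would hand us by
// linking to the target from this URL (hostname is made up).
const ATTACKER_REFERRER = 'http://attacker.example/?"><script>alert(1)</script>';

// Crude check used below: did a raw <script tag survive into the output?
function containsLiveScript(html) {
  return /<script/i.test(html);
}

console.log('unsafe:', renderReferrerUnsafe(ATTACKER_REFERRER));
console.log('safe:  ', renderReferrerSafe(ATTACKER_REFERRER));
console.log('blocked:', renderReferrerSafe(''));
```

Run it with `node` and compare the two outputs: the unsafe render hands the attacker's markup straight to the browser, while the hardened one keeps the payload as inert text and, because WHATWG URL parsing percent-encodes `"`, `<` and `>` in the query, the emitted href is harmless too.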

Send Referer: Compact and great for "privacy," but doesn't allow for editing the referer field directly. I was hoping for something more along the lines of User Agent Switcher.

RefControl: Much more complete. RefControl allows for a number of custom referer headers, depending on the site. In other words, sites that don't work without a valid Referer will still work (once you notice the problem). The only (minor) issue I saw is that the "Normal" functionality appears to be broken -- "Normal" and "Block" seem to do the same thing and suppress the header entirely. But, unlike Send Referer, RefControl includes an on/off button on the control bar.

If you know of a better XPI for Firefox to do this, let me know -- I was surprised to see that the otherwise very complete Web Developer Extension doesn't include support for this.

Oh, and a complete non sequitur: I find the Pornzilla project both hilarious and a perfect example of my personal maxim, "All IT professionals are really working for the porn industry."

Another: I need a button that lets me close all my Firefox windows and tabs all at once. Currently, on Windows, I use Ctrl-Alt-Del, Alt-T, F, I, R, E, Alt-E, Enter. Compare this to starting Firefox (with Colibri): Ctrl-Space, F, Enter. Clearly, quitting is way too many keystrokes, especially since it happens at least once a day, and every time I install a new extension.

Mildly related: needing a mere page refresh instead of a restart is one of the huge reasons why I prefer Greasemonkey user scripts to extensions these days.

Thursday, August 24, 2006

Mystery Firefox Download Sites

I use Gmail pretty much exclusively, and whenever I get e-mail having to do with Firefox or Mozilla, I usually see AdSense ads pointing to a host of strange "Get Firefox!" sites.

I've started clicking on them to see what's up, and I'm finding that, more often than not, they do nothing. Here's an example: http://downloadfirefox.ws/. Here's another.

So, what's the story here? These AdSense ads aren't free, so the operators must be doing something with them. I haven't spent really any time analyzing the landing sites, but I do notice that the links to download generally don't work, thus, I'm ruling out that they are actually interested in getting me to download FF.

Are these malware distribution sites? Spyware? Banner farms? Neither of the example sites is doing anything obvious like that (unless they're being unusually secretive and returning me different content based on my user-agent settings).

If you know, or have a theory, please comment below.

Wednesday, August 23, 2006

Mortgage Scams Investigated

I've started to school myself on the ins and outs of mortgage and refinance scams. I got interested about a year back when I spoke at a state bankers' association symposium on phishing, and the impression that I got then is that phishing is small potatoes compared to refi scams.

Probably the most authoritative site on the subject is BankRate.com, an aggregation portal for pretty much all things having to do with lending. This article from last year covers the basics of the in-person, billboard-driven scam market.

More dramatic, though, is the online angle. Enter the Refi Retaliator, and the principal players: Darren Brothers, aka SpamSlayer, as the hero, and Alex Polyakov, as the villain. Google the names around, and you'll see that the Polyakov Refi scam is reputed to be the largest and most successful in the business.

Any definitive papers on the subject would be appreciated. I may end up writing my own, since there appears to be a scarcity of public knowledge outside the financial industry. The parallels to phishing are obvious, but the money and property involved is typically enormous, and the international angle of the players seems relatively new.

Monday, August 21, 2006

Tracking Phishing Sites

While I usually rely on and recommend CastleCops for tracking live phishing campaigns, I've lately been looking at the Internet Defence Phishery. It does pretty much the same thing, but has a more European slant. I don't really think one source is any better than the other (though CastleCops's archival functions are much more useful to me for terminated phishing sites), so I expect I'll be checking both pretty regularly for new and interesting tricks phishers use on their landing sites.

Wednesday, August 09, 2006

Identity Angel Report

Heard a story on NPR today about the CMU project Identity Angel. Here's how it works: CMU trolls the Intarwebs for personally identifiable information, like name/address/SS#/e-mail address, then takes said e-mail address and lets the poor fellow know that his name/address/SS# is out there on the Intarweb.

I'm sure their heart is in the right place and this isn't just a Homeland Security funding boondoggle, but there are at least three problems I thought of while risking my life by listening to NPR on a motorcycle:

a) Ignored Alert: If the anti-phishing / counter-fraud people have been doing anything over the past two years, it's been instructing people to never ever ever respond in any way to any e-mail regarding your personal information. This is the best case scenario.

b) False Positives: CMU e-mails Alice, "Dear Bob, here's where we found all your information." Now Alice has a Bob ID Kit. Whoops!

c) Identity Angel scams: The domain identityangel.com is registered by some guy in New Jersey (CMU is in Pittsburgh, PA), and identity-angel.com is, as of this moment, mine. So, thanks to today's PR push, mail from these domains that make inquiries about your identity is going to carry with it the usual trust levels that the rest of phishing e-mail enjoys for those people who didn't pay attention when we were pushing (a). "This is a secure e-mail from the Identity Angel project. Click here to remove your personal information from the Internets." Etc.

And so begins my lucrative spamming (or at least domain squatting) career.

Friday, August 04, 2006

Monkeyspaw released

Black Hat's over, and I'm back home, just in time to publish Monkeyspaw to the world. Yay!