Shopping Season Threat Averted: AliExpress Patches a Vulnerability That Could Have Allowed Credit Card Phishing

Made public on the week of Black Friday, security researchers disclosed a vulnerability in AliExpress.com, a popular online retail service owned by Alibaba and patronized by over 100 million customers worldwide. The online shopping portal was found to have an open redirect vulnerability that could have allowed attackers to display a fake coupon designed to phish sensitive information from shoppers who viewed it. AliExpress took action and fixed it within two days of notification.

Targeting AliExpress users by sending them a link to an AliExpress web page containing malicious Javascript code, the code is executed in the user’s web browser. Using an open redirect vulnerability bypasses AliExpress’ protection against cross-site scripting attacks. A fake pop-up coupon offer would be displayed on the home screen asking customers to provide credit card details. The attackers control this fake pop-up window and any credit card details provided will be sent directly to the attackers rather than the online shopping site.

The security researchers who devised an exploit technique for the vulnerability noted that AliExpress uses only a simple method to stop such attacks. This method involves checking the referer header of the request. If the referer was not set or was incorrect, the request would be denied by the server. A referer is an HTTP header that identifies the URL of the webpage where the request was requested from.

To bypass AliExrpress’ method, the researchers sent a malicious link from an approved and trusted AliExpress URL. For that to be successful, the researchers looked for links in AliExpress that redirects to a second link in AliExpress that the malicious link can replace. The link chosen by the researchers was shortened so it wouldn't look suspicious. Customers who click on the link would be sent to an AliExpress login screen, which would subsequently inject the JavaScript to the page and issue the fake coupon.

Defending Against Phishing Attacks

As the shopping season rolls around, attackers are expected to roll out their phishing tactics to take advantage of the holiday rush.If you suspect that you have fallen victim to a phishing scam, immediately change passwords and PINs on all of your accounts.

Here are other tips on how to spot and avoid phishing scams:

  • Bookmark shopping sites. Avoid using search engines to find good deals. Limiting your search to trusted, secured shopping sites can reduce the chances of you landing on a spoofed site.
  • Always check the hyperlinks. To verify the legitimacy of the URL, move your cursor over the embedded link before even clicking it.
  • Spoofed emails usually contain a generic greeting. The user’s email address can also be used rather than directly addressing the recipient with his/her name, and that's a red flag.
  • Watch out for poor grammar or dodgy spelling. Legitimate emails do not contain glaring errors.
  • Recognize sloppily-designed emails. Wrong or out-of-place logos and layouts are signs that a message isn’t from a trusted source.
  • Beware of websites that ask for your password. Never give away passwords or sensitive information to untrusted or third party sites.
  • Stay clear of emails or sites that demand urgent action. Some messages will include desperate calls to action such as clicking certain links or disclosing personal information.
  • Be wary of too-good-to-be-true offers. There's a saying that goes, “if something seems too good to be true, it probably is,” and it applies to online shopping. Be wary of items offered at very low prices.
  • Routinely check your card statements. Be on the lookout for unauthorized transactions.
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.