Biting the Hand that Feeds You (Reloaded)
Billy K Rios, HITB 2009 ‐ Dubai
Background
• Defcon 15 – “Biting the Hand that Feeds You”
• Robust Defenses Against CSRF – Jackson, Barth, and Mitchell.
• Many websites were affected, with custom attacks for each domain
• We’ll finish with some examples on Twitter and Facebook
Biting the Hand that Feeds You
• Original version was presented at Defcon 15
• Web security decisions are based upon Domain Name
  – Same Origin Policy
  – Phishing
  – Crossdomain.xml, Java Applets, Silverlight
  – Plugins (NoScript)
Biting the Hand that Feeds You
• Abusing well known domain names to serve malicious content
• Demos using Yahoo Mail and Gmail, but others were affected as well
• Malicious Executables, Crossdomain.xml, and Java Applets were demo’d
What just happened?
• The attacker pushed an iframe to the victim’s browser
• The attacker used the iframe to POST valid credentials to the server (CSRF)
• The server verifies the credentials belong to a valid user and authenticates the user within the application logic
• The server issues a SET‐COOKIE, giving the victim’s browser access to the attacker’s account
• The attacker knows the location of various malicious payloads within their own account
• The attacker pushes a second CSRF which requests a malicious file/attachment/content
Serving content from popular domains
• Helps get past phishing filters
• Any domain whitelist/blacklist can be circumvented
• Flash Crossdomain.xml and Java applets made things interesting
Robust Defenses against CSRF
• Adam Barth, Colin Jackson, John Mitchell
• Presented various CSRF scenarios and two attacks using “Login CSRF”
• The authors presented an attack against Web History features and PayPal
Stanford Examples – Web History
Stanford Examples – PayPal
• User logs into PayPal and attempts to add a new Credit Card
• Attacker registers a PayPal account
• BEFORE the submit button is pressed, the attacker uses an iframe to POST the attacker’s creds to PayPal
• The victim receives the iframe from the attacker and the victim’s browser automatically submits the login to PayPal (with the attacker’s creds)
• PayPal validates the creds, and sends a new session cookie. The victim is now logged in as the attacker
• The victim presses the SUBMIT button and submits the new credit card info to PayPal
• The attacker retrieves the new credit card from THEIR account!
IMHO
• Disparity between two different security models
• Browser security model is very focused on Same Origin Policy
• Application security model is based on authentication and sessions
• When a user/attacker provides credentials to the application, the application verifies that the credentials are valid (authentication)
• Once the authentication process is complete, the server then establishes the boundaries for that particular user (authorization)
• The server tracks this “contract” by issuing the client a session cookie
• The contract changes several times over the life of a browser (each logout/login is a change in the contract)
• The browser doesn’t care about any contract established between the user and the application; it merely enforces the protection mechanisms for cookies and content
Places to Watch for
• Login forms that don’t protect against CSRF
• SSO option and Forms based login option
• Tokens being passed from one domain to another
Classic SSO scenario
• Take information from Application A
• Authenticate to Application B
• Avoid passing credentials
• Use a token instead
• App B trusts the tokens passed
ZenDesk SSO
• Name=
• Email=
• External_id=
• Timestamp=
• Hash=
• This hash value is based on the items above and a shared secret
Problem
• The SWF file is only available to the Attacker Account (SessionSwap1)
• Self XSS?
• Launch the XSS and wait for the user to log in?
• Authenticate to Twitter using the Attacker’s creds, initiate SSO to Zendesk
• Twitter passes the SSO token back to the Attacker (hash=)
• The Attacker passes the SSO link to the Victim via iframe (CSRF)
• The SSO CSRF is passed by the Victim’s browser to Twitter
• Twitter issues a new Zendesk session cookie to the Victim’s browser
• How CSRF protection mechanisms come into play
• Ajax‐y behavior can complicate things
• These are UI/Design issues
Facebook Example
• User logs into Facebook and attempts to add a new Credit Card
• Attacker registers a Facebook account
• BEFORE the submit button is pressed, the attacker uses an iframe to POST the attacker’s creds to Facebook
• The victim receives the iframe from the attacker and the victim’s browser automatically submits the login to Facebook (with the attacker’s creds)
• Facebook validates the creds, and sends a new session cookie. The victim is now logged in as the attacker
• The victim presses the SUBMIT button and submits the new credit card info to Facebook
• Facebook shows the CSRF error and generates a new token for the victim
• The victim resubmits the credit card data to Facebook
• The attacker retrieves the credit card data from THEIR Facebook account
CSRF Protections?
• New tokens are generated
• Ajax request occurring in the background
• How are CSRF validation failures handled?
• Failures silent?
• Appropriate error messages?
• It may be easier to defend Forced Login / Session Swapping
Questions?