Spamming Ecommerce with CSRF
The idea isn't entirely new- CSRF has been used in the past to abuse ranking systems and push pageviews through the roof. These attacks have a lot of applications in spamming, black hat SEO, and manipulating site statistics.
I came up with an interesting variant on this recently. Instead of trying to get as many hits as possible to a page (in an ecommerce app, for example), we can force users to view a product of our choosing (one we sell, of course). This, in turn, will make that product pop up in his "recently viewed items" page, or, in many cases, the front page of the site. It's easy to see how this attack could be directly monetized- putting your product on the front page of, say Amazon.com, will go a long way towards increasing its visibility and ultimately, its sales.
This attack can even be targeted towards specific audiences very easily by sticking these history-poisoning links in domain-specific websites- weight loss products on weight loss forums, tech products on tech sites, etc.
The important distinction is that instead of attacking the server directly, we're abusing the user's session. Taking it a step further, some sites allow the attacker to actually stick products in the user's shopping cart via CSRF. If you don't notice that they're there, you may end up buying things you didn't intend. If you do notice them, you still will likely click through and view the product- effective advertising, no doubt.
As a proof of concept, this page will poison your browser's Amazon.com recommendations, eBay product views, your Walmart.com shopping cart, and your Overstock.com cart.
Could spammers use CSRF to push their products to the front page of your favorite ecommerce portals? You bet. Would that be valuable? Given the massive amount of money people throw at the SEO and advertising industries, I have to assume so.
I came up with an interesting variant on this recently. Instead of trying to get as many hits as possible to a page (in an ecommerce app, for example), we can force users to view a product of our choosing (one we sell, of course). This, in turn, will make that product pop up in his "recently viewed items" page, or, in many cases, the front page of the site. It's easy to see how this attack could be directly monetized- putting your product on the front page of, say Amazon.com, will go a long way towards increasing its visibility and ultimately, its sales.
This attack can even be targeted towards specific audiences very easily by sticking these history-poisoning links in domain-specific websites- weight loss products on weight loss forums, tech products on tech sites, etc.
The important distinction is that instead of attacking the server directly, we're abusing the user's session. Taking it a step further, some sites allow the attacker to actually stick products in the user's shopping cart via CSRF. If you don't notice that they're there, you may end up buying things you didn't intend. If you do notice them, you still will likely click through and view the product- effective advertising, no doubt.
As a proof of concept, this page will poison your browser's Amazon.com recommendations, eBay product views, your Walmart.com shopping cart, and your Overstock.com cart.
Could spammers use CSRF to push their products to the front page of your favorite ecommerce portals? You bet. Would that be valuable? Given the massive amount of money people throw at the SEO and advertising industries, I have to assume so.
posted by mckt at
11:56 AM
|
4 Comments
