Matias Katz's Blog: Shall we talk a little about security?

31 Oct 2011

Facebook or SET?

The title refers to SET (the Social Engineering Toolkit), because, as has been shown repeatedly, Facebook itself sometimes acts as a platform for spreading phishing.

Once again we found a small but permissive design error in Facebook that allows an attacker to build a vector for spreading phishing. As before, there are no reports so far of this feature being abused.
We previously published an article directly related to this attack, Social Engineering via the "Like" button; if you have not read it yet, we invite you to review it quickly for a better understanding of the possible combinations.

As detailed in the previous article, an attacker can first build up the credibility and reputation of a note, and then edit it to add links to malicious content. In this case we add two new ingredients that make the note more "striking" and lead the reader to click on an apparently harmless link.

First, we can insert pictures into the note, which has been known for a long time. In our case we were able to embed an image from an external URL using HTML code in the note.

Example:

<img SRC="http://www.mkit.com.ar/imagen.jpg" alt="imagen"></img>

Second, through trial and error, we managed to insert an "a href" with the ability to change the name (the visible text) of the hyperlink.

Example:

<a href="http://www.dominiomalicioso.com/malware.exe">http://www.mkit.com.ar/blog</a>

Thanks to these features, an attacker can once again "hide" a redirection to a site that is infected, or that hosts an elaborate hoax designed to make the user fall into the trap.

While testing how this "possible" attack behaves, we observed the following:

  1. If you share the note on the wall and the hyperlink name contains the expression "http://", clicking the link in the wall post redirects you to the site named in the link TEXT, regardless of what the "a href" says. In the example above, it redirects to "http://www.mkit.com.ar/blog" instead of "http://www.dominiomalicioso.com/malware.exe".
    (Image: Wall redirect WITH "http://")
  2. If you share the note on the wall and the hyperlink name does not contain any expression such as "http://", it appears in the wall post as plain text (if it makes it into the note's preview at all).
    (Image: Wall redirect WITHOUT "http://")
  3. If you click the hyperlink from inside the note, you are always taken to wherever our "a href" points.
    (Image: Redirect from inside the note)

Short URLs can also be used to obfuscate what appears in the status bar a little, to get around users who pay slightly more attention.

For this test we chose a topic of current interest to arouse curiosity. The redirect goes to a script on our own domain that counts visitors, to measure the impact it would have had if we had published malicious content.

(Image: Victims counter)

With a network of roughly 300 contacts, on a Monday at 1:30 am, just 40 minutes after publishing, this is the partial result:

As much as my contacts trust me and know that for that reason they have nothing to worry about (I hope, at least...), it is a matter of creating habits in users to make up for the level of design flaws in modern applications.

In this case it is a personal account with few contacts. Imagine if the account of someone with more than 1000 contacts were stolen! Within minutes, an attacker would be capable of stealing hundreds and hundreds of records or compromising the same number of machines.

Possible solutions:

Do not allow users to use HTML tags when creating notes: admittedly, leaving the raw URL without renaming it is not very "aesthetic". However, one could distinguish between "corporate" and "regular" users and grant the extra permission only to the former, who are more likely to make good use of this feature.
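To make both the "a href" trick shown above and this first solution concrete, here is a small added example (our own illustration, not code from Facebook or from the original post). It scans a note body for anchors whose visible text is itself a URL on a different host than the real href, which is exactly the mismatch the status bar would reveal, and then applies the mitigation of showing the raw href instead of the attacker-chosen name. It assumes the note is a plain HTML string with double-quoted href attributes, compares only hostnames, and uses a constructed sample note modelled on the example above.

```javascript
// Added example, not from the original post or from Facebook.
// Assumptions: note body is an HTML string; only <a href="..."> with
// double-quoted hrefs is handled; "deceptive" means the visible text is a
// URL whose hostname differs from the href's hostname.

const ANCHOR_RE = /<a\s+[^>]*href="([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;

// Lower-cased hostname of a URL string, or null if it does not parse.
function hostOf(text) {
  try {
    return new URL(text.trim()).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Only link names that look like a URL (scheme or "www." prefix) can spoof
// a destination; plain words such as "read more" are not compared.
function looksLikeUrl(text) {
  return /^(https?:\/\/|www\.)/i.test(text.trim());
}

// "www.example.com/path" has no scheme, so add one before parsing it.
function normaliseDisplay(text) {
  const t = text.trim();
  return /^https?:\/\//i.test(t) ? t : "http://" + t;
}

// Detection: return [{href, text}] for every anchor whose visible text is a
// URL on a different host than the href it actually points to.
function findDeceptiveLinks(html) {
  const found = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, "").trim(); // drop nested markup
    if (!looksLikeUrl(text)) continue;
    const hrefHost = hostOf(href);
    const textHost = hostOf(normaliseDisplay(text));
    if (hrefHost && textHost && hrefHost !== textHost) {
      found.push({ href, text });
    }
  }
  return found;
}

// Mitigation (the post's first "possible solution"): discard the link name the
// author chose and render the raw href as the visible text, so what the reader
// sees and what the status bar shows are the same string.
function rewriteLinksToRawHref(html) {
  return html.replace(ANCHOR_RE, (whole, href) => {
    const attr = href.replace(/"/g, "&quot;");
    const shown = href.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
    return `<a href="${attr}">${shown}</a>`;
  });
}

// Constructed sample note body, modelled on the post's example (not real data).
const SAMPLE_NOTE = [
  '<img src="http://www.mkit.com.ar/imagen.jpg" alt="imagen">',
  '<a href="http://www.dominiomalicioso.com/malware.exe">http://www.mkit.com.ar/blog</a>',
  '<a href="http://www.mkit.com.ar/blog">http://www.mkit.com.ar/blog</a>',
  '<a href="http://www.dominiomalicioso.com/x">read more</a>',
].join("\n");

console.log(findDeceptiveLinks(SAMPLE_NOTE));
console.log(rewriteLinksToRawHref(SAMPLE_NOTE));
```

Two caveats a practitioner should keep in mind. A hostname comparison cannot see through the short URLs mentioned above (text and href may both be the shortener's host), so the rewrite, which removes the attacker's choice of link name entirely, is the stronger of the two measures. And the wall-rendering quirk from observation 1, where Facebook itself followed the link TEXT rather than the href, is behaviour of that site and is not modelled here.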

Educate the user: given the "advanced" phishing vector reported previously, we believe that in this case, as in most, the most efficient and effective way to prevent an attack is to instill discipline in the user and gradually build safe habits when browsing social networks, just as on any other network. Reading the status bar before clicking on any hyperlink remains extremely important.

Source: Gustavo Nicolas Ogawa, Mkit Blog editorial team
