The title refers to SET (Social Engineering Toolkit); as has been shown repeatedly, Facebook sometimes acts as a platform for spreading phishing.
Again, we observed a modest, permissive design error by Facebook that allows an attacker to build a vector for spreading phishing. Again, there are no reports so far of this feature being misused.
We previously published an article directly related to this attack, Social Engineering via the "I like" button; if you have not read it yet, we invite you to review it quickly for a better understanding of the possible combinations.
As detailed in the previous article, an attacker can use the design decision that increases the reliability and reputation of a note, then modify the note and post links to malicious content in it. In this particular case we add two new ingredients that make the note "striking" when a seemingly harmless link is clicked.
First, we can insert photos in the note, something known for a long time. In our case we were able to insert an image from an external URL using HTML code in the note.
Example:
<img SRC="http://www.mkit.com.ar/imagen.jpg" alt="imagen"></img>
Second, through trial and error, we inserted an "a href" with the possibility of modifying the hyperlink's displayed name.
Example:
<a href="http://www.dominiomalicioso.com/malware.exe">http://www.mkit.com.ar/blog</a>
Again, thanks to these features, an attacker can "hide" the redirection to a contaminated site, or combine it with an elaborate hoax to make the user fall into the trap.
In routine testing of how the "possible" attack operates, we observed certain behaviour:
- If you share the note on the wall, and the hyperlink name includes the expression "http://", then clicking the note's link on the wall redirects you to the site given by the NAME of the link, no matter what the "a href" says. In the example above, it redirects to "http://www.mkit.com.ar/blog" instead of "http://www.dominiomalicioso.com/malware.exe".

(Image: Wall redirect WITH "http://")
- If you share the note on the wall and the hyperlink name does not include any expression such as "http://", it appears in the wall post as plain text, if you ever get into the preview of the note.

(Image: Wall redirect WITHOUT "http://")
- If you click the hyperlink inside the note itself, you will always be taken to wherever our "a href" points.

(Image: Redirect from inside the note)
We may also use short URLs to obscure the status bar a little, to defeat users who pay slightly more attention.
In this particular case, we chose a topic of current interest to provoke curiosity. The redirection goes to a script within the same domain that keeps track of visitors, to measure the impact it would have if we published malicious content.

(Image: Victims counter)
In a rough set of 300 nodes, on a Monday at 1:30 am, just 40 minutes after publication, this is the partial result:
As much as my contacts trust me and know they are safe for that reason (I hope, at least..), the point is to create a habit in the user that compensates for the level of design flaws in today's applications.
In this case it is a personal account with few nodes. Imagine if someone's account with more than 1000 contacts were stolen! Within minutes, an attacker would be capable of stealing hundreds and hundreds of records, or compromising the same number of machines.
Possible solution:
Do not allow users to use HTML tags to create notes: certainly, leaving the raw URL without renaming it is not very "aesthetic". However, a distinction could be made between "Corporate" and "Regular" users, giving extra permissions to the former, who are most likely to make good use of this feature.
Educate the user: given the "Advanced" phishing vector reported previously, we believe that in this and in most cases the most efficient and effective way to prevent an attack is to instil discipline in the user, who will gradually adopt safe practices when browsing social networks, much like any other network. Reading the status bar before clicking on any hyperlink is still extremely important.
Source: Gustavo Nicolas Ogawa, from Mkit's Blog editorial team
Again, we present a 0-day in Facebook phishing techniques. Fortunately we have not seen the technique in operation. Through continuous research on the platform, we can deduce certain attack vectors and warn security experts and developers before those vectors are exploited on a massive scale, thereby reducing their future effectiveness.
Every time we post a link, either on our wall or on someone else's, Facebook generates content it calls a "Preview".
After copying the link into the publishing box, the preview is generated and provides information about the page the link redirects to, namely Domain Name + Forwarding link.
If we wanted, we could delete the link from the publishing box and leave only the preview visible. In that case, clicking on the preview image or link would be enough to be redirected.

(Image: Post without link in comment)
In the same way, we could post malicious content, since Facebook allows us to link more than one piece of content per post but only allows one preview.

(Image: 2 links in 1 post)
As we see in the image, the link to Hotmail appears in the preview, and the link to Gmail also appears in the comment.
Now, taking advantage of these facilities provided by the application and using URL shorteners, an attacker would in theory be able to increase the chances of infection with a single post containing three addresses:
-
- The name of the alleged link to be redirected
-

Looking in detail at the image with the true redirect, we can distinguish the following:
- Comment text from FB.
- Hyperlink name (Sign In).
- Link in plain text (login.live.com).
- Page description.
Looking in detail at the false redirect image, we can see:
- Comment text from FB + short URL (in PoC mode it redirects to gmail.com) ---> It prompts the user to log in from the link.
- Hyperlink name (Sign Up) ---> If Sign Up is pressed, the redirection would go to the original site, so it was altered in a way that discourages the user from clicking it. Sign Up = Register.
- Comment on the page:
If you want to log in, follow the link above or the following LINK: http://goo.gl/93aP6. To create an account press SIGN UP
Another example:

(Image: Malicious)
If you use a service to "unshorten" the shortened link, it produces the following result:

(Image: Expand)
Featured site: http://longurl.org/
As shown in the result, the redirection goes to http://login.liveS.com/, which is not the same as https://login.live.com/
There are 4 key factors in the attack:
- Facebook allows us to write more than one hyperlink per post
- Facebook creates a "Preview" of the page
- In the preview, Facebook displays the (manipulated) "link name"
- Facebook lets us modify the contents of the post.
There is one negative factor for the attack:
- The original redirect hyperlink in the preview CANNOT be changed. Ergo, even if the attacker changes the name of the redirect link, if the user clicks on that link, it will be redirected to the original anyway.
From the negative factor, we deduce (very easily) that the chances of effectiveness are reduced to 50%, since of the 2 links with redirection, 1 leads us to an attack site and 1 leads us to the authentic site. However, as demonstrated in the Sign In / Sign Up case, a "semantic" diversion of that redirection can be achieved.
From the key factors of the attack, we can deduce:
- A user easily falls into the trap of a 0-day phishing attack.
- The preview increases the perceived reliability of the redirection
- Facebook increases the perceived reliability of the post
- The "Link Name" is the second key to the phishing, because we can change it at will, thus increasing the trust that leads the user to click.
To avoid falling victim to a phishing scam of this nature, we recommend using social networks consciously. Do not trust everything that seems trustworthy.
- Read the status bar carefully by hovering the mouse over the hyperlink to see where it points.
- If it is a "Short URL", enter it into a link-expansion service to view the original redirection.
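A defender-side check for the two tricks described in these articles, the anchor whose displayed name is a different URL from its href (first article) and the lookalike login host hidden behind a short URL (second article). This is an added example, not code from Mkit's Blog; the lists of legitimate login hosts and shortener hosts are assumptions you would replace with your own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed reference lists (replace with the hosts you actually trust / see).
LEGIT_LOGIN_HOSTS = ("login.live.com", "accounts.google.com", "www.facebook.com")
SHORTENER_HOSTS = ("goo.gl",)

class _AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []  # (href, visible text)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None
def _host(url):
    return (urlparse(url).hostname or "").lower()

def _edit_distance(a, b):
    # Levenshtein distance: login.liveS.com is one edit away from login.live.com.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_anchors(html):
    # Returns a list of (kind, detail, detail) findings for suspicious anchors.
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = _host(href)
        shown = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != target:      # name shows one site, href goes to another
            findings.append(("text-href-mismatch", text, href))
        if target in SHORTENER_HOSTS:      # final destination is hidden behind a shortener
            findings.append(("shortener", text, href))
        for legit in LEGIT_LOGIN_HOSTS:    # typo-squat of a known login host
            if target != legit and _edit_distance(target, legit) <= 2:
                findings.append(("lookalike", target, legit))
    return findings
```

Run it over the note or post body before it is published or rendered; a shortener finding still needs an expansion service such as the one mentioned above to learn the final host.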
Source: Gustavo Nicolas Ogawa, from Mkit's Blog editorial team
Segu-Info, the biggest Spanish-speaking information security community in the world, is conducting a poll to assess the level of knowledge internet users have about phishing-related issues.
The poll is completely anonymous and quick to complete (less than a minute), and taking it will help establish the existing levels of awareness regarding phishing.
Link to the poll (Spanish): http://segu.info/enc1
I thought about seeing how far I could get when trying to assemble a phishing site.
First, I chose a provider, in this case Gmail. Then, I downloaded the original login site and did the following adjustments:
- I cut all the communications the site made to Google
- I changed the destination of the user and password information
- I manually added a Favicon from the provider's official icon repository
- I created a new script that receives the information sent from the login site and shows it on-screen
The finished product turned out to be a Gmail home site, dangerously similar to the original, but with dangerously different behaviour.
In order to really know how easy it is to make this part of the attack, I can tell you that it took me approximately half an hour of very relaxed work.
For this to be a full Phishing attack, the next step would be to deceive the user into entering the address where the site is being hosted, believing he's entering Gmail's real site.
I will clearly NOT make that task easier for you, but I will leave you with the login site, which on its own is harmless.
I invite you to test the site (by entering fake credentials, obviously).
Next provider: Facebook
Link: http://www.matiaskatz.com/gmail/
Today an email with a supposedly attached picture arrived in our generic inbox, sent from a mobile user of Claro.
The link inside the email pointed to an executable file.
This is not the most intelligent phishing attack that ever existed, but it's worth showing so nobody falls for it.
Here is a screenshot of the email.
