Anatomy of a Social Network Spear Phishing attack

Targeted Spear Phishing Attacks exploiting client-side vulnerabilities have been on the rise for years. These type of attacks ‘trick’ and end-user to either visit a malicious website or click on a malicious link (which may, or may not appear to be legitimate).

I’ve seen this happen many a time. Each time is slightly different. Because as a hacker, the possibilities are almost endless in the ways and methods you can use to pull of a successful attack. You are only limited by your creativity. (Or, THEY are I should say *ahem*)
In this article I will try and do a brief run down of a simple method which I have seen in the wild. The audience this article is intended for is not for hackers, it’s for people that want to be aware of the types of attacks which they may fall victim to and how to prevent it from happening to them.

Spear Phishing attacks can have numerous ‘end games’ associated with them. This has been the most popular method in recent times for hackers to gain access to huge corporations and banks. Usually with the goal of stealing private company information to stealing millions of customer’s credit card numbers which are then sold on the cyber black-market.

What makes Spear Phishing so successful is the fact that you are exploiting human weaknesses more so than technical weaknesses. If a company spends hundred of thousands of dollars on the latest state of the art Firewalls, Intrusion Detection/Prevention technologies and expensive all in one Anti Virus suites their users, then they may operate on a misguided sense of security.

What happens if a staff member receives an email or a social network request from somebody they believe they know and which seems legitimate? If they click on this link or open this attachment, then those hundreds of thousands of dollars of security equipment is now pointless.  (Staff Security Awareness Training is key here. Check out my other post on how to do this properly)

I’ve already covered this briefly in a post about a pentest I did which results me in getting free beer by tricking a personal assistant to think I was a colleague who added her to Facebook (here).

So I will take this post to a home user level. I’ve already covered the potential dangers of having your Identity Stolen by using either poor Wireless Networking security or poor Modem/Router security (here). But I will direct this to the dangers of Social Networking.

The attack (Wrong friend at the wrong time)

Vickie loves Facebook. As soon as she gets home from college, she is all over that shit like a Japanese  school girl at Hello Kitty convention. She has about 800 friends, which she is very proud of. It has taken her a long time to get 800 friends. She probably only knows about 50 of them in real life.

One of her 800 friends, and one of the 50 she actually knows is a girl called Mary McFly. Cool last name, can’t say the same about her first. Both Mary and Vickie often exchagne pleasantries over Facebook and post random shit on each others walls.

This night though, Vickie got an email from Mary’s Hotmail account.

To: <blank>

From: Mary McFly

Subject: Mary has tagged you on a picture on FaceBook Losers!

If you have received this email. It indicates that Mary McFly has tagged you in a photo on Facebook Losers. If this is not you, please notify us. http://facebooklosers.servepics.com

The Facebook Losers Team.

“What the hell is Facebook Losers!? And why am I on it!” Vickie exclaims, clicking the link with vigor.

Facebook then appears on the screen. But the URL is facebooklosers.servepics.com. “This looks normal, I guess you just log in with your Facebook ID to get access” Vickie thinks to herself as she puts in her Facebook credentials.

Once she hits ENTER, the screen flashes and the Facebook login screen appears again (not noticing that now the URL is facebook.com). Trying her password one more time, she logs in to find that she has logged in to Facebook. “Hmmm I don’t see any more Facebook Losers on here than I did before… weird”. Vickie dismisses all of this as some sort glitch in the Matrix, and goes back to posting pictures of Kittens on people’s walls.

The attack (Victim’s point of view)

Mary gets a call from one of her college buddies, her name is Vickie. Vickie has a reputation of being a bit of a skank, but Mary finds her antics both humerous and refreshing.  “Hey what was with that email last night? The link didn’t work…”. Mary knows she didn’t send any emails last night, for she was busy in the back of her brother’s car until sun up. Perplexed, Mary tries to log in to her Hotmail account to see if Vickie is telling the truth (she has been known to lie in the past). Mary discovers that her password no longer works. “What the hell!?” She vents in frustration.

She tries a few more times but to no avail. She isn’t sure if she has forgotten her password, or someone has changed it (she did have a heavy night of drinking with her brother the previous night after all). Mary clicks on the ‘forgot password link’ and proceeds to go through the steps to reset her password.

Mary enters her mother’s birthplace, ‘Hell’… but it STILL doesn’t work (which is strange, Mary knows that is indeed where her mother is from). After trying several times with nothing working, and with the voice of Vickie’s phone call still ringing in her ears, a sad wave of realisation rolls over her. SHE’S BEEN HACKED!

The Attack (Hacker’s point of view)

Enter Marco. Marco is a juvenile hacker with not a great deal of skills, but too much time on his hands. He recently stumbled onto an underground website dedicated to cyber crime. He noticed that people were selling and buying things like stolen credit card information, 0day exploits and viruses, people’s identity information and so on. Marco thought this would be a good way to make a quick buck. He already read an awesome blog post by an even awesomer guy called Marts McFly on how hackers can harvest personal details off people’s modem/routers using things like Shodan and Wifi. So he knew that he would pull this off, but his thirst for money got him to branch out into social networking.

Marco knew that young girls/women are easy targets for this type of attack. (Marco doesn’t mean to be sexist, it was just his observation. If he wanted to target a corporation, then it would be different)

Browsing through Facebook, he noticed that every young woman who had a scantily clad photo as their profile picture had hundreds, if not thousands of friends. It is high-school drama all over again. Girls competing for the most friends and showing pictures of their drunken under-age conquests on the weekends. (Oh to be young again)

Marco cracked his neighbour’s wifi and set up a fake profile page. He didn’t use TOR, as experience has shown Marco that Facebook picks up overseas attempts and makes you jump through security measures to try and get access back into your account. So his neighbours wifi was the safest bet for now.

He browsed through Google images until he found a picture of a young man taking a photo of himself in the mirror. One that looked as pretentious as the girls he was about to target.

After filling out his profile complete with purposely put grammatical errors, saying he was interested in emo music with plenty of ‘lols’, he was ready to begin.

He first searched for girls in a particular region, and started friend requesting the ones which had the most friends and public profiles. These girls are more likely to hit ‘accept’ without really checking. Having more friends (especially pretentious young male friends) is what they pride themselves on.

After a short time, Marco had 20 friends. All he was using was the ‘suggested friends’ menu on Facebook which were already friends of his new friends. When a new person gets Marco’s friend request, they will see that Marco is already friends with 20 other of her friends, so she will more than likely accept.

Marco does this continually over a week or so. Slowly building an empire of contacts. Posting juvenile things on his wall every now and again, and deleting anyone that posts on his wall asking who he is.  He is sure not do this process to hastily, otherwise Facebook will detect this and thwart his efforts. He also has to be sure that no one reports him as a spammer. Selected friendship adding is what is required here. The scantily clad drunken girls are where Marco has to focus on.

After a week. Marco has over a hundred new friends. Most of them college girls who haven’t bothered to enquire too hard into who he is. Marco then starts going through their profiles, looking at their ‘info’ page and finding their email addresses.

Every single girl had their e-mail addresses (and mobile phone numbers) displayed to their friends (and Marco). 90% of these were Hotmail addresses. Marco cringed at the thought, but didn’t have much of a choice.

Marco would then copy a girls email address, go to Hotmail and go through the ‘lost password link’. He would have a look at their ‘secret question’. Common ones were ‘Best childhood friend’ ‘Mother’s birth place’ ‘Favorite pet’ etc.

Marco would then look around the girl’s Facebook profile, doing keyword searches for whatever he was looking for. One of the girls secret question was ‘Your first car’. Now most of these girls were still pretty young, and probably only ever owned one car up until this point. So he would browse through the victim’s photo albums until he found the victim, standing next to a car. A red Mazda. “Like shooting fish in a barrel” Marco laughs as he logs into the girl’s Hotmail account, changing her password in the process.

Next victim was a girl called Mary McFly. Mary’s secret question was ‘Mother’s BirthPlace’. Marco looked at Mary’s friends, and did a friend search for the name ‘McFly’ (her family name). A few results came back. One seemed to be her Father. One seemed to be a creepy looking brother called Marts. Then BINGO, the Mother. Marco clicked on the Mother’s profile, and to his pleasant surprise, her profile was public. “Poor old people” Marco thought. Firs thing he saw on Mary’s mother’s profile, was where she was from. ENGLAND! The mother land. With that, Marco goes through the reset Hotmail process for Mary, changing her password and her secret question in the process. He now owns her account as well.

Now if Marco wanted to, he could now reset Mary’s Facebook account, or any other website she is a member of (as he controls her email, the same email where any website will send her a reset link for authentication purposes).

Marco’s goal is to use Mary’s email account, and send out a convincing email to all of her contacts, coaxing them to click on a link (Multi-Pronged Spear Phishing Attack). Once a victim clicks this link, it will hopefully capture people’s login credentials for Facebook. When he has enough of these Facebook credentials, he plans to sell these to a group of hackers who will then most probably do a mass Facebook Spam run to net victims into a botnet.

He is using the Social Engineering Toolkit (SET) which is on the BackTrack Linux distribution to do his dirty work (Which is a free LiveCD hacking framework that runs on Linux).

SET allows Marco do all sorts of things related to phishing and spear phishing. But the one particular function he wants to use is called ‘Credential Harvester’ which he uses in conjunction with a clone website feature which will make a replica of any website he chooses to trick his victim’s into entering their login details. In this case, it is Facebook.

On his hacked neighbour’s wifi, Marco signs up to http://no-ip.com and sets up his neighbour’s external IP address to point to a domain name of his choosing. He comes up with ‘facebooklosers.servepics.com’. He then logs into he neighbours Netgear ADSL router (using the default ‘admin’ password) and sets port forwarding for port 80 to his virtual machine running Backtrack and SET.

5 minutes later, Marco tests that everything is working by browsing to http://facebooklosers.servepics.com. He is greeted with a Facebook login. SUCCESS!

The next part of his attack is to get as many people he can to click this link. He can’t just spam the link on Facebook, because Facebook is ‘pretty good’ at preventing in-system spam. Most of the No-IP domains are blacklisted and Marco doesn’t want to go to the trouble of buying a domain name just for this purpose.

So this is where Mary’s hotmail account comes in handy. He goes into Mary’s contacts, finding hundreds of people which were connected to her on Facebook. He selects them all and adds them to the BCC field and shoots off a cleverly crafted email to these hundreds of people.

To: <blank>

From: Mary McFly

Subject: Mary has tagged you on a picture on FaceBook Losers!

If you have received this email. It indicates that Mary McFly has tagged you in a photo on Facebook Losers. If this is not you, please notify us. http://facebooklosers.servepics.com

The Facebook Losers Team.

This email will not go into the SPAM or JUNK email boxes of the recipients, as it is a legitimate account he is sending this from, not a spoofed address.

Marco only has to wait a few minutes, and on the SET console he sees people entering their Facebook logins directly to his screen in real time. He couldn’t help but laugh at some of the funny passwords people were using. ‘ilovecox’. “Wow…” Marco thought, shaking his head in amusement.

He also does this same attack by making another fake website looking like Hotmail. Getting people to log in to verify who they are before they can see themselves posted on ‘Profile Losers’. And he continues this until he has thousands of Facebook accounts under his belt.

Facebook accounts that have a large number of contacts (real, not made up) can sell for a decent amount if you get enough of them, as other ‘more serious’ hackers will use these to spam malicious links, potentially getting thousands (up to millions) of people into a botnet of their choosing, and planting keyloggers and stealing both financial and private information in the process.

How to prevent this from happening to you?

I am hoping that the outlining of this post did a good enough job of showing people where the victim’s had failed in their lapses of security.

  • Secret questions on email accounts. You may have set up your email account 13 years ago, and forgot you even have a ‘secret question’. So do me a favour, and go check. Then change it to something completely random that only you will remember the answer for. And for god’s sake, don’t have that information on Facebook
  • Don’t accept people on social networks you don’t know! Don’t do it people. I know it feels good that your ego is being stroked every time a new friend adds you. But there is no purpose for it. All you are doing is allowing strangers into an area where they can potentially victimize you in various ways (personal, financial, anal). It has been shown lately that certain government services are doing this type of thing regularly, to harvest information and connections of citizens. (Thanks guys)
  • Don’t click on strange links or open attachments! Even though a trusted friend has sent you an email with a link, you need not click on it. It is very hard though as humans we trust people we know. These attacks take advantage of this trust. Best solution is to contact the person via another means (phone) and verify the email. You will probably sound like a loser but that is the price you pay. With emails, the best thing is to have a Gmail account, and use Google Viewer to view attachments, this is the easiest and safest way at the moment.
  • Other general security Just browse my website and you will be sure to find other related articles complete with security tips. Feel free to comment :)

6 thoughts on “Anatomy of a Social Network Spear Phishing attack

  1. Awesome post.

    I’ve heard about this happening a lot. Never heard of the Social Engineer Toolkit. Sounds like it shouldn’t be made public!

    Cheers for the entertaining read ;)

    JK

  2. I don’t think people will ever learn not to post so much of their personal lives on the web. I also don’t think people will care about the dangers if the provider is not automatically protecting their privacy for them. We see this time and time again. Sigh…

  3. Nice post. Quite informative.
    And SET has been my favt tool from last few months(obv after Metasploit) . :)

    P.S. : I love your writing style!

  4. I have clients and associates that would find the article helpful. Is it ok to forward the article without getting into trouble? Usually the articles are sent out to the public as a newsletter or an rss feed. I am not changing it or hiding the author, simple sending and saying “this might be of interest to you.”.

Comments are closed.