I thought this article by High-Tech Bridge SA titled Drive-by-login attack: the end of the safe web was fascinating and scary at the same time.
You're a bad guy. You need information from a specific user. Instead of social engineering the user with a phish, here's another angle.
1.) Identify the websites the user frequents
2.) Recon those websites for known vulnerabilities
3.) Exploit one of the vulnerabilities to gain control of that website
4.) Inject malicious code that only executes when that particular user accesses the website
5.) After the user visits, remove your malicious code
An example of malicious code could be a simple popup window that prompts the user for the data you want, and posts the response back to your malicious website.
Another example might be to insert code that downloads a customized piece of malware onto that user's computer.
In this particular article linked above, the malicious PHP code basically says "if(IP == my victim && EMAIL == my victim) { do something }"
And then the code says later, if the attacker requests the same page but appends "?del" to the url, then everything is cleaned up and restored back to normal.
I have personally seen this type of attack before, but it was targeting a group of people, not a single individual. But this seems like the logical next step for attackers in sophisticated attacks. Hit the 1 guy you want, clean up, and move on.
If you think about it, unless you're doing file integrity monitoring, something like this could go completely unnoticed on your web server. The malicious code only ever executes for a single user, and the malicious code gets removed almost as soon as that victim leaves the site.
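To show what that file integrity monitoring would actually catch, here is an added example (my own, not code from the article or the post): it hashes every file under a web root, diffs later snapshots against a trusted baseline, and walks through a constructed inject-then-restore scenario in a temporary directory; the file names and page contents are made up for the demo.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests

def diff_snapshots(baseline, current):
    """Report files added, modified or removed relative to the baseline."""
    changed = [p for p in baseline if p in current and baseline[p] != current[p]]
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(changed),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: a page is altered, then restored. Returns three
    reports; only runs that straddle a change show anything, so alerts must
    be retained, not just the latest comparison against the baseline."""
    original = "<?php echo 'hello'; ?>\n"  # constructed, benign page content
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, "index.php")
        helper = os.path.join(root, "helper.php")
        with open(index, "w") as fh:
            fh.write(original)
        baseline = snapshot(root)          # trusted baseline, taken when clean
        # Simulated tampering: index.php changed and an extra file dropped.
        with open(index, "a") as fh:
            fh.write("<?php /* placeholder for injected content */ ?>\n")
        with open(helper, "w") as fh:
            fh.write("<?php /* placeholder */ ?>\n")
        during = snapshot(root)
        # Simulated clean-up: original page restored, extra file deleted.
        with open(index, "w") as fh:
            fh.write(original)
        os.remove(helper)
        after = snapshot(root)
    return [diff_snapshots(baseline, during),   # catches the change
            diff_snapshots(during, after),      # catches the revert
            diff_snapshots(baseline, after)]    # looks clean again
```

The third report is empty, which is exactly the point: a monitor that only compares the current state to the baseline on a slow schedule can miss the whole episode, so run it often and keep every report it produces.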
Stay vigilant and harden those systems!
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.