Introduction
A while ago I had some fun with the attacker of a hacked e-mail account.
I will call the victim Mary so I can guarantee her anonymity. I have known Mary for a couple of years now and, as most people do, we exchanged email addresses at some point.
The initial message
Mary's Yahoo account was hacked and I was contacted by the attacker with the following message (in French):
Can you reply to this address I have something important to tell you but I want you to be discreet.
Social Engineering the Attacker
This didn't match our usual style of communication, but since it came from her account I replied with the simple phrases "No problem" and "Or you can call me, I am at the office.".
About 10 minutes later I had a reply. Interestingly, it came from a mail.ru mailbox, but the sender name was an exact copy of Mary's. The content of the email was:
Thanks for having replied to my email. I am currently in Portugal for important business. I am here for a couple of days and did not have the time to tell you about it. I got into a taxi and forgot my handbag, which contained my phone, credit card, money and other stuff, in that taxi. The only thing I still have is a TransCard that I would like to put some money on. I would like you to buy some vouchers for me so that I can at least deal with the hotel costs and transport. If I can count on your help, I will instruct you on what you need to do.
Now this was funny, because Mary would first of all contact her family, and as far as I am aware she doesn't do business trips abroad. But I wanted to know more about my new friend. From this point on, let's call this person Bob, just for clarity.
I contacted the real Mary and explained what was going on with her account; she had already been contacted a couple of times that morning by her circle of family and friends.
I replied to Bob:
I fully understand you are going through some hard times, but don't worry, we've got your back. I am sorry, but for the next couple of hours I will be in a meeting and will not be able to reply to you.
In my next email I asked Bob for detailed instructions, since as a good friend I would provide 500 EUR. This made Bob eager to reply. He explained that he wanted me to buy e-vouchers and send him the codes so he could do the rest.
Figuring out where Bob is
To figure out where Bob was, I set up a web page with a copy of an Apache error 503 page. There was nothing wrong with the server of course; it responded with HTTP 200, but the page looked like an Apache 503.
To "obfuscate" the URL a bit I made a bitly URL and crafted my email for Bob:
As promised I bought a 500 EUR voucher at the store. I've uploaded it to a web server since I have sports tonight. Here is the URL. If you need more money let me know.
The link text showed in the mail as a regular URL ending in scan.jpg, while the href of the a-tag was set to the bitly address.
Bob clicked a couple of hours later and was located in Nigeria. He got back to me to tell me that something was wrong with my scan. This clearly illustrates that he only knows how to phish but lacked the technical knowledge to analyze my bait mail.
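The text-versus-href trick used in the bait mail is exactly what phishers rely on against their own targets, and it is easy to check mechanically. The Python below is an added example, not code from the original post: it parses an HTML mail body and flags anchors whose visible text is a URL on a different host than the href, and anchors whose href goes through a URL shortener (the shortener list, host names and sample mail are constructed assumptions).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Shortener hosts worth flagging; an assumed list, not taken from the post.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "t.co", "tinyurl.com", "goo.gl"}

class _AnchorCollector(HTMLParser):  # collects (href, visible text) per <a> element
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Lower-cased hostname of a URL; a scheme is added if the text lacks one."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _looks_like_url(text):
    t = text.lower()
    return " " not in t and (t.startswith(("http://", "https://", "www.")) or "/" in t)

def find_deceptive_links(html):
    """Flag anchors whose text is a URL on another host than the href, or whose href is a shortener."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        if not href:
            continue
        if _looks_like_url(text) and _host(text) != _host(href):
            findings.append(("text/href mismatch", text, href))
        if _host(href) in SHORTENER_HOSTS:
            findings.append(("url shortener", text, href))
    return findings

# Constructed sample in the shape of the bait mail above (hosts and short link are made up).
SAMPLE_MAIL = ('<p>As promised I bought the voucher, here is the scan: <a href="https://bit.ly/3xAmPLe">'
               'https://files.example.org/voucher/scan.jpg</a></p><p>More info: '
               '<a href="https://example.org/help">https://example.org/help</a></p>')
```

Running find_deceptive_links(SAMPLE_MAIL) reports the first anchor twice (mismatch and shortener) and leaves the second, consistent link alone.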
The clean up
It turned out the criminal had taken over her account and set up mail forwarding to the mary @ mail.ru address. Besides cleaning that up, Mary enabled two-factor authentication so that it will be harder to hack her account again.
The reason why Mary's account got hacked was an easy-to-crack password. When she told me the original password it was clear that it was a word that appears in dictionary lists, and the number at the end was a classic too. Now she has picked a more complicated password. A good thing was that the original password only gave access to her mailbox.