In my first blog, I discussed the cyber kill chain and how hackers move through predictable steps to launch an attack against a target. In that blog, I used the example of an author who was targeted because of their controversial writings and the author’s system was compromised with ransomware. In this second post, I am going to discuss the most common cyberattacks and how computer users can become savvy to detect potential malicious activity. While there are many kinds of attacks, I’m going to highlight some of the most common attacks that I see. Additionally, while the technical execution of many of these attacks are different, the methods for detection and prevention are similar if not identical.
The most common way that computers and networks are compromised are through phishing attacks. In my scenario in the first post, the author was tricked into clicking a link within an email that caused the author’s system to reach out to a server and download malicious code. Phishing is a very easy attack to create and is more of a social engineering attack than anything technical.
Sometimes these messages are clearly phishing attacks; the message contains grammatical and spelling errors, it is sent by an organization you never do business with, or it is sent by a prince in Nigeria or the U.K. lottery asking you to claim your winnings. Clever hackers though take time in crafting their message and even if it is blasted to millions of email accounts, all they need is to steal the credit card information of just a few people to make a huge return on their investment.
Below is an actual phishing email that came to me. As you can see, the message looks legitimate and there are no obvious signs of it being malicious. Remember, the rule is to never click any links until and unless you are positive the message is legitimate.
When I hovered over the links within the email, none of them went to the Amazon.com domain. Instead the links all pointed to hxxp[://]greatdeals.gungh.top/system/9d011840a8b905ba79667fa20d0a0936. This URL has since been taken down as malicious, but had I actually clicked the link when the URL was still active, my system very well may have become infected.
In some cases of phishing, instead of getting a link to click, the attacker will send a specially crafted attachment. PDFs and Office documents (e.g., Word, PowerPoint, Excel, etc.) can be embedded with malicious code and once a user opens the document the code may be able to execute. This is why in the latest version of Microsoft Office, documents are opened in safe mode and in order to edit or print, users must click a button. This safe mode prevents the document from running any macros or other code that may compromise the computer.
If you are ever unsure of a URL or a file, there are several free online resources to help. For instance, URLQuery.net allows you to enter a URL and scan it for malware, complaints, or other warnings. It also tells you the country it is hosted in and gives a screenshot of the website you looked up. Another site, VirusTotal.com, is owned by Google and allows both URLs and files to be scanned for malware. If you receive a file from someone and you want it scanned before you double click it, upload it to VirusTotal to see if it’s malicious first.
Drive-By or Watering Hole Attacks
As organizations and individuals have become more adept at identifying phishing emails, attackers have had to change their modus operandi. One such example of this evolution is changing phishing emails so instead of sending an attachment within an email that is compromised or a link that begins the download of a piece of malware, the email (or Facebook post, or Tweet, etc.) sends the user to a website. The website is most likely legitimate and the user’s system would not detect anything suspicious at this point because nothing is attempting to download.
These attacks are called “drive by” attacks because they can indiscriminately target anyone who browses the site, or watering hole attacks because the malicious activity is just sitting in the site, waiting for people to stop by. There have been some very popular websites compromised and embedded with malware such as CNN and Forbes so this kind of attack can be extremely widespread.
How do you spot this attack? Well, this one is tricky and there is a possibility that nothing on your system will notify you that an attack is taking place. Some more advanced anti-malware software may catch it, or if you notice strange things happening on your computer (website crashes, computer begins running slow with high CPU or memory utilization), or being prompted to download and run something may all be indications of a problem.
Wireless Attacks / Man in the Middle (MiTM) Attacks
While it has long been known that Wi-Fi, Bluetooth, and other wireless technologies are vulnerable to attacks, it is still a common and successful attack because people continue to connect to open access points out of convenience or to save their data consumption. Many people do not configure their home wireless access points correctly either, leaving them vulnerable to attacks by people in the area. When I was in law enforcement, I remember a case where an Internet Protocol (IP) address was identified as downloading hundreds of images of child sexual abuse. My team wrote a search warrant and executed it, only to find that the home we went to had nothing to do with the crime. Our investigation later revealed that a neighbor about three homes down was a registered sex offender and had been using this neighbor’s Wi-Fi to commit their crimes. It was a huge inconvenience (not to mention a traumatic event) to not secure their Wi-Fi network and it all could have been easily prevented by taking some basic security steps.
Beyond securing your personal network, you must be extremely careful with the networks you allow your devices to connect. If you are connected to an unsecure wireless network (e.g. Starbucks) anything that your device transmits or receives that isn’t otherwise encrypted is fair game for someone also connected to that same wireless network. Wireless networks acts as a hub, meaning that anyone else connected to that network can see all the traffic, not just the traffic between their own device and the wireless router. Because of this, I can setup my device on the Starbucks network to promiscuously listen to all traffic and capture it, allowing me to compile it and view anything you typed, downloaded, uploaded, etc. as long as you were doing it unencrypted (http instead of https for example). If you navigate to a website that is not using encryption like http[://}yoursite.com and enter a username and password, I can sniff that out of the air and later use it. It is true that more and more sites, especially sites that involve finance or healthcare use encryption because it’s mandated, there are still many sites that do not. The other danger is that most people reuse passwords, so even if your bank uses encryption (i.e., https[://]yourbank.com) but your favorite news site does not and you use the same password between the two, once I get the unencrypted username and password and see in your traffic you navigated to US Bank’s website, I can try your username and password on that site to see if it works. This is another huge reason to always use multifactor authentication on everything (more on this in the next post).
Another wireless attack is called the Man-in-the-Middle or MiTM attack. This kind of attack, which can also be carried out with cellular devices using devices like the Stingray can be very dangerous. In this kind of attack, the criminal creates a rogue access point (AP) and advertises it for users to connect to. On one side of the rogue AP are the victim devices and the other side is a path to the Internet. This allows the attacker to capture, decrypt, and record all of the traffic between the victim device and the Internet. It also allows the attacker to inject malicious traffic or redirect websites using the Domain Name Service (DNS).
To illustrate an MiTM attack, imagine you are seated at the airport and see a variety of wireless APs available to connect to. One has the name of “Free WiFi” and the other says “Free High Speed WiFi.” The “Free WiFi” is the legitimate Internet connection offered by the airport, but the “Free High Speed WiFi” is a malicious AP. An attacker sitting in your general proximity has created an AP using free software on his laptop. As your device scans for open APs it locates the High Speed AP and since anyone would want high speed over standard speed, you click to connect to the high speed AP. Once you click to connect, your device associates itself with the attacker’s laptop.
Now that you are connected to the attacker’s laptop, he essentially owns your device and the communications between your device and the Internet. Since the attacker is routing your traffic through to the Internet, as a user nothing seems out of the ordinary. In fact, the attacker is probably leveraging the airport’s free Wi-Fi to get your device out to the Internet. However, the attacker is now capturing all of the traffic coming into and out of your device and as we have already learned, anything typed in the clear (unencrypted) is recorded by the attacker in plaintext.
The attacker could make things even more interesting by using his laptop as a proxy between your device and the Internet and decrypting your encrypted traffic between your device and wherever you are browsing. Essentially what happens is your device connects to the attacker’s laptop where he breaks your connection to your bank or Facebook account, or whatever it is you are navigating to and decrypts your traffic, then re-encrypts it between his laptop and the destination (we’ll use your bank in this situation). Now the attacker can record even encrypted traffic such as usernames and passwords in plaintext. This attack however, will prompt the user’s device with an error message that the encryption certificate that you are using to visit your bank does not match the domain name of the bank and will require the user’s interaction to continue. If you’re interested in the technical details of encryption, certificates, etc. send me a note and I’ll be glad to discuss it. Suffice it to say that if you get an error message about mismatched certificates (as shown below) on any device there is a high likelihood that the certificate has been compromised or you are the victim of a MiTM attack. No matter the reason, if you get this error, stop browsing, try connecting later from a different access point or from your cellular data to see if you get the same error, or contact the institution you are trying to access.
As mentioned above, the attacker can also inject malicious traffic into your session or redirect your computer. For example, if you type google[.]com into your browser, the attacker can create DNS entries that say if a user types google[.]com, actually send them to duckduckgo[.]com. In an even more sinister scenario, the attacker could create a rule that if you type wellsfargo[.]com, send the computer to wellsfargoamerica[.]com which might be a fake website that looks exactly like the real Wells Fargo (see Pharming attacks below).
How do you spot this attack? First, don’t connect to free Wi-Fi hotspots. If you absolutely must, then make sure you are using a Virtual Private Network (VPN) connection (either through your employer or use some of the VPN services available) which creates an encrypted tunnel between you and the VPN service before you navigate the Internet. Spotting a simple MiTM rogue AP may be nearly impossible. Spotting a rogue AP acting as a proxy will give you the browser certificate error messages shown above.
Pharming and Illegitimate Websites
Pharming, like it’s sister Phishing, is an attack that socially engineers a user. Instead of sending a message out, pharming is more like the watering hole attack where it waits for victims to stop by. Pharming is usually done by an attacker when they create a fake website but make it look legitimate and trick users to visit the site and enter their sensitive information (like credentials). Take this scenario: an attacker knows that because of a recent disaster, many users will be donating money with the American Red Cross on the legitimate website redcross[.]org. So, the attacker uses a free tool to “scrape” the actual Red Cross website, purchases the domain name of redcross[.]info, and then uploads the copy of the real Red Cross website to a server being hosted with Amazon Web Services (AWS). The attacker then begins a massive spam campaign for people to donate and provides the link of redcross[.]info and as people go to that site, it looks completely legit just like the real site. Users begin to donate millions of dollars to the PayPal account, which all goes to the attacker’s bank account.
This kind of attack can also be used by taking advantage of common misspellings or known letter combinations that people may not notice in the URL bar of their browser.
How do you spot this type of attack? This one may be difficult or impossible. Since nothing malicious is actually running on your computer (unless the attacker is combining Pharming with another attack) and you are just entering information into a website, there may be no signs or alerts at all. The best way to prevent this type of attack is by being very careful what you type into the URL address bar of your device, using known good bookmarks instead of relying on searches each time, and if you are given a link to click, make sure it matches the known website. Sometimes if I get a link from someone to follow, instead of clicking the link I will Google the organization and go to it that way, or at least confirm that what was in the link matches what is in Google.
In all of these attacks the bottom line is to pay attention, don’t click links that you don’t absolutely trust, actually read error messages that pop up on your screen before just clicking “OK”, don’t connect to public Wi-Fi APs, and make sure the certificate of an encrypted website you are visiting matches the domain name. In the last post of this series I will discuss the preventative strategies you can take to help harden your systems from attack and some proactive steps you can take to reduce the likelihood of being compromised.