These days social networks are not just a way to find your friends and stay connected. Nowadays they have become an important marketing tool for everyone who maintains blogs, websites, forums, etc. If you have been a user of social networks for a long time, I am sure you would say that social networks aren't for people anymore, they are for spammers! I have been analysing a few social networks over the last few weeks as part of a project I was working on. THE RESULTS WERE SHATTERING! In this article I am going to talk about some points that will make you look at social networks in a different way!
I was assigned to a case by one of my friends who works with the Mumbai Cyber Cell, which is basically the Internet police, but unfortunately they are not equipped or knowledgeable enough to solve some high-profile thefts and scams. There was this lady who was the wife of a big business tycoon in Mumbai. I cannot disclose specific names due to confidentiality. This lady's Facebook account was hacked. She had about 800 friends in her account; most of them were millionaires and the rest were business friends. The attacker who broke into the account sent messages to all her friends saying "Help me help the poor, send your donations via MoneyGram or Western Union". Almost 7 lakhs were stolen in the name of donations in just 5 days, and this lady didn't have a clue what was going on.
Until one day, one of her friends was talking to her on her cell phone and asked what had happened to the charity and how it was going; that's when she got to know what was going on. Recovering the money was taken care of by the local cops, but the task of understanding how it could have happened was assigned to me.
- Trojans, keyloggers, malware?
First of all I had to understand whether it was a hack into the victim's own computer or only specific to the Facebook account. I had a chance to analyse the victim's HDD, and after checking the HDD and registry strings, it seemed that there was no infection by malware, a trojan, a keylogger, etc. Nor was there any network spoofing done remotely. So it was clear that the box wasn't hacked and the hack was specific to the Facebook account.
- 0-days & exploits of Facebook?
Later on, I was given access to the Facebook account. I started my work by searching for any recent 0-days found for Facebook, because in most of these cases attackers use 0-days which are not yet patched on the websites. Surprisingly, at that time no 0-days had been released; all available exploits had already been fixed.
The victim was a novice computer user. So I asked her whether she remembered anything where she was asked to confirm her username and password before she could view the next Facebook page. But she said that she hadn't used Facebook in the last few days and couldn't think of any such thing happening. I had to assume that it wasn't a phishing attack, as it was difficult to make the victim understand what phishing is. Also, she confirmed that there wasn't any other account with the same password as Facebook.
- Something new in Facebook?
Since there wasn't any known attack on her, it was getting difficult to identify the cause. I started analysing her Facebook usage patterns. It turns out that most of the time she would be playing games and doing other stuff using Facebook applications. There were about 5 applications installed in her Facebook account.
- Inside Facebook applications:
After some research and talking to a few friends who had developed applications for Facebook in the past, it was easy to understand that most applications are designed by an individual or a team of individuals who are not really concerned with the security issues that might occur. Since there were only 4 applications listed in her profile, it was not really tough to go through them one by one. SURPRISINGLY, each of them had one vulnerability or another.
Ultimately, after going through each and every application, I found that the method used is known as a "REDIRECTION VULNERABILITY". In this vulnerability the actual website, i.e. facebook.com, redirects the user to the application. But an attacker can modify the URL so that it redirects the user wherever he wants. A tutorial about redirection vulnerability is posted HERE.
So there is this application called "Quel endroit le plus absurde serait parfais pour vos debats sexuels". Using this redirection vulnerability, the victim was sent to a COOKIE-STEALING PAGE, which sent her cookie to the attacker, after which the victim was redirected back to Facebook. So it is understandable that novice users would not even understand what exactly had happened. Using these cookies, the attacker would log in to the account and talk to the victim's friends about charity! AND MY JOB WAS DONE.
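To show what the redirection vulnerability above looks like from the application developer's side, here is an added example (not code from the original post or from any Facebook application): the weak pattern that trusts a redirect parameter as-is, beside a hardened check that only follows same-site paths or allowlisted https hosts. The allowlist hosts and the `next` parameter name are assumptions for the example.

```python
# Added example: validating a redirect destination so the application cannot
# be used to bounce a user to an attacker-chosen page (e.g. a cookie-stealing
# page) and back. Not code from the original post.
from urllib.parse import urlsplit

# Hypothetical allowlist for the example: hosts the application may send users to.
ALLOWED_HOSTS = {"apps.example.com", "www.facebook.com"}


def vulnerable_redirect_target(next_url: str) -> str:
    """The weak pattern: trust the 'next' parameter as-is, so whoever crafts
    the link decides where the user lands after the application."""
    return next_url


def is_safe_redirect(next_url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for destinations the application should follow:
    - a same-site relative path ("/page"), but not "//host" or "/\\host",
      which browsers resolve to a different origin;
    - an absolute https URL whose host is explicitly allowlisted."""
    if not next_url or any(c in next_url for c in "\r\n\x00"):
        return False  # empty, header-injection or control bytes: reject
    parts = urlsplit(next_url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading slash, no scheme-relative or
        # backslash variants that browsers treat as a new host.
        return next_url.startswith("/") and not next_url.startswith(("//", "/\\"))
    if parts.scheme.lower() != "https":
        return False  # rejects http:, javascript:, data: and scheme-relative URLs
    # .hostname drops userinfo ("https://www.facebook.com@evil.example")
    # and the port, so lookalike tricks do not match the allowlist.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def hardened_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Redirect only to a validated destination; otherwise use a safe default."""
    return next_url if is_safe_redirect(next_url) else fallback


if __name__ == "__main__":
    for candidate in ("/home", "https://www.facebook.com/profile",
                      "//evil.example/", "https://www.facebook.com@evil.example/"):
        print(candidate, "->", hardened_redirect_target(candidate))
```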
After completing this task, it made me think about how safe it is for people to use social networks. Forget about the spammers and marketing people; I am talking about all the legitimate, novice people who just use it to talk to friends. The SURPRISING thing was that 4 out of the 4 applications I tested turned out to have some vulnerability or other in them.
So after working on it, my recommendation to everyone reading this is as follows:
"Use social networks; there is nothing wrong with them. These social networks are big companies and they have a dedicated team for security, so there are not many things that a hacker could take advantage of. BUT the applications in them are made by starters, individuals and small-timers. These application developers do not really care about security; all they want is for people to use their application so they can put some advertisements on it and make some bucks out of it. They are never really concerned about the consequences. The amazing part is that even Facebook allows all the applications to be released before testing them to its own satisfaction."
I hope you all found this article interesting. If yes, then comments and questions are welcome! I worked really hard to solve this case for about 3 weeks. Ultimately, I was mentally satisfied with what I had done. This attack proves that hacking attacks change with every hacker. I have listed detailed information about this vulnerability HERE.