Tuesday, February 17, 2015

This is how e-mails get compromised

Well, at least one of the ways. An e-mail came in with the subject "Important Document". The body simply stated "Kindly view the document i attached to you via Drop box," followed by a "View Document" button.

Seems simple enough. If you hover over links before clicking them, you'll immediately notice that this button doesn't take you to Dropbox at all; it takes you to some tecnomax-ec domain.
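The hover check above can be automated for an incoming message: pull every link out of the HTML body and flag any whose host does not belong to the service the e-mail claims to be from. The following is an added example, not code from the original post. The brand-to-domain table, the field names and the two sample messages are constructed for illustration, and `tecnomax-ec.example` stands in for the real phishing host, whose full name the post does not give.

```python
# Added example: flag e-mail links whose host does not match the service the
# message names. Not from the original post; the brand table is an assumption.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains each named service legitimately links to.
BRAND_DOMAINS = {
    "dropbox": {"dropbox.com"},
    "google": {"google.com"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def host_belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def brands_named(body):
    # Squash whitespace so "Drop box" (as in the phish) still reads as "dropbox".
    squashed = "".join(body.lower().split())
    return [b for b in BRAND_DOMAINS if b in squashed]


def suspicious_links(html_body):
    """Return (href, link text, brand) for each http(s) link whose host is not
    owned by a service the e-mail names."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue
        host = parsed.hostname or ""
        for brand in brands_named(html_body):
            if not host_belongs_to(host, BRAND_DOMAINS[brand]):
                findings.append((href, text, brand))
    return findings


# Constructed sample bodies; the phishing host is a placeholder.
SAMPLE_PHISH = """
<p>Kindly view the document i attached to you via Drop box</p>
<a href="http://tecnomax-ec.example/view">View Document</a>
"""
SAMPLE_LEGIT = """
<p>A file was shared with you via Dropbox</p>
<a href="https://www.dropbox.com/s/constructed-id">View</a>
"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, suspicious_links(body))
```

The check is deliberately strict about subdomains (`dropbox.com.evil.example` does not match `dropbox.com`), which is the case a hover-only glance most often misses.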

Let's click on it! =D

Oh cool, now I can sign in to Dropbox with my e-mail! Apparently Dropbox decided to change their e-mail service to tecnomax-ec... You know... so as not to confuse people.

So, let's log on using Gmail.

I entered my username as thisisafake@gmail.com and a password of yeahright,hahah!! The interesting thing? It takes me to Google Docs, just as if I'd signed in! Only, as myself!

In my software proxy, I can see the POST request sending my fake username and password to tecnowherever, followed by a "site has temporarily moved" response whose link points to a publicly accessible Google Docs file. Since I was already logged into Google through Groups or Gmail or some such, that session is good for all kinds of Google sites and services, and Google Docs is one of them. So it appears as though I really did log in to view the document (assuming I'd used my actual Gmail credentials), even though what REALLY happened is that tecnotards harvested the username and password and then sent me on to Google Docs to keep any red flags from going up.
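The proxy view described above has a recognisable shape: a POST carrying a password to a host that is not the service's real login host, answered by a redirect into Google Docs, which the victim's existing Google session then renders. The following is an added example, not from the original post, that searches a captured session for that shape. The proxy log is constructed to mirror the exchange in the post, the allowlist of legitimate login hosts and the set of password field names are assumptions, `tecnomax-ec.example` is a placeholder for the real phishing host, and the document id in the redirect is a placeholder.

```python
# Added example: detect a credential POST to an unexpected host that is
# answered by a redirect to Google Docs. Not from the original post.
from urllib.parse import urlparse

# Assumed: hosts that legitimately receive Google or Dropbox sign-in forms.
LEGIT_LOGIN_HOSTS = {"accounts.google.com", "www.dropbox.com"}
# Assumed: form field names that carry a password.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}

# Constructed proxy transcript modelled on the post; host and doc id are
# placeholders, the fake credentials are the ones the post typed in.
PROXY_LOG = [
    {"method": "GET", "url": "http://tecnomax-ec.example/dropbox/",
     "form": {}, "status": 200, "location": None},
    {"method": "POST", "url": "http://tecnomax-ec.example/dropbox/login.php",
     "form": {"email": "thisisafake@gmail.com", "password": "yeahright,hahah!!"},
     "status": 302,
     "location": "https://docs.google.com/document/d/PLACEHOLDER_ID/view"},
    {"method": "GET",
     "url": "https://docs.google.com/document/d/PLACEHOLDER_ID/view",
     "form": {}, "status": 200, "location": None},
]


def host_of(url):
    return (urlparse(url or "").hostname or "").lower()


def is_harvest_redirect(entry):
    """True when a request posts a password to a host outside the allowlist
    and the server answers with a 3xx whose Location is on docs.google.com."""
    if entry["method"] != "POST":
        return False
    if not (set(entry["form"]) & CREDENTIAL_FIELDS):
        return False
    if host_of(entry["url"]) in LEGIT_LOGIN_HOSTS:
        return False
    if not 300 <= entry["status"] < 400:
        return False
    return host_of(entry["location"]) == "docs.google.com"


def find_harvests(log):
    """Return (posted-to URL, redirect target) for every matching entry."""
    return [(e["url"], e["location"]) for e in log if is_harvest_redirect(e)]


if __name__ == "__main__":
    for posted_to, bounced_to in find_harvests(PROXY_LOG):
        print("credentials posted to", posted_to, "then bounced to", bounced_to)
```

The same three conditions (password field, unexpected host, redirect into a trusted document host) are what to look for when reviewing a user's browser history or proxy logs after they report "I logged in but the document looked odd": the credential POST is the event, and the Google Docs hit right after it is the cover.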

This is sneaky because many sites legitimately authenticate you against your Google or Facebook account. Be wary when doing this, however, and be sure that the URL is one you'd expect for what you're signing into (not tecnomax-ec for Dropbox...)

The really scary part? The first time, it gave me some kind of high traffic warning and didn't show me the document. I'd like to think that they're all security guys like me who put in fake credentials just for the sake of poking, prodding, and trying to find malicious behavior, but something tells me that there are a lot of people out there who are in sudden and dire need of a password change...

