Martin Bos and Eric Milam now single out some attributes of a successful attack, such as the authenticity of the secure login page, the excessive-requests script, etc.

Martin Bos: So, then what we do is we log in to our free GoDaddy email account, firstname.lastname@example.org. And what we do is we just save it in templates, so we’re good to go, and then we can blast it out to whoever we want. Here’s our email (see image). Like Eric was showing, you can see at the bottom we got the actual Humana footer down there, so it’s legit, right? We call it “Information Security Audit Report Findings,” the whole nine yards, the priority, of course, is high. And we send that off.
Eric Milam: Normally, it’s limited to 100 people in the Bcc, so you can see, if we have 1800 people, we’re going to send it out 18 times; that’s another reason why we create the template. It’ll pop up every once in a while and ask you to do the captcha to make sure you’re not a bot sending out these emails. But you can send out 10 within 10 minutes.
Martin Bos: Alright, as I said, I’m using my corporate VM, so I’m picking on my own company, nobody else’s. Dave’s Java applet, I’ll show you, does this really cool thing, but it sucks for demos. So, let’s make sure our listener’s up, and once again, this isn’t revolutionary, everybody’s seen Dave do this Java applet in the SET. I just installed the newest version of Java this morning.

Eric Milam: The note says it is safe. Right there they see in bold: it’s safe, I’m at the Humana site, it’s secure, I see the lock, I see the security notice (see left-hand image). And one thing you can’t see is this: “Always trust content from this publisher”.
Martin Bos: Yeah, it doesn’t show right up in IE9, this is IE9, by the way; so it doesn’t show up, but Dave has it, so it autochecks this “Always trust content from publisher” box, so I’ve got to go there and delete this certificate all the time, because I forget. Once again, this is not new, this is not revolutionary, it’s been said forever, but what we want to show here is that Dave was able to go out and register a company and, basically, get a code signing certificate for this applet, all for under $1000, really cheap, and anybody can do this.
And you can basically call the company whenever you want, it’s safe, and this is the kind of thing that we like to do at Accuvant: we like to code sign our binaries, we like to do this type of thing, and the reason is that it is so cheap to do, and as soon as people see that it’s verified by a publisher, they’re good to go. And so, once again, this is pretty normal, but we always try to uncheck this. I don’t know why it doesn’t show up in IE9, it’s kind of annoying.
Eric Milam: You can change that name to whatever you want: if you’re targeting Humana, you can make it Humana Inc. or whatever. Basically, what we did is we set up reverse DNS so that it says Humana.com. So, you notice here we’ve got our standard shell, nothing new here.
Martin Bos: We actually customized our website a little bit, because in the beginning it didn’t do quite what we wanted, but now Dave’s does, so we’ll probably be switching this up a little bit. But the other two things that it does here is, obviously, this logs to a file just like the credential harvester, and then, once again, if you have trouble logging in, you can go down here and you can run the helpdesk.exe.
Eric Milam: Also, when you can’t log in, all it does is go to an Excessive Requests page (see image below), and that’s why we get a lot of emails back from the users that basically just say: “Hey, there’s excessive requests, the server’s down, I will try again later.” And that’s another reason why they have trouble logging in: I’m using web credentials I’m not supposed to use, that type of stuff. So, that’s normally something they go after as well.

Martin Bos: Yes, we like this better than the 404 page. Excessive Requests, it still looks the same, it’s not an error message, really, it’s like a custom page. And it makes sense, because everybody in the entire company just got this email and they’re all trying to download the PDF at the same time, so this looks legit, right?
Real quick, if anybody’s interested in that Jigsaw script, it is in Backtrack, but it’s also up here at https://github.com/pentestgeek/jigsaw, if you want to download that and utilize it. If you’re interested in the real Jigsaw website, it’s right here. You can actually just sign up for free and browse the site. The script takes advantage of a flaw in their API, but you can just create an account, log in and get that information that way.