
The Lifecycle of Cybercrime 3: Demos of Exploit-Based Data Theft

In this part of the keynote Nicholas Percoco demonstrates the flow of a typical personal data harvesting attack based on the use of common exploits.

Now what I want to do is change gears a little bit. We talked about the major methods of attack, and so I want to share with you a little bit of an attack demo. In this demo, I’m going to show you this attack in two different ways. We talked about the web-based attacks, and this is something we’ve seen growing over the last several years, where when organizations are infiltrated they’re basically getting attacked via, say, a ‘watering hole’ attack, or a targeted attack against someone they know within the organization who has access to information.

Directory with private files

So, what I want to show you – you hear a lot about these types of attacks, but many of us haven’t really seen what they actually look like in action. I’m going to show you two different flavors of it that actually have the exact same end result and the setup is the same, but it’s using two different types of exploits. So, what we have here is a Work directory (see right-hand image); pretend this is my computer here, I have procurement documents and some other confidential files, e.g. My Passwords.txt – a really secure method of storing my passwords.

IE crash that occurred

But I also have this evil site, and this is not something you normally would see on your computer, but for illustration purposes this is an FTP site out there, someplace out on the Internet, that’s being controlled by the attacker. So, now I’m going to launch my web browser, and what’s the place that most people go when they first launch their web browser? Facebook, right? So, I go to facebook.com, and as you see here’s my profile, you can see some advertisement here like Amazon UK. Oh wait, there’s a friend of mine, Moshiko Davidi, saying that he just found a new job at Fox News. Wow, that’s great! Let me check out what he’s going to be doing there. So I go and I click on the link. Oh, it says “Internet Explorer has encountered a problem” (see image above), so what do I do? “Send Error Report” or “Don’t Send” – not going to send it.

List of exposed files

What you see here is, basically, an executable got dropped on my Desktop and the browser crashed. This should raise some red flags for somebody who is a little bit security-savvy, but for a lot of people that would not really raise any red flags at all; they would just move on and maybe re-launch the browser and try to move on with their day. But what we can see happened is that a ‘goldmine.rar’ file was created (see right-hand image) and sent up to the attacker, up to the attacker’s FTP. So, let me go and see what’s in here. I’m opening the archive, and there’s a directory structure here, and here are all my files. In fact, there are even more files here: IE passwords and Firefox passwords were exposed.

We’ve actually investigated some attacks that looked very much like this, this is how they actually started: dropped executables on people’s desktops – and off the attackers went. But that was pretty obvious, right? You saw the browser crash, you saw these files get dropped – pretty obvious. So, let’s look at this in another way.

Basically, what we’re going to see is that was an IE exploit that I just showed you; now I’m going to show you what a Java exploit looks like. You’ve heard over the last couple of weeks people say: “There’re lots of problems with Java; uninstall Java from your system.” So, let me show you what that looks like when you’re attacked via Java. So, here I am again, I’m not going to explain everything going on, you just learned about it a few seconds ago.

Java exploit works more covertly

So, here are these windows again; now I’m going to launch my browser one more time. Launching IE here, going to Facebook again, and now I’m going to go visit the same site for Moshiko, but it’s going to do something else to me. You see a Java flash for a second, nothing changed here, my browser is still intact (see left-hand image). In fact, I can go back to Facebook if I want – but same end result, ‘goldmine.rar’ was sent up to the attacker’s computer (image below).

Different exploit, same outcome

Think about this type of situation when you’re thinking about active defense and when you’re trying to basically stop these types of attacks, really detect them by doing real-time analysis of your environment. This attack took place in less than 10 seconds. So, doing real-time analysis, doing real-time defense in your environment is extremely important. We’ve seen these types of attacks happen; in fact it was the #4 attack method we had last year.
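The real-time detection the speaker calls for can be illustrated by correlating the two observable steps of the demo (a browser or Java process writing an executable to disk, then that dropped program opening an outbound FTP connection) inside a 10-second window. This is an added example, not code from the talk or from Trustwave; the event records, host name, process names and the 203.0.113.10 address are constructed sample telemetry.

```python
"""Correlate 'browser drops executable' with 'dropped program talks FTP'.
All events below are constructed sample data, not real telemetry."""
from collections import namedtuple

Event = namedtuple("Event", "ts host proc kind detail")

# Constructed endpoint telemetry for one workstation (ts in seconds).
EVENTS = [
    Event(100.0, "ws1", "iexplore.exe", "file_create", r"C:\Users\nick\Desktop\update.exe"),
    Event(100.5, "ws1", "iexplore.exe", "proc_crash", "iexplore.exe"),
    Event(102.0, "ws1", "update.exe", "file_create", r"C:\Users\nick\Desktop\goldmine.rar"),
    Event(104.0, "ws1", "update.exe", "net_connect", "203.0.113.10:21"),
    # Java variant: no crash, executable lands in Temp instead of the Desktop.
    Event(300.0, "ws1", "java.exe", "file_create", r"C:\Users\nick\AppData\Local\Temp\a.exe"),
    Event(303.0, "ws1", "a.exe", "net_connect", "203.0.113.10:21"),
    # Benign: the user saves a text file; must not fire.
    Event(500.0, "ws1", "explorer.exe", "file_create", r"C:\Users\nick\Desktop\notes.txt"),
]

# Browser processes plus the Java runtime a browser plugin launches.
BROWSER_PROCS = {"iexplore.exe", "firefox.exe", "chrome.exe", "java.exe", "javaw.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr")
FTP_PORT = "21"
WINDOW = 10.0  # seconds; the talk says the whole attack took under 10 s


def detect(events, window=WINDOW):
    """Return (drop_event, connect_event) pairs: a browser/Java process writes an
    executable and, within `window` seconds on the same host, a process whose
    image name equals that dropped file opens a connection to TCP/21."""
    hits = []
    drops = [e for e in events if e.proc.lower() in BROWSER_PROCS
             and e.kind == "file_create"
             and e.detail.lower().endswith(EXEC_SUFFIXES)]
    for d in drops:
        dropped_name = d.detail.rsplit("\\", 1)[-1].lower()
        for e in events:
            if (e.kind == "net_connect" and e.host == d.host
                    and e.proc.lower() == dropped_name
                    and e.detail.rsplit(":", 1)[-1] == FTP_PORT
                    and 0 <= e.ts - d.ts <= window):
                hits.append((d, e))
    return hits


if __name__ == "__main__":
    for drop, conn in detect(EVENTS):
        print(f"{drop.host}: {drop.proc} dropped {drop.detail} at t={drop.ts}; "
              f"{conn.proc} reached {conn.detail} {conn.ts - drop.ts:.1f}s later")
```

Both the noisy IE variant and the quieter Java variant trip the same correlation, which is the point: the rule keys on behaviour shared by both, not on the crash dialog.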