Client Hijacking Attacks – CompTIA Security+ SY0-501 – 1.2

Instead of breaking into the server, why not just take over the client? In this video, you’ll learn a number of techniques that attackers can use to hijack your computer or mobile device.



There are a number of malicious reasons why a bad guy would want to take legitimate traffic that would normally be going to your site and hijack it for their own use. This is URL hijacking, and the attackers are taking advantage of a number of situations so that they can make additional money for themselves.

One way to make money from URL hijacking is to register a misspelled version of a domain name and then sell it to the owner of the correctly spelled domain. If it’s a commonly misspelled name, the legitimate owner may well pay to get it away from the bad guys and pointed back at the legitimate website. Some hijackers will redirect people who type the misspelling not to the legitimate website, or even to their own website, but to your competitor’s website. There are obviously a number of legal issues if the competitor is doing this themselves, but it’s another way that traffic that should be going to your site ends up somewhere completely different.

Sometimes the bad guys will use the misspelled domain as a phishing site. They’ll take advantage of the typo, send people to a page that looks exactly like your website, but in reality is owned and controlled by the attackers. It’s also a good opportunity to put malware on the end user’s workstation. People who thought they were going to your site instead get infected with the attacker’s malware.

There are many different ways to redirect users away from your site and over to the attacker’s URL. One is to use a misspelling of your domain name. This is typosquatting: the attacker registers and owns that misspelling so that everyone who types it lands on the attacker’s site. Or they might register the brand name of one of your products that you never registered as a domain.

It’s not the name of your domain, it’s not even the name of your company, but it’s the brand name that’s in people’s minds, and people tend to type in the brand dot com. They may end up at the attacker’s site. Or maybe it’s just a simple misspelling. Instead of professormesser.com, it’s professermesser.com, with an e instead of an o. That one single change may be enough to send some additional traffic over to the attacker’s site.

Another variant of the misspelling is a plain typing error. The user knows how to spell it, but they left out an S in Professor Messer, and now they end up at the hijacker’s site. Or maybe it’s a different phrase completely. It’s Professor Messer all spelled properly, but with an s on the end– I thought it was Professor Messers– and that sends people off to the hijacked site. Of course, it could even be a different top-level domain. Instead of professormesser.com, the hijackers register professormesser.org and catch everybody who types that in.
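The variants described above (a substituted letter, a dropped letter, a trailing s, a different TLD) are instances of a small set of edit operations, so defenders usually enumerate them mechanically to decide which domains to register or to watch in new-registration and certificate-transparency feeds. The following is an added example, not code from the original page or from Professor Messer; it generalizes the text by also producing adjacent-character transpositions and doubled keystrokes, and the alternate TLD list is an assumption for illustration.

```python
"""Typosquat candidate generator (added example, not from the original page).

Enumerates the variants the text describes -- single-character substitutions
(professermesser), omissions (profesormesser), a pluralising 's'
(professormessers), other TLDs (professormesser.org) -- plus adjacent-key
transpositions and doubled keystrokes, which are just as common in practice.
"""
import string

# Assumed TLD list for this example; extend to whatever your brand uses.
ALT_TLDS = ("org", "net", "co", "info")


def typosquat_candidates(domain: str) -> set[str]:
    """Return plausible typosquat domains for `domain` (e.g. 'professormesser.com')."""
    label, _, tld = domain.rpartition(".")
    if not label:
        raise ValueError("expected a domain like name.tld")
    variants: set[str] = set()

    # Omission: one character dropped ("profesormesser").
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])

    # Substitution: one character swapped for another letter ("professermesser").
    for i, ch in enumerate(label):
        for c in string.ascii_lowercase:
            if c != ch:
                variants.add(label[:i] + c + label[i + 1:])

    # Transposition: two adjacent characters swapped ("porfessormesser").
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])

    # Duplication: a doubled keystroke ("proffessormesser").
    for i, ch in enumerate(label):
        variants.add(label[:i] + ch + label[i:])

    # Wrong-phrase variant from the text: a trailing 's'.
    variants.add(label + "s")

    # Same label under other TLDs ("professormesser.org").
    candidates = {f"{v}.{tld}" for v in variants if v}
    candidates |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}
    candidates.discard(domain)
    return candidates


def is_typosquat(candidate: str, domain: str) -> bool:
    """True when `candidate` is one edit (or a TLD swap) away from `domain`."""
    return candidate in typosquat_candidates(domain)


if __name__ == "__main__":
    cands = typosquat_candidates("professormesser.com")
    for example in ("professermesser.com", "profesormesser.com",
                    "professormessers.com", "professormesser.org"):
        print(f"{example:25} {'generated' if example in cands else 'not generated'}")
    print(f"{len(cands)} candidates total")
```

Every example the text gives is produced by the generator; the full list for a fifteen-character label runs to a few hundred names, which is why registrars sell bulk "defensive registration" packages and why most organizations monitor rather than buy the whole set.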

Another method the bad guys use to trick end users is clickjacking. That’s when you think you’re clicking a button on the screen, but in reality you’re clicking on something completely different. There might be a normal webpage underneath and an invisible layer on top, so when you think you’re pressing one button, you’re actually pressing another.

Here is how this might work. Let’s say we create a webpage that has this on it: Bank of the States. Do you want to transfer $1,000 to Professor Messer? And you have two options, one to cancel the transfer and the other to complete the transfer. What we want to do is trick people into clicking the Complete Transfer button.

So we’re going to make that layer invisible. I left it a little bit visible on the screen so we can really see what’s going on here. The end user, though, would not see anything; this would be completely invisible to them. Instead, they see a picture of a puppy with a message on the front that says, Click here for more puppies. That button just happens to sit directly underneath the invisible button that transfers $1,000 to Professor Messer. And just because somebody likes puppies, they’re now out $1,000 that has been sent to professormesser.com.

This technique has been commonly used on mobile devices, since we’re always tapping and the screen itself can be drawn over by other apps. In May 2017, researchers at the Georgia Institute of Technology (working with UC Santa Barbara) published a set of attacks called Cloak & Dagger, affecting Android up to version 7.1.2, in which a malicious app could invisibly draw over the screen and then monitor keystrokes and record what the user typed. By putting this invisible layer over the front of your mobile device, the bad guys were effectively able to record that information and use it later on.
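The bank example above boils down to two pieces: the attacker’s page, which loads the target in a transparent layer over a harmless-looking button, and the defence, which is the target refusing to be framed by other sites. The block below is an added example, not code from the original page or from Professor Messer. The bank URL, the button coordinates and the response headers are constructed for illustration; the header check implements the standard browser rules for X-Frame-Options and the CSP frame-ancestors directive.

```python
"""Clickjacking: the decoy page from the bank example, and the header check a
defender runs against the target. Added example; not from the original page.
The bank URL and button geometry are made up for illustration."""
import re

# Hypothetical target and the coordinates where its "Complete Transfer"
# button renders; in a real attack these are found by loading the page once.
BANK_URL = "https://bank-of-the-states.example/transfer?to=professormesser&amount=1000"
BUTTON_X, BUTTON_Y = 420, 310


def decoy_page(target_url: str, x: int, y: int) -> str:
    """Build the attacker's page: a visible puppy button with the target site
    loaded in a fully transparent iframe positioned so the target's real button
    sits exactly over the decoy. The top (invisible) layer receives the click."""
    return f"""<!doctype html>
<html><body>
<img src="puppy.jpg" alt="a puppy">
<button style="position:absolute; left:{x}px; top:{y}px;">Click here for more puppies</button>
<iframe src="{target_url}"
        style="position:absolute; left:0; top:0; width:1200px; height:800px;
               opacity:0; z-index:10; border:0;"></iframe>
</body></html>"""


def is_frameable(headers: dict[str, str]) -> bool:
    """Decide whether an arbitrary third-party page can frame this response.
    Not frameable when X-Frame-Options is DENY or SAMEORIGIN, or when a CSP
    frame-ancestors directive names specific sources ('none', 'self' or a
    host list); only a wildcard or bare scheme source lets anyone frame it.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False

    csp = h.get("content-security-policy", "")
    m = re.search(r"frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
    if m:
        sources = [s.strip("'").lower() for s in m.group(1).split()]
        return any(s == "*" or s.endswith(":") for s in sources)
    return True


if __name__ == "__main__":
    print(decoy_page(BANK_URL, BUTTON_X, BUTTON_Y))
    # Constructed response headers for the bank page, before and after hardening.
    unprotected = {"Content-Type": "text/html"}
    hardened = {"Content-Type": "text/html",
                "X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    print("unprotected frameable:", is_frameable(unprotected))   # True
    print("hardened frameable:  ", is_frameable(hardened))       # False
```

The transfer page in the story is only vulnerable because it can be loaded inside someone else’s frame; once the bank sends either header, the browser refuses to render it in the attacker’s iframe and the puppy button does nothing.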

Another form of account hijacking can be done through the use of cookies. Cookies are small pieces of information that websites store on your computer through your browser. When you visit a site, a cookie is created and saved by the browser in the background. It’s not something you see, but it lets the websites you visit keep track of where you are and what you’re doing, or keep you logged in without having to re-authenticate every time you return. Cookies generally aren’t a security risk by themselves, but if somebody gains access to the session information they hold, they can use it for no good.

Cookies also tend to hold a lot of personal information. For example, you can tell what sites someone visits based on the cookies on their computer. And if you’re interested in hijacking someone’s account, you can do this by obtaining the session ID that’s often saved in these cookies. This is session hijacking, or sidejacking: a technique where someone gains access to a service without ever authenticating to it.

Normally, this works as follows. The user authenticates with a username and password, and the web server responds with a session ID. Every time the victim accesses the web server after that, they send the request along with the session ID, and the web server assumes they’ve already properly authenticated. The bad guys simply wait for that session ID to be sent and capture a copy of it. As long as they have that session ID, they can send their own requests to the web server with it, and the server responds as if they had authenticated. The attacker now has the same access to the account as the original victim.

Attackers gather this session information with a packet capture tool such as Wireshark, or with Kismet to capture it over the air on wireless networks. They may also use an exploit such as cross-site scripting to have the victim’s browser send the session ID to them automatically. Once they have the session ID, they modify the headers in the requests they make to the server, using software such as Tamper Data or Scapy, or they simply edit the cookies on their own machine with one of the many browser extensions built for that purpose.

One of the best ways to prevent session hijacking is to encrypt the entire session with HTTPS. Somebody could still capture the packets going back and forth between you and the server, but everything in them is encrypted, and nobody can see what the session ID really is. Encrypting everything does put an additional load on the server, but there are browser extensions that will force your browser to use HTTPS whenever you communicate with certain sites, and there are a number of websites, including professormesser.com, that have opted to serve every page over HTTPS. That way, there is no opportunity for someone to see anything in the clear, because every session to the server is encrypted. A site owner should also mark the session cookie Secure, so the browser never sends it over a plain http:// request, and enable HSTS, so the browser won’t make those requests in the first place. A single unencrypted request is enough to leak the session ID, even if the rest of the site is HTTPS.
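The capture-and-replay described in the last few paragraphs, and the cookie attributes that would have limited it, in working form. This is an added example, not code from the original page or from Professor Messer. The captured request, the host names, the session ID and the toy server are all constructed for illustration; the point is that the server cannot tell the attacker’s replayed cookie from the victim’s, and that the Set-Cookie header that issued it lacked the attributes that keep it off the wire and out of reach of scripts.

```python
"""Sidejacking: pull the session cookie out of captured plaintext HTTP, replay
it against a toy server, and audit the Set-Cookie header that made it stealable.
Added example with constructed traffic; not from the original page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed capture of a victim's plaintext (http://) request on open Wi-Fi.
CAPTURED_REQUEST = (
    "GET /inbox HTTP/1.1\r\n"
    "Host: mail.example\r\n"
    "Cookie: theme=dark; SESSIONID=3f9a1c7e4b2d; lang=en\r\n"
    "\r\n"
)

# Cookie names that commonly carry a session identifier (assumed list).
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid"}


def extract_session_cookies(raw_request: str) -> Dict[str, str]:
    """Return {name: value} for cookies in the request that look like session IDs.
    This only works because the request went out in the clear; under HTTPS the
    Cookie header is inside TLS and invisible to a passive observer."""
    m = re.search(r"^Cookie:\s*(.+?)\r?$", raw_request, re.MULTILINE | re.IGNORECASE)
    if not m:
        return {}
    found = {}
    for pair in m.group(1).split(";"):
        name, _, value = pair.strip().partition("=")
        if name.lower() in SESSION_COOKIE_NAMES:
            found[name] = value
    return found


@dataclass
class ToyServer:
    """Minimal session store: whoever presents a valid SESSIONID *is* that user."""
    sessions: Dict[str, str] = field(default_factory=dict)

    def login(self, user: str, session_id: str) -> None:
        self.sessions[session_id] = user

    def whoami(self, cookie_header: str) -> Optional[str]:
        m = re.search(r"SESSIONID=([^;\s]+)", cookie_header)
        return self.sessions.get(m.group(1)) if m else None


def audit_set_cookie(header_value: str) -> List[str]:
    """List the attributes missing from a Set-Cookie value that would have
    limited the theft: Secure (never sent over http://), HttpOnly (not readable
    by injected script), SameSite (not attached to cross-site requests)."""
    attrs = {a.strip().split("=")[0].lower() for a in header_value.split(";")[1:]}
    return [want for want in ("Secure", "HttpOnly", "SameSite") if want.lower() not in attrs]


def replay_demo() -> Tuple[Optional[str], List[str]]:
    """Victim logs in, attacker replays the sniffed cookie, server is fooled."""
    server = ToyServer()
    server.login("victim@mail.example", "3f9a1c7e4b2d")
    stolen = extract_session_cookies(CAPTURED_REQUEST)
    attacker_cookie = "; ".join(f"{k}={v}" for k, v in stolen.items())
    identity_seen_by_server = server.whoami(attacker_cookie)
    # Constructed Set-Cookie header as the vulnerable server issued it.
    missing = audit_set_cookie("SESSIONID=3f9a1c7e4b2d; Path=/")
    return identity_seen_by_server, missing


if __name__ == "__main__":
    who, missing = replay_demo()
    print("attacker is treated as:", who)                # victim@mail.example
    print("Set-Cookie attributes missing:", missing)    # ['Secure', 'HttpOnly', 'SameSite']
```

The server has no way to distinguish the two clients: a bearer session ID is the credential. Serving the whole site over HTTPS stops the passive capture; the Secure flag stops the browser from ever sending the cookie in the clear if an attacker manages to trigger an http:// request; HttpOnly takes the cookie away from the cross-site scripting path the text mentions.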

If you’re communicating with a server that doesn’t support HTTPS, you can set up a VPN connection so that at least the traffic between your device and the VPN endpoint is encrypted. That way, if you’re in a coffee shop on the wireless network, no one else in that coffee shop can see what you’re sending to the server. Keep in mind that the traffic is still in the clear between the VPN exit point and the server, so this only protects you from the local network. Until Facebook moved to HTTPS for every page, anyone on a shared wireless network could use a session-hijacking tool such as Firesheep to capture Facebook session IDs and take over other people’s sessions; BlackSheep was the companion tool written to detect Firesheep running on the same network.

Now that all of the traffic to Facebook is encrypted, that tool no longer works against it. But you may still find applications for which session ID monitors are available, so that somebody can sit on a wireless network and gather session IDs. You want to be very careful in those situations to prevent anyone from collecting your session IDs and hijacking your sessions.