Interesting Web Social Engineering Security Hole

30 posts

Flag Post

Did you hear a bunch of credit card numbers were stolen from a popular website? Here’s the list of credit card numbers revealed – just use ctrl+f and see if yours is on the list. Luckily mine wasn’t.


So, what is this? It’s a simple idea really – when a user presses ctrl+f on their keyboard, you use JS to intercept it and show a custom search box. Then, anything the user types in you can grab. Simple, but effective. So, just watch out for it in the future.

Read more here

Note: don’t actually input your credit card data.
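An added example (not code from this thread or the linked article): a defender-side probe that tells you whether a page cancels the browser’s native Ctrl+F / Cmd+F keydown, which is the one thing the trick above needs. The two page stand-ins, `honestPage` and `hijackingPage`, are constructed; it runs in a browser (pass `document.body`) and in Node 15+, which has `EventTarget` and `Event` but no `KeyboardEvent`.

```javascript
// Added example, not from the thread. A page that swaps the native find bar
// for its own search box must call preventDefault() on the Ctrl+F keydown;
// dispatchEvent() returns false exactly when that happened. Synthetic events
// never trigger native browser actions, so the probe is side-effect free
// apart from running the page's own handlers.
function makeFindKeydown(modifier) {
  // No KeyboardEvent in Node, so the shortcut fields are assigned onto a
  // plain cancelable Event; handlers usually inspect key, code or keyCode.
  const ev = new Event("keydown", { bubbles: true, cancelable: true });
  Object.assign(ev, {
    key: "f", code: "KeyF", keyCode: 70,
    ctrlKey: modifier === "ctrl", metaKey: modifier === "meta",
  });
  return ev;
}

// True if page script cancels the find shortcut for either modifier.
// Assumption: the handler listens on `target` or on something it bubbles to
// (in a browser, dispatch on document.body so document and window also see it).
function findShortcutIsHijacked(target) {
  return ["ctrl", "meta"].some(mod => !target.dispatchEvent(makeFindKeydown(mod)));
}

// Constructed stand-ins: one page leaves Ctrl+F alone, the other cancels it
// the way a page that shows its own search box has to.
const honestPage = new EventTarget();
honestPage.addEventListener("keydown", () => { /* native find bar untouched */ });

const hijackingPage = new EventTarget();
hijackingPage.addEventListener("keydown", e => {
  if ((e.ctrlKey || e.metaKey) && e.key === "f") e.preventDefault();
});

function checkSamples() {
  return {
    honest: findShortcutIsHijacked(honestPage),        // false
    hijacking: findShortcutIsHijacked(hijackingPage),  // true
  };
}
```

Run `findShortcutIsHijacked(document.body)` from the console or a bookmarklet on a page you distrust; a true result means your keystrokes in the "find" box are going to page script, not the browser.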

 
Flag Post

And once again, human stupidity is your ally when trying to steal information.

 
Flag Post
Originally posted by Senekis93:

And once again, human stupidity is your ally when trying to steal information.

Yup. But the thing is, I could see myself falling for this one and I like to consider myself generally knowledgeable when it comes to safe web behaviors. I quickly tap ctrl+f, and type in my info to see if it was stolen without giving it a second thought. I doubt I’d even glance at the search box (which could be tailored to look and act exactly like your browser’s search box).

 
Flag Post

Could be tailored to do it, yes, but it’s unlikely; phishing sites generally look totally fake, but many still fall to their traps.

In this case, the following would be required for it to work:

1: A good reason for me to enable JS on that site. They could force people to enable JS to see the list, but that alone would be enough reason to leave the site.
2: Not having any kind of browser protection: Google tells you about phishing sites and even if you misclick it, Firefox will immediately ask you if you’re sure about visiting that crap. I don’t know if other browsers do the same. Avast also includes a safe sites thing and I bet many other AVs do.
3: Implying I actually enabled JS and visited the site despite all the warnings, I’d immediately notice that instead of a bar with a width equal to that of the browser, with many options and showing at the bottom of the browser, I get a tiny bar at the top right.
4: Let’s pretend I totally ignore all of that and try to find my password on the list; the only way for them to actually steal it would be if I type the whole password, instead of just 3 – 4 particular characters as with any case sensitive search.

So, for this to work, you have to globally enable JS, use insecure browsers, ignore that the bar looks totally different from an actual one and go fill your full password. So yeah… If anyone falls to this, I’m gonna say he/she deserved it. >_>

 
Flag Post
Originally posted by Senekis93:

Could be tailored to do it, yes, but it’s unlikely; phishing sites generally look totally fake, but many still fall to their traps.

In this case, the following would be required for it to work:

1: A good reason for me to enable JS on that site. They could force people to enable JS to see the list, but that alone would be enough reason to leave the site.
2: Not having any kind of browser protection: Google tells you about phishing sites and even if you misclick it, Firefox will immediately ask you if you’re sure about visiting that crap. I don’t know if other browsers do the same. Avast also includes a safe sites thing and I bet many other AVs do.
3: Implying I actually enabled JS and visited the site despite all the warnings, I’d immediately notice that instead of a bar with a width equal to that of the browser, with many options and showing at the bottom of the browser, I get a tiny bar at the top right.
4: Let’s pretend I totally ignore all of that and try to find my password on the list; the only way for them to actually steal it would be if I type the whole password, instead of just 3 – 4 particular characters as with any case sensitive search.

So, for this to work, you have to globally enable JS, use insecure browsers, ignore that the bar looks totally different from an actual one and go fill your full password. So yeah… If anyone falls to this, I’m gonna say he/she deserved it. >_>

1) Good point for you personally, but almost everyone else has JS on by default. To be fair, I think whitelisting sites is a good thing to do, I’m just too lazy to take the time.

2) True, but I can’t say that it’s super accurate or reliable.

3) Obviously is just up to the phisher. If they put enough time into it it could be almost an identical match anyway. You’re right that many phishing sites look fake, but no reason they would have to.

4) Not quite on this one – whatever you typed they could just add to the html so it always showed up.

Basically, if the scammer is smart, they could have quite a convincing system.

 
Flag Post

7/10.

I could see people (who aren’t Senekis) falling for that. Perhaps I would have, if I had a credit card/knew what the number actually was.

 
Flag Post

JavaScript isn’t secure? This is news to me!

(ok ok, not JavaScript’s problem, but whatever)

 
Flag Post
Originally posted by BobTheCoolGuy:

4) Not quite on this one – whatever you typed they could just add to the html so it always showed up.

Yes, but it would only show the part that you typed and never your actual password. Even if you reach this point, having the site add the password you’re typing to its HTML just so you can “find” it should be enough to get away from there.

Basically, if the scammer is smart, they could have quite a convincing system.

Sure, but that’s the thing, they don’t have to be smart, since their targets are the dumb ones: people who will not only read random emails, but follow links included in them, then ignore the totally stupid URL and enter all their bank account information even when the bank clearly told them that they would never, for any reason, request that info via email.

So yeah, you can totally make a semi convincing site, but the biggest role in any scam is played by the victim.

 
Flag Post

this is just an example right?
Like that website is actually safe and not an actual phishing site?

I didn’t fall for it obviously, I just think that if it IS an actual phishing site, you should put a warning.

 
Flag Post

I just typed the last 4 digits.

 
Flag Post

Oh no! I sure hope it was just a harmless example because I searched for “123456789,” and the website said, “Got your CC.” The sad part is that it isn’t even my credit card number. Some poor soul somewhere in this world probably has a CC number just like that, and if the website is a genuine phishing site, that person is about to get the shock of their life. :P

 
Flag Post

Nah, I’m pretty sure the sites were just built super quickly by researchers or something. They were both linked to in the official article, so I’m taking it they’re fine.

 
Flag Post
Originally posted by Senekis93:

Could be tailored to do it, yes, but t’s unlikely; phishing sites generally look totally fake, but many still fall to their traps.

This used to be true, but no longer. Phishing has gotten a lot more sophisticated in recent years, and there are some very convincing phishing attempts out there. Besides, saying things like “you’d have to be an idiot to fall for something like that” is a two-pronged security hole:
1) It dismisses a very real security problem.
2) It discourages users who fell victim to a phishing attack from reporting it, for fear of being blamed or ridiculed.

 
Flag Post

Ace is completely right on this.

The only way to stop this shit is to spread awareness, and more importantly, inform the ignorant masses what they can do to prevent it.

Some steps I would recommend:

1- Use Firefox, with NoScript, and allow websites through that answer to some form of Better Business Bureau.

2- Don’t use ctrl+f on your web browser.

 
Flag Post

I definitely agree this is something to be taken seriously, and that people like Senekis are in the extreme minority. However, I fail to see how it can be actually used in a real phishing attack. Generally, for both passwords and credit cards, more information is needed to be able to use them, such as the account the password is for, or the expiration date of the card. I can’t quite see how this strategy can extract more than a single piece of information…

 
Flag Post

The attitude that the victim of a crime “deserved” it somehow is pretty callous.

A few years ago someone I know took his dog for a walk in the evening, and was robbed at gunpoint. They took his iPhone and some cash. Did he “deserve” to be robbed simply because he was a teenager out at night by himself? No, of course not.

On the same basis, someone who isn’t computer savvy or makes a mistake entering their info somewhere insecure isn’t at fault for the fact that there are unscrupulous people who’ll prey on them.

Incidentally, the reason most phishing attacks appear extremely unsophisticated is because the scammers are looking specifically for people who don’t know how to avoid the scams. Just like the thief decided it would be easier to rob a teen out by himself rather than a group of professional wrestlers, scammers target people who aren’t able to defend themselves so well.

Jonathan – one scenario would be to harvest usernames from a specific site, then generate a link which included the username and send it to you on the basis that “this site’s security was compromised, check your password hasn’t been leaked”. You click it, Ctrl+F your password, and they now know your login.

 
Flag Post

Oh, yeah, it’s a serious issue and it’s sad, since many of the targets are already desperate for money before they get scammed, but even then, you can’t expect not to be ridiculed after your “but that Nigerian prince totally said he was gonna transfer over a thousand millions to my account. :sadface:” excuse.

Filling in all your information in “globalsuperbank-web.com/email.php” is the same; the difference is that most people have little to no education on these subjects and I feel that’s what developers should be addressing: to inform the users instead of limiting functionalities… but that’s a different issue. I’ll make another thread for that.

 
Flag Post
Originally posted by Senekis93:


Filling in all your information in “globalsuperbank-web.com/email.php” is the same; the difference is that most people have little to no education on these subjects and I feel that’s what developers should be addressing: to inform the users instead of limiting functionalities… but that’s a different issue. I’ll make another thread for that.

I think there’s plenty of education around – but the people who understand it are the smart technical users such as yourself. A 12 year old kid, or that kind auntie who sends care packages overseas all the time, or the autistic guy who’s just barely self sufficient take everything on trust and can’t easily be taught otherwise, and those are the sort of people that scammers go after.

 
Flag Post
Originally posted by FlashGrenade:

2- Don’t use ctrl+f on your web browser.

That’s kind of an extreme step. It’s hypothetically possible to intercept ctrl+f, so you shouldn’t use it at all? You know, it’s hypothetically possible for people to find a zero-day exploit and take over your web browser, so maybe you should give up web browsers.

Noscript and WOT would be more effective at keeping you safe, and using them wouldn’t force you to give up a useful feature.

 
Flag Post

AdBlock+, NoScript and Ghostery.
The only bad thing is that if you’re constantly loading new websites (as in websites you’ve never visited before), then you’ll need to whitelist stuff often, but I feel it’s a fair price to pay for a safe experience.

WOT is like the Avast thing I mentioned earlier. Looks nice.

 
Flag Post

There is also a small set of exceptional circumstances that make it much easier to scam people. They mostly involve generating intense emotions in the victim, be it fear (your credit card number / account information may be compromised), urgency (you must act now!) or pity (I am collecting money for the war orphans in Uganda, take a look at these pictures). It’s been said that you can’t scam an honest man, but it’s false. You just can’t do it by appealing to their greed, but they have plenty of other triggers. There are all sorts of psychological tricks you can use to start a scam and to keep it going. And don’t forget the scammers have all the time in the world to perfect their approach, and only need to be successful once in a while. The victims must see the scam every time, or fall for it.

Additionally, we don’t spend all our time checking and re-checking information and sensory input for validity. Once we accept something as true, usually after passing a split-second judgment on it, we no longer question it. That’s how people end up inputting their credit card info in a scam site that looks similar but not quite identical to that of their bank, or mistakenly picking the no-brand crackers on the store shelf. I once took someone else’s luggage at the airport because they had the same suitcase and permanent tag as I did. What are the odds, right? My first thought when opening said luggage was wonder at how someone else’s clothes had ended up in my luggage. The confusion only lasted a second, but it was enough to make me realize how strong the assumption had been that the suitcase was mine.

 
Flag Post
Originally posted by FlashGrenade:

Ace is completely right on this.

The only way to stop this shit is to spread awareness, and more importantly, inform the ignorant masses

I’m going out on a limb and saying the majority of people that fall for these scams are previous generations that have absolutely no interest in learning how to properly use a computer.
My aunt’s father for example will still try to click on those ads that say “you won a million dollars! click to claim it!” even though he’s been told once for every supposed dollar he “won” that it’s a scam, why and how.
I was told once when I was 10 why you don’t click on that shit… And dealt with the semi-hilarious computer virus I got after my friend fell for an ad one evening.
My grandparents too, my grandpa doesn’t even understand the concept of double-clicking.
Unfortunately they hear about hackers and computer viruses all the time on the news and all it does is make them more afraid of computers and the internet. Propagating them to become even more discouraged and detached from the notion of learning what you can, can’t, should, and shouldn’t do.
Not that there aren’t those in the older generations that don’t get along famously with this stuff….

The credit card companies themselves warn about this type of thing. The target audience is probably those older generations (or anyone else with a similar state of mind), we can warn them, warn those that are close to us, but besides that there’s not much we can do.
So I believe spreading this is pointless. Anyone with common sense would understand it’s a scam. Who in the nine worlds of Yggdrasil would own a credit card and fall for this nonsense?

Regardless, thank you for sharing bob.

 
Flag Post

That is quite devious, and a lot of savvy people could fall for it if they were linked to such a site when they’re not really paying attention.

Running with JS turned off is pretty much turning the Internet off these days, with so much live content and AJAX (for example you can’t use this forum without it).

 
Flag Post
Originally posted by BobJanova:

That is quite devious, and a lot of savvy people could fall for it if they were linked to such a site when they’re not really paying attention.

Running with JS turned off is pretty much turning the Internet off these days, with so much live content and AJAX (for example you can’t use this forum without it).

Yeah. :\
Turning off scripts in general and enabling them on a per-site basis is more hassle than just living with intrusive and malicious scripts (they’re easier to defend against by being aware of what you’re doing).

 
Flag Post
Originally posted by qwerber:

I just typed the last 4 digits.

This. If I was going to check to see if my personal information had somehow been compromised, I’d only type in a fraction of it. Of course, this is mostly due to laziness and the fact that I use addons like noscript—I don’t trust the internet. Clever trap, I have to say!

Enabling scripts on a per-site basis really isn’t that bad.