A vast majority of research focuses on automated and/or botnet exploits, which makes sense when considering the number of victims affected. However, a research team from Google and the University of California, San Diego chose a different path, looking at "manual account hacking," exploits that are rare -- fewer than nine incidents for every one million people who use Google daily. "However, the damage manual hijackers incur is far more severe and distressing to users and can result in significant financial loss," the researchers mention in their paper "Handcrafted fraud and extortion: Manual account hijacking in the wild." "These needle-in-a-haystack attacks are very challenging and represent an ongoing threat to internet users."
Types of account hijacking
To start, there are two types of account hijacks:
● Automated account hijacking: Attacks that try to compromise user accounts via botnets or spam networks. This attack uses automated tools, attempting to maximize the attacker's ROI by scamming a small amount of money from thousands of victims.
● Manual account hijacking: The bad guys hijack accounts looking for ways to steal money, ransom applications or data, leverage contact information for future attacks, or use sensitive personal data against the victim.
To explain the difference between automated exploits and manual attacks, the paper mentions, "Manual hijackers spend significant non-automated effort on profiling victims and maximizing the profit -- or damage -- they can extract from a single credential."
Image: Google
The graph to the right depicts the relationship between the number of accounts hijacked and the "depth of exploitation." It seems we can be thankful the more prevalent automated exploits are less exploitative.
Steal email credentials and profile the victim
The first step is stealing a victim's account login information. The paper mentions the most sought-after account is email, followed by online financial accounts. For this discussion, the focus will be limited to email-account hijacking. Once attackers have the login information, they decide quickly whether the account is worth further effort. The paper explains, "If the brief account value exploration yields promising results, the hijackers spend an additional 15 to 20 minutes per account sifting through emails, and finding ways to monetize the account." The hijackers are hoping to find emails holding financial or personal data they can use on the current victim, or to improve their chances of exploiting the victim's contacts by making the scam email that purports to come from the victim seem more realistic.
The profiling portion of the attack was of special interest to the researchers. They mention, "This systematic assessment phase and the fact that certain accounts are not exploited suggest that manual hijackers are 'professional' and follow a well-established playbook designed to maximize profits." The researchers offer more evidence that well-organized groups are behind manual account hijacks:
● The individuals seemed to work according to a tight daily schedule. They started around the same time every day, and had a synchronized, one-hour lunch break. They were inactive over the weekends.
● All individuals followed the same daily timetable, defining when to process the gathered password lists, and how to divide time between ongoing scams and new victims.
● They were operating from different IPs, on different victims, and in parallel with each other, but the tools and utilities they used were the same. They also shared certain resources such as phone numbers.
This is more validation for experts who contend online-crime syndicates are run with business-like precision.
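The profiling phase described above leaves a trace a mail provider can look for: a login from an address the account has never used, followed within the researchers' 15-to-20-minute window by a burst of mailbox searches. The following is an added example, not code from the paper or from Google; the log format, the sample lines, the 20-minute window and the search threshold are all constructed assumptions for the illustration.

```python
"""
Added example (not from the Google/UCSD paper): a heuristic detector for the
profiling behaviour the paper describes, a login from an IP the account has
never used followed by a burst of mailbox searches inside the 15-20 minute
window the researchers observed.  The log format, the sample lines and the
thresholds are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed activity log: "<ISO timestamp> <user> <client ip> <event> [<detail>]"
SAMPLE_LOG = """\
2014-11-03T09:01:10 alice 203.0.113.5 login
2014-11-03T09:01:40 alice 203.0.113.5 read_mail
2014-11-03T09:05:00 alice 203.0.113.5 logout
2014-11-03T10:15:00 bob 192.0.2.9 login
2014-11-03T10:16:00 bob 192.0.2.9 search flight
2014-11-03T10:17:00 bob 192.0.2.9 logout
2014-11-03T13:00:05 alice 198.51.100.77 login
2014-11-03T13:00:30 alice 198.51.100.77 search bank
2014-11-03T13:01:02 alice 198.51.100.77 search password
2014-11-03T13:01:40 alice 198.51.100.77 search invoice
2014-11-03T13:03:15 alice 198.51.100.77 search paypal
2014-11-03T13:04:50 alice 198.51.100.77 search "wire transfer"
"""

PROFILING_WINDOW = timedelta(minutes=20)  # assumption, from the paper's 15-20 minute figure
SEARCH_THRESHOLD = 4                       # assumption: searches in that window that raise an alert


def parse_log(text):
    """Return (timestamp, user, ip, event, detail) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(maxsplit=3)
        ts, user, ip, rest = fields + [""] * (4 - len(fields))
        event, _, detail = rest.partition(" ")
        events.append((datetime.fromisoformat(ts), user, ip, event, detail.strip().strip('"')))
    events.sort(key=lambda e: e[0])
    return events


def find_suspicious_sessions(text, known=None, window=PROFILING_WINDOW, threshold=SEARCH_THRESHOLD):
    """Return sessions that started from an unfamiliar IP and searched the mailbox heavily.

    known: {user: set of IPs} already trusted from earlier history.  IPs seen at
    logins in this log are added as they appear, so only the first login from
    a new address counts as unfamiliar.
    """
    known_ips = defaultdict(set)
    for user, ips in (known or {}).items():
        known_ips[user].update(ips)
    sessions = []   # every session seen, in login order
    current = {}    # user -> the session dict currently open
    for ts, user, ip, event, detail in parse_log(text):
        if event == "login":
            sess = {"user": user, "ip": ip, "login_at": ts,
                    "new_ip": ip not in known_ips[user], "searches": []}
            known_ips[user].add(ip)
            sessions.append(sess)
            current[user] = sess
            continue
        sess = current.get(user)
        if sess is None or sess["ip"] != ip:
            continue  # activity outside any tracked session
        if event == "search" and ts - sess["login_at"] <= window:
            sess["searches"].append(detail)
        elif event == "logout":
            current.pop(user, None)
    return [s for s in sessions if s["new_ip"] and len(s["searches"]) >= threshold]


if __name__ == "__main__":
    for alert in find_suspicious_sessions(SAMPLE_LOG, known={"alice": {"203.0.113.5"}}):
        print(f"{alert['user']} from new IP {alert['ip']} at {alert['login_at']}: "
              f"{len(alert['searches'])} searches {alert['searches']}")
```

On the constructed log, Alice's morning session from her usual address and Bob's single search pass quietly; the afternoon session from the unfamiliar address with five searches in five minutes is the one that is flagged. In a real deployment the `known` history would be seeded from past logins rather than from the log under analysis, and the alert would feed a step-up challenge rather than a hard block, since travelling users also log in from new addresses.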
Exploiting the victim's contacts
Most individuals, at one time or another, have received an email where someone is in trouble and needs money. Almost at once the scam is dismissed because the email -- an automated account hijacking attempt -- makes little sense. However, manual account hijacks are different. Being non-automated, attackers can inject material to personalize the scam email. The research team mentions there is a distinct pattern to most of the scam emails. They all tend to have:
● A story with credible details to limit the victim's suspicion.
● Words or phrases that evoke sympathy and aim to persuade.
● An appearance of limited financial risk for the plea recipient, as financial requests are requests for a loan with concrete promises of speedy repayment.
● Language that discourages the plea recipient from trying to verify the story by contacting the victim through another means of communication, often through claims that the victim's phone was stolen.
● An untraceable, fast, and hard-to-revoke yet safe-looking money transfer mechanism.
Defense strategies
The research paper then describes what email providers can do to prevent manual account hacking. Sadly, there are precious few for-sure user defenses other than second-factor authentication -- if it is available, use it. Two-factor authentication will thwart the bad guys.
Before starting, I would like to give a small preview of the topic. This article focuses on the world-famous hacker group known as “Anonymous.” I will be describing their attack methodologies and way of planning, but we will be focusing more on the weapons or tools they use. The word anonymous simply means having no name or identity. The group Anonymous is a faction of hackers or hacktivists. They have their own website and IRC (Internet Relay Chat) channel where they hold loose online gatherings that focus on brainstorming. Rather than giving orders, the group uses a voting system that chooses the best way of handling any situation. This group is famous for their hacks, one of which is Distributed Denial of Service (DDoS) attacks on government websites, well-reputed corporate websites, and religious websites. Their famous slogan is:
We are Anonymous
We are Legion
We do not forgive
We do not forget
Expect us
This is the signature of Anonymous that can be seen in their every attack.
Skills of Anonymous hackers:
They are people with excellent hacking skills, but they use conventional black hat techniques and methods. In fact, their hacking techniques are the same ones familiar to other hackers. For example, they also use the same tools used by other hackers, like Havij and sqlmap, when performing an SQL injection attack on a website. In other words, they are able to take advantage of common web application vulnerabilities which can be found in many websites.
The Anonymous hackers are comprised of two types of volunteers:
Skilled hackers – This group consists of a few skilled members that have expertise in programming and networking. From their display of hacking skills, one can surmise that they have genuine hacking experience and are also quite savvy.
Laypeople – This group can be quite large, ranging from a few dozen to thousands of volunteers from all over the world. Directed by the skilled hackers, their primary role is to conduct DDoS attacks by either downloading and using special software or visiting websites in order to flood victims with excessive traffic. The technical skills required in this group range from very low to modest. There was about a 10:1 ratio of laypeople to skilled hackers.
The Anonymous hackers’ first objective is to steal data from a website and server. If that fails, that is when they attempt a DDoS attack. They are a very well-managed group. Before selecting a target, they conduct a voting poll on the internet. After that, they name their operation.
They have already organized many operations that became very famous, one of which is “Payback,” which became famous all over the world back in 2010. In Operation Payback, they stopped the services of well-known e-commerce business solutions, such as PayPal, Visa, MasterCard, and Sony, by performing DDoS attacks on them. There are many other operations which were conducted by this group, such as Operation Leakspin, Operation Israel, Operation Facebook, Operation Gaza, etc.
In the figure below, we can see an example of their voting system for an operation.
After the voting poll, they decide what the next operation is.
In the figure below, we have shown a good example of their voting response.
After finalizing voting for the target, the operation process proceeds.
Their hacking operation consists of three different phases.
1. Recruiting and communication phase
2. Reconnaissance and application attack phase
3. DDoS attack phase
1. Recruiting and communication phase: In this phase, Anonymous uses social media to recruit members and promote campaigns. In particular, they use popular social networking sites like Twitter, Facebook, and YouTube to suggest and justify an attack. This is really the essence of all hacktivism campaigns; messages are spread via social media such as Facebook, Twitter and YouTube.
The content during this phase:
• Explains their political agenda for the campaign. In this case, a website was created that rationalized the attack. Twitter and Facebook were used to bring attention to the website and its arguments. In addition, YouTube videos further rationalized the attack by denigrating the target and exposing perceived transgressions.
• Declares the dates and targets for protest in order to recruit protesters and hackers.
2. Reconnaissance and application attack phase: In this phase, the attackers have a sound knowledge of attack tools. They use anonymity services to hide their identity and maintain a low profile. Their attack traffic levels during this phase were relatively low, especially when compared to the attack phase. However, the reconnaissance traffic was relatively high compared to ordinary days. An attacker tries to penetrate the web application by using well-known tools like Havij, the Acunetix Web Vulnerability Scanner, etc.
Examples of the tools used are described below:
Havij – Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page. By using this software, a user can perform back-end database fingerprinting, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system.
Acunetix – The Acunetix Web Vulnerability Scanner is an automated black-box scanner that checks websites and web applications for vulnerabilities such as SQL injection, cross-site scripting, and others.
Once the attacker successfully exploits any of these vulnerabilities, Anonymous will deface the website by replacing its home page with their defaced page, which looks like the figure below, with their slogan and a message to the world.
3. DDoS attack phase: The DDoS attack is the deadliest attack they use and is performed by their skilled hackers. If they fail to penetrate the web application, then they go for this attack. They are also famous for this attack because whenever they perform it, they always succeed in their operation. But before conducting a DDoS attack, the Anonymous group provides a list of tools in different social media, like an IRC channel, Facebook, Pastebin, etc.
Some of the famous and powerful tools used by the Anonymous group are H.O.I.C, PyLoris, QSlowloris, Torshammer, etc. I am going to show some of the usage of these tools.
H.O.I.C – Also known as High Orbit Ion Cannon. It is a simple script launching HTTP POST and GET requests at the target server. It is a cross-platform tool easily found for Windows, Mac and Linux platforms. As we can see in the figure below, clicking on the plus icon opens a new small window for adding targets.
Input the target address in the URL box, then set the power level to Low, Medium or High as required.
In the figure above, we can see the third option was left blank. HOIC’s boosters are used to tailor the HTTP requests sent by HOIC to the target for a specific type of attack. “HOIC is pretty useless,” the documentation file that comes with the code says, “unless it is used in combination with ‘Boosters.’” And that’s putting it mildly—the attack code is generated based completely on what’s in the booster file. When an attack is launched, HOIC compiles the booster to create the HTTP headers to be sent, and sets the mode of the attack.
After selecting the booster, it is ready for the attack, as we can see in the figure below.
Now just click on “FIRE TEH LAZER” and wait for a few minutes.
Now when you open your target web page, you will see a message like the figure above. If you see the message “Resource Limit Is Reached”, then it means the game is over.
PyLoris – It is a Python-based tool that works on both Linux and Windows platforms. PyLoris also includes a feature called TOR Switcher, which allows attacks to be carried out over the anonymized Tor network and switches between Tor “identities,” changing the apparent location the attack is coming from at user-defined intervals. Before using this tool, it is required that the TOR browser and Python are installed on the system. Now we can start the tutorial.
First open Tor. In the Vidalia control panel, go to Settings, then “Advanced”, and from the drop-down menu, choose Password. Finally, deselect Randomly Generate.
Next, go to the PyLoris folder and open the file Tor_Switcher.py and input the password you just set in Tor. You can lower the rate of interval if you want. If you are getting rejected connections, try lowering or raising the rate of interval.
Leave Tor_Switcher.py running and open Pyloris.py. Configure it by inputting your target website in the host field under the General menu. The port is usually 80. You can raise the limits depending on how fast your computer is. Once it’s all set up, fire your laser, and click on the launch button.
After clicking the Launch button, a new window will pop up and will show the status of the attack. Please refer to the image below.
It takes some time before all the target’s sockets are filled, usually around 300 or so. Just wait and soon you will see that your target is down.
U.S. federal authorities have indicted five men — four Russians and a Ukrainian — for allegedly perpetrating many of the biggest cybercrimes of the past decade, including the theft of more than 160 million credit card numbers from major U.S. retailers, banks and card processors.
The gang is thought to be responsible for the 2007 breach at credit card processor Heartland Payment Systems that exposed some 130 million card numbers, as well as the 2011 breach at Global Payments that involved nearly a million accounts and cost the company almost $100 million.
Federal prosecutors in New York today called the case the largest hacking scheme ever prosecuted in the U.S. Justice Department officials said the men were part of a gang run by Albert “Soupnazi” Gonzalez, a hacker arrested in 2008 who is currently serving a 20-year prison sentence for his role in many of the breaches, including the theft of some 90 million credit cards from retailer TJX.
One of the accused, 27-year-old Dmitriy Smilianets, is in U.S. custody. Vladimir Drinkman, 32, of Syktyvkar, Russia, is awaiting extradition to the United States. Three others named in the indictments remain at large, including Aleksandr Kalinin, 26, of St. Petersburg; 32-year-old Roman Kotov from Moscow; and Mikhail Rytikov, 26, of Odessa, Ukraine.
According to the government’s indictment, other high-profile heists tied to this gang include compromises at:
Hannaford Brothers Co: 2007, 4.2 million card numbers
Carrefour S.A.: 2007, 2 million card numbers
Commidea Ltd.: 2008, 30 million card numbers
Euronet: 2010, 2 million card numbers
Visa, Inc.: 2011, 800,000 card numbers
Discover Financial Services: 500,000 Diners card numbers
In addition, the group is being blamed for breaking into and planting malware on the networks of NASDAQ, 7-Eleven, JetBlue, JCPenney, Wet Seal, Dexia, Dow Jones, and Ingenicard.
The hackers broke into their targets using SQL injection attacks, which take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Once inside, the attackers can upload software and siphon data.
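Both the Anonymous write-up (Havij in the reconnaissance phase) and this indictment turn on the same coding defect, so one added example covers both: a lookup that splices user input into its SQL text, beside the parameterized form that closes the hole. This is constructed illustration code, not from either article or from any of the companies named; the table, its rows, the card numbers and both lookup functions are assumptions, and the database is an in-memory SQLite instance.

```python
"""
Added example (not from either article): the coding defect behind an SQL
injection and its fix, side by side on an in-memory SQLite database.  The
table, its rows and both lookup functions are constructed for this
illustration; the card numbers are placeholders.
"""
import sqlite3


def make_db():
    """Constructed users table holding the kind of data the indictment says was stolen."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice-pw", "4111-placeholder-0001"),
        ("bob", "hash-of-bob-pw", "4111-placeholder-0002"),
    ])
    return conn


def lookup_user_vulnerable(conn, username):
    """Builds the statement by string concatenation, so the input is parsed as SQL grammar."""
    query = "SELECT username, card_number FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Binds the input as a parameter; the driver never lets it alter the query's structure."""
    return conn.execute(
        "SELECT username, card_number FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # textbook tautology: turns the WHERE clause into "always true"
    print("vulnerable:", lookup_user_vulnerable(db, probe))  # every row comes back
    print("safe:      ", lookup_user_safe(db, probe))        # no user has that literal name
```

Parameter binding is the fix; on top of it, the account the web application uses to reach the database should hold only the privileges the application needs, with no file-system or command-execution rights, which takes away the post-injection capabilities the Havij description above lists (reading the file system, running operating-system commands) even if a query somewhere is still built by hand.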
The government’s indictment alleges that the thieves were at times overwhelmed by the sheer amount of data yielded by their SQL attacks. On Aug. 12, 2007, Kalinin allegedly sent Gonzalez an instant message that he’d just gained access to 30 SQL servers on NASDAQ’s network, but hadn’t yet cracked the administrator passwords that secured the data inside. “These [databases] are hell big and I think most of info is trading histories.” On Jan. 9, 2008, after Gonzalez offered to help attack the trading floor’s computer systems, Kalinin allegedly messaged back, “NASDAQ is owned.”
Court documents feature an alleged conversation between Kalinin and Gonzalez from March 18, 2008, months after the Hannaford Bros. attack:
Kalinin: haha they had hannaford issue on tv news?
Gonzalez: not here
Gonzalez: I have triggers set on google news for things like “data
breach” “credit card fraud” “debit card fraud” “atm fraud” “hackers”
Gonzalez: I get emailed news articles immediately when they come out,
you should do the same, it’s how I find out when my hacks are found
Just a few weeks later, news of a massive credit card breach at Hannaford started trickling out:
Gonzalez: hannaford lasted 3 months of sales before it was on news, im trying to figure out how much time its going to be alive for
Gonzalez: hannaford will spend millions to upgrade their security!! lol
Kalinin: haha
Kalinin: they would better pay us to not hack them again
According to prosecutors, the other members of the gang helped harvest data from the compromised systems, and managed the bulletproof hosting services from which the group launched its SQL attacks [the government alleges that Rytikov, for example, was none other than "Abdullah," a well-known BP hosting provider]. The men allegedly sold the credit card data to third parties who routinely purchased them at prices between $10 and $50 apiece. The buyers were given PIN codes and magnetic stripe data that allowed them to create cloned cards for use at retailers and ATMs around the world.