The vast majority of research focuses on automated and/or botnet exploits, which makes sense when considering the number of victims affected. However, a research team from Google and the University of California, San Diego chose a different path, looking at "manual account hacking." These exploits are rare: fewer than nine incidents for every one million people who use Google daily. "However, the damage manual hijackers incur is far more severe and distressing to users and can result in significant financial loss," the researchers write in their paper, Handcrafted fraud and extortion: Manual account hijacking in the wild. "These needle-in-a-haystack attacks are very challenging and represent an ongoing threat to internet users."
Types of account hijacking
To start, there are two types of account hijacks:

● Automated account hijacking: Attacks that try to compromise user accounts via botnets or spam networks. This attack uses automated tools, attempting to maximize the attacker's ROI by scamming a small amount of money from thousands of victims.

● Manual account hijacking: The bad guys hijack accounts looking for ways to steal money, ransom applications or data, leverage contact information for future attacks, or use sensitive personal data against the victim.

To explain the difference between automated exploits and manual attacks, the paper mentions, "Manual hijackers spend significant non-automated effort on profiling victims and maximizing the profit -- or damage -- they can extract from a single credential."
Image: Google
The graph to the right depicts the relationship between the number of accounts hijacked and the "depth of exploitation." It seems we can be thankful the more prevalent automated exploits are less exploitative.
Steal email credentials and profile the victim
The first step is stealing a victim's account login information. The paper mentions the most sought-after account is email, followed by online financial accounts. For this discussion, the focus will be limited to email-account hijacking.

Once attackers have the login information, they decide quickly whether the account is worth further effort. The paper explains, "If the brief account value exploration yields promising results, the hijackers spend an additional 15 to 20 minutes per account sifting through emails, and finding ways to monetize the account." The hijackers are hoping to find emails holding financial or personal data they can use on the current victim, or to improve their chances of exploiting the victim's contacts by making the scam email supposedly from the victim seem more realistic.

The profiling portion of the attack was of special interest to the researchers. They mention, "This systematic assessment phase and the fact that certain accounts are not exploited suggest that manual hijackers are 'professional' and follow a well-established playbook designed to maximize profits." The researchers offer more evidence that well-organized groups are behind manual account hijacks:

● The individuals seemed to work according to a tight daily schedule. They started around the same time every day, and had a synchronized, one-hour lunch break. They were inactive over the weekends.

● All individuals followed the same daily timetable, defining when to process the gathered password lists, and how to divide time between ongoing scams and new victims.

● They were operating from different IPs, on different victims, and in parallel with each other, but the tools and utilities they used were the same. They also shared certain resources such as phone numbers.

This is more validation for experts who contend online-crime syndicates are run with business-like precision.
Exploiting the victim's contacts
Most individuals, at one time or another, have received an email where someone is in trouble and needs money. Almost at once the scam is dismissed because the email -- an automated account hijacking attempt -- makes little sense. However, manual account hijacks are different. Being non-automated, attackers can inject material to personalize the scam email. The research team mentions there is a distinct pattern to most of the scam emails. They all tend to have:

● A story with credible details to limit the victim's suspicion.

● Words or phrases that evoke sympathy and aim to persuade.

● An appearance of limited financial risk for the plea recipient, as financial requests are requests for a loan with concrete promises of speedy repayment.

● Language that discourages the plea recipient from trying to verify the story by contacting the victim through another means of communication, often through claims that the victim's phone was stolen.

● An untraceable, fast, and hard-to-revoke yet safe-looking money transfer mechanism.
Defense strategies
The research paper then describes what email providers can do to prevent manual account hacking. Sadly, there are precious few for-sure user defenses other than second-factor authentication -- if it is available, use it. Two-factor authentication will thwart the bad guys.
This tutorial describes the basics of using the Kali Linux tool chntpw. For those not familiar with it, chntpw is a Kali Linux tool that can be used to edit the Windows registry, reset a user's password, and promote a user to administrator, as well as several other useful options. Using chntpw is a great way to reset a Windows password or otherwise gain access to a Windows machine when you don't know what the password is. Using chntpw is pretty straightforward, especially if you use interactive mode.

Mounting the Kali Linux live CD:

First, boot the Kali Linux CD, or another Linux live CD.

1. Mount the Windows partition. If you don't know what device it is on, you can use the cfdisk command and it will tell you the device. The device should look something like "/dev/sda1". Mount the partition using the ntfs-3g or mount command:

ntfs-3g /dev/sda1 /mnt/windows

OR:

mount -t ntfs-3g /dev/sda1 /mnt/windows

Locate the Windows SAM file

2. Now, to make it a little easier, go ahead and switch to the location of the Windows SAM file and the other hive files, under the mount point used above:

cd /mnt/windows/WINDOWS/system32/config

*Note that in Windows Vista or Windows 7, the physical registry location is in "System32," with a capital "S".

To blank out or change the Windows password:

3. Type chntpw -h to familiarize yourself with the different options and usage of chntpw. If you like, you can actually use chntpw by giving it the appropriate option, but I like to use interactive mode, which makes it a little easier. In addition to any options, you also have to give chntpw the location of the Windows SAM file, which stores the passwords, or the registry hives that you want to edit, which should all be in the config folder. (Instead of WINDOWS, NT uses WINNT.)

4. Use the -i option to start chntpw in interactive mode and make sure to specify the name of the Windows SAM file, as well as any other registry hive files you want to edit:

chntpw -i sam

Press "1" to edit the user password and then type the name of the user that you wish to edit and press Enter. You will now be given the option to blank out the password by pressing "1", as well as several other ways to change the user, such as upgrading the account to an administrator. Press "!" to exit the Edit User screen and then press "q" to exit chntpw; you will be prompted to save any changes.