Thoughts on Threats #2 – Web-based Attacks Hidden in Plain Sight

Thoughts on Threats #2 – Web-based Attacks Hidden in Plain Sight

Back in August, we kicked off the Thoughts on Threats series with a look at the top-rated threat in ENISA’s Threat Landscape study from 2015. In this installment, we’re heading down the list to the number two spot for a closer look at one of the web’s most prolific predators.

First though, and breaking tradition with threat reporting on the web’s tendency for graphic representation of online threats via a picture of a teen in a hoodie slumped over a laptop keyboard with scrolling binary in the background, we’re going to look at the snow leopard.

Don’t let their soft, cuddly exterior fool you – this ain’t no kitty cat. Snow leopards are highly specialised hunting machines. Everything about them is optimised to track down and hunt prey undetected in their habitat, which is generally the snowy throws of mountains in the north of Asia. With their muscular frame and huge, piercing teeth they can take down animals up to four times their weight. But even with all its instincts, its excellent sense of smell and even those mighty fangs, this could all be for nothing if the big cat’s prey spots it before it has a chance to strike.

A snow leopard’s camouflage is arguably its greatest asset in hunting prey, and it’s this ability to hide in plain sight that makes it so successful in its natural habitat – something it shares with the online threat of web-based attacks.

Think about how much time you spend on the web in a typical week – browsing at home, for work or catching up on the latest gossip on social media on your morning commute. Think about how many links you click, how many sites you “pass through” without having been on them before or registering the information you sent or received whilst browsing them.

The blizzard of online background noise we’re all subjected to on a daily basis could be providing the perfect veil for all manner of web-based attacks, just waiting for the opportune moment to strike their unsuspecting prey.

Prepared to pounce

You might think a web-based attack requires a user to follow some specific direction in order to actively download malicious software, thereby compromising their information security. The snow leopard won’t wait for an unsuspecting goat to stroll up to it and lay its neck neatly between the big cat’s teeth; neither will drive-by downloads rely on unsuspecting users downloading an attachment from an email in order to get to work.

Hackers can exploit various vulnerabilities in websites and browsers which allow them to alter website content. This type of attack can – but doesn’t have to – change what web users see. The website can appear completely normal, but through methods like SQL injection, malicious payloads – containing anything from small downloader apps to very advanced and targeted malware – can automatically start downloading the moment a victim visits a particular web page.

Once the unsuspecting user has clicked on the compromised site containing an exploit kit – giving hackers the entry point they’ve been seeking – malicious code is delivered to their device. This can then scan various pieces of software on the device or if it’s connected to a corporate network – legacy systems, internal applications that use plain text passwords, and some old out of date Operating Systems to hide in and exfiltrate data through.

Once suitable vulnerabilities and attack staging system are identified, the malware contacts its command and control servers to install a payload of malware on the user’s device. Following this, the malware can either lay dormant until a predetermined time or execute. Then it can begin transmitting data from your computer or network back to its master’s servers, encrypting files in preparation for a ransomware attack, or it can create a backdoor to the network which the hacker can exploit at a later date.

This attack can lead to long-term effects, as victims may not even know they’ve been targeted until long after the initial strike.

Waiting by the watering hole

An opportunistic hunter like the snow leopard will adjust its attack patterns in order to increase its chances of a tasty feed at the end of a long hunt. The big cat has been known to attack livestock, targeting farms where large amounts of sheep and goats return to regularly to be fed.

Using social engineering, a hacker can identify frequently-visited websites their victims are likely to return to, which they can exploit in order to ensure their plan’s success. These so-called watering hole attacks involve an attacker getting to know their target’s browsing habits.

For instance, if a hacker wanted to compromise the security of a large bank to gain access to sensitive customer data, they may single out a member of staff at the bank and monitor their browsing habits to find out what websites they visit regularly. If the hacker finds their victim frequently checks the same news sites, they may then look for vulnerabilities in those sites in which they can implant their attack.

This is a long game for the attacker, more likely to be used as part of an attack attempt on a person who controls high-value assets. Tactics like these may also be deployed by the hacker to infiltrate an organisation’s networks by compromising the computer of an individual working at the company.

Once the target individual and watering hole site have been identified by the hacker, another tactic they can use to play out their wicked plan is the clickjacking attack. This involves some fiddly, but fairly simple user interface redressing which usually takes the form of writing code to load a hidden web page on top of the page which is displayed to the user.

The easiest way to grasp this is by imagining the pages as layers; the bottom layer is the page the user sees and is trying to access – for the sake of this example we’ll assume it’s an online banking login page – and the top layer, which is transparent, is the page devised by the hacker. Despite being invisible, the hacker has cleverly positioned their own data entry fields on top of the fields where users can enter their confidential banking log in details, and atop the button for “Login” is an invisible button which, when clicked, transfers data entered to the hacker, giving them access to your credentials.

Hence the name clickjacking – users are tricked into inadvertently clicking malicious links with potentially disastrous consequences.

The Leopard can’t change its spots, but the link can change whatever it wants

These predatory attacks which lie in wait for unsuspecting users to stumble upon them all rely on malicious URLs, the number of which is growing by the day. ENISA’s report notes that Computer Emergency Response Teams (CERTs) detect around 58,000 bad URLs every day, and these are frequently changed or updated in order to evade discovery, making the task of blacklisting them as they appear a huge challenge.

Most browsers have settings which can be adjusted to prevent unwanted framing of websites, while keeping an eye on the spelling or composition of URLs which look as though they lead to genuine websites can keep you out the attacker’s claws.

Keeping software up-to-date with the latest patches can close known vulnerabilities, blocking access for attackers to inject their malicious code. Keeping an eye on commonly used browsers and other software for anomalies in its behaviour can help you catch and act quickly if your device has been compromised.

Staying vigilant online prevents you from becoming the prey – even when you’re taking a bit of a break. Recently web-based attacks have found success by propagating through social media. Twitter had to take action back in 2009 when a clickjacking attack which exploited users curiosity spread rapidly across the site, while “like-farming” through phony competitions is a tactic commonly seen over on Facebook, which can be used to harvest details or spread malicious URLs.

But humans are notoriously prone to errors – clicking links, overlooking misspelled URLs and failing to realise when they’ve inadvertently sent important credentials to third parties with their own ulterior motives. A Security Incident and Event Monitoring (SIEM) system can provide vigilance across networks and devices, flagging any suspicious activity and enabling security teams to cut through the frenzy of traffic in order to identify and deal with threats before too much damage is done.

Understanding the methods employed by this popular threat will help you keep your own and your organisation’s information safe from the hands of the hackers. Commissum offer a wide range of services to help you improve your security profile holistically – from security managed services to consulting services to security awareness training. If you’d like to discuss how you could improve your security posture, get in touch and we’ll help.