This article of mine was first published on iViZ Security Blog!
Here is the actual article:
Hacking an email account is probably something that intrigues all of us. Phishing is an example of a social engineering technique used to take advantage of human ignorance. It allows unscrupulous people to exploit weaknesses in web security technology. Here we will discuss an advanced way to perform an automated phishing attack.
As cyber awareness increases day by day, the number of failed phishing attempts is also increasing. Most Internet users go through a few checks before entering critical information such as a user name and password in a web form. This approach is a kind of indirect phishing attack. Here, instead of asking the victim directly for their user name and password, the attacker presents the victim with the same challenges that Google or any other email service provider poses when someone tries to reset the password of an email account. When the victim solves those challenges, we take the solutions from the victim, submit them to the actual server and successfully reset the password in an automated manner. These challenges can be security questions or an SMS-based password reset.
Attack Strategy at a Glance:
Here our main intention is to abuse the password reset functionality of various email service providers in a smarter and automated manner. We will use Selenium and its Python WebDriver API to automate this entire process. Selenium is a software testing framework for web applications that can automate a browser locally or remotely (http://seleniumhq.org/). We will write a custom Selenium web server in Python and a dynamic fake survey form in PHP. The fake survey form will communicate with the Selenium web server through its custom APIs in the back end (using PHP curl or something similar).
Step 1: Start the custom Selenium Server
First we will start our custom Selenium web server and host the fake survey form with any hosting service provider supporting PHP and PHP curl. Then we will send the link to that fake survey form to the victim.
Once started, the custom Selenium web server constantly monitors the victim's activity. When the victim visits the fake survey form, it informs the Selenium web server through PHP curl that the victim has opened the page.
Step 2: Send the custom form to the target
Create a fake registration form for anything you like, which will ask the user for an email id. It can offer an interesting free coupon for restaurants, a free download, etc. When the victim enters his/her email id, our custom web server will automatically try to recover the password of the email id received from the fake survey form, using the Selenium WebDriver API. As Selenium is quite fast, it will take a maximum of 5 to 6 seconds.
Step 3: Automatically initiate the password recovery process
Almost all well-known web mail providers (e.g. Google, Yahoo, etc.) use some anti-automation technique (captcha) at these critical steps. Those captchas are not easy even for a human being to crack, so trying to crack them with the available OCR engines would be a waste of time. So human effort is a must to break those captchas. How? We have a trick for that too.
Step 4: Send back the captcha/secret question/any challenge to the user to break
After detecting anti-automation on the page, our Selenium web server will extract the captcha from the password recovery form and ask the victim to solve the same captcha. When the victim solves the captcha, it will take that answer and submit the actual captcha form. BINGO!
Once the captcha is cracked, it will face the first security question (if one is available). It will then extract the first security question from the actual password recovery form and add it to the survey form along with other fake questions, to make the survey form a bit more realistic.
Step 5: Send the user response to Gmail and reset the password
When the victim answers that question, it will instantly take the answer and submit it in the actual password recovery form. We expect that the victim will answer the security questions correctly.
After that it will face the second security question, which it will treat in the same manner. Once it has got this far, it will automatically change the account password to our desired one.
Abusing SMS/Email Based Password Recovery system using the same technique:
An SMS/email-based password recovery system can also be abused using the same technique. If we consider Gmail, when our custom Selenium web server detects that there is no security question option in the password recovery form of the target email account, it will go for the SMS-based password recovery option. Generally Google's web application discloses the last two digits of the given phone number and sends the SMS to that phone. Our custom Selenium web server will do the same: it will extract the last two digits from the recovery form and send them to the victim. The phishing form is designed in such a way that it will say something like this:
“Hey you have to go through a verification process to download this software package. Please enter your mobile no. We will send a verification code through Google to that number”.
Luckily, Google delivers the password recovery code over SMS very poorly. It just sends an SMS like:
“Your Google Verification Code is :123456”.
Within a second of the mobile number being entered, our Selenium web server will submit it, and the victim will receive the password reset code from Google. As there is currently no indication in the SMS sent by Google that this is a very critical code, unlike other verification codes, a general Internet user is very likely to trust the application and share the password reset code.
In the next step it will ask for the received code, and after getting the code our Selenium server will do the rest, which is changing the password.
As password recovery sections are very critical, service providers maintain very strict session information in these areas. Passing these sections automatically by sending HTTP requests from a scripting language is very tough. If something goes wrong, it will destroy the session entirely, so the chances of the attack failing are very high. If we consider Gmail, the application is very dynamic, so parsing JavaScript from the HTTP response and extracting the required values is very difficult.
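The gap this section relies on is that the SMS does not say what the code is for. The following added example (not from the original article, and not any provider's real code) sketches the provider-side fix: each code is bound to one purpose and one account, and the message text names the action. The class, function names, message wording and TTL are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo values (assumptions, not taken from any real provider).
CODE_TTL_SECONDS = 300
TEMPLATES = {
    "password_reset": "{code} is your code to RESET THE PASSWORD of {account}. "
                      "Enter it only on the provider's own site; never give it "
                      "to another site, form or person.",
    "phone_verification": "{code} is your code to verify this phone for {account}.",
}


def mask(account):
    """Show just enough of the address for the owner to recognise it."""
    local, _, domain = account.partition("@")
    return f"{local[:2]}***@{domain}"


class CodeIssuer:
    """Issues one-time codes valid for exactly one purpose and one account."""

    def __init__(self, now=time.time):
        self._key = secrets.token_bytes(32)
        self._pending = {}  # (account, purpose) -> (keyed digest, expiry)
        self._now = now

    def _digest(self, account, purpose, code):
        msg = f"{account}|{purpose}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account, purpose):
        """Return (code, sms_text); only a keyed digest of the code is stored."""
        code = f"{secrets.randbelow(10**6):06d}"
        expiry = self._now() + CODE_TTL_SECONDS
        self._pending[(account, purpose)] = (self._digest(account, purpose, code), expiry)
        return code, TEMPLATES[purpose].format(code=code, account=mask(account))

    def verify(self, account, purpose, code):
        """One attempt per code: wrong purpose, expired or replayed codes fail."""
        entry = self._pending.pop((account, purpose), None)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            return False
        return hmac.compare_digest(digest, self._digest(account, purpose, code))
```

A message that names the action and the masked account gives the recipient the context the bare "Verification Code" text lacks, and the purpose binding keeps a code issued in one flow from being accepted in another.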
A Very Basic Custom Selenium Web Server Code Used in this Demo: