How hackers seduce gullible browsers

16 Oct

Even the FBI is vulnerable to hack attacks, particularly by autistic UFO-hunters

I received an email today with a link to a free Chase and Status download. Clearly the band are promoting their new single, and I am on the mailing list because I follow them on Twitter… in which case, why did they ask for my email in order to add me to the mailing list? Do they really need permission to send me news? Or was the promotion completely unauthorised? I have subsequently deleted all potentially malicious cookies, so will never know.

The URL redirected me to YouTube, where there was indeed a button that ostensibly allowed you to download the band’s new music video, ‘Big Man,’ at no personal cost. It begs the question of why it didn’t send me to the official Chase and Status website. Could it all be some elaborate ruse? It is common knowledge that scamsters often create fake webpages as a front for malicious HTML commands. Simply by clicking on the URL, you authorise whatever piece of code they have scripted.

One possible malicious action this ruse could represent is cross-site request forgery. An official site – say iTunes or HSBC – will usually store each user’s authentication information in a cookie, provided they have visited it fairly recently. The site could still have the victim’s secure ID stored and linked to their IP address. The hacker’s piece of code could make the browser of anyone who clicks on the URL send an HTTP request to this ostensibly secure site and perform a scripted command, like a transfer of money or the download of a virus-ridden music file.
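The usual server-side defence against the forged request described above, as an added example that is not part of the original post: the site only accepts a state-changing request if it carries a token tied to the session, which its own pages know and a third-party page does not. The function names, the `sid` cookie and the request shape are assumptions made for illustration.

```javascript
// Added example: CSRF token check on a state-changing request (Node.js).
const crypto = require("node:crypto");

// Constructed server secret and in-memory session store, illustration only.
const SERVER_SECRET = crypto.randomBytes(32);
const sessions = new Map(); // sessionId -> { user }

function login(user) {
  const sessionId = crypto.randomBytes(16).toString("hex");
  sessions.set(sessionId, { user });
  return sessionId; // delivered to the browser as the "sid" cookie
}

// Token bound to the session; the site embeds it in its own forms.
function csrfTokenFor(sessionId) {
  return crypto.createHmac("sha256", SERVER_SECRET).update(sessionId).digest("hex");
}

// Constant-time comparison so the token cannot be guessed byte by byte.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// request = { method, cookies: { sid }, body: { csrf, to, amount } }
function handleTransfer(request) {
  const sid = request.cookies.sid;
  if (!sessions.has(sid)) return { status: 401, reason: "not logged in" };
  if (request.method !== "POST") return { status: 405, reason: "state change requires POST" };
  // The cookie alone is not proof of intent: the browser attaches it to every
  // request to this site, including ones triggered by another page.
  if (!safeEqual(request.body.csrf ?? "", csrfTokenFor(sid)))
    return { status: 403, reason: "missing or invalid CSRF token" };
  return { status: 200, reason: `transfer of ${request.body.amount} to ${request.body.to} accepted` };
}

function demo() {
  const sid = login("alice");
  // Request from the site's own form: cookie plus matching token.
  const genuine = handleTransfer({ method: "POST", cookies: { sid },
    body: { csrf: csrfTokenFor(sid), to: "bob", amount: 10 } });
  // Request triggered from another page: cookie is attached, token is absent.
  const forged = handleTransfer({ method: "POST", cookies: { sid },
    body: { to: "someone-else", amount: 10 } });
  return { genuine: genuine.status, forged: forged.status };
}

console.log(demo());
```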

Another older tactic is cross-site scripting, which exploits the concept of ‘same-origin policy’, the precept by which, once a user enters their secure ID and accesses the site, that website will in turn have access to parts of their system. A scamster can fold malicious content into the trusted server or web-based application. For example, when entering information into an online dating profile, one could put a secret message at the end of the question “Describe what you are looking for in a man”. This message, hidden between <script> tags, could extract information the website keeps concealed for privacy reasons, like contact details – or the user’s bank account and credit card number. Every time a browser clicked on the hacker’s “Describe what you are looking for in a man” box, they would authenticate the command extracting information they had willingly given the website.

Both these methods rely on the user’s trust in a seemingly official site; with the latter, the site itself is genuine and there is no need to click on a malicious external URL, because it freely accepts data provided by contributors without trying to authenticate it. The lesson really is only ever to visit links from sources that you trust, and try not to post sensitive information on social networking forums even if the application claims to guarantee your privacy.

Finally, to really mess with your mind, I bring you the omnipotent LogMeIn web interface (similar applications include GoToMyPC and Windows RDP), a neat piece of software used by IT technicians to view and control your device remotely. It relies on the device owner’s consent to gain access originally. But, as we have seen, there are a number of ways to artificially generate a session identifier based on browser history or scripted commands. Where these approaches fall through, some outfits call up unsuspecting users masquerading as Microsoft’s help service. They call up and tell you your computer is ridden with viruses, and they need your permission to go in and fix it. In a matter of hours they can steal all your most sensitive documents, login details and so on. In the words of my friendly local IT man, be careful on the internet of things pretending to be something they are not. The more seductive something appears, the more likely it is to rinse you out for everything you are worth.
