Showing posts with label #cyber. Show all posts
Showing posts with label #cyber. Show all posts

Friday 12 January 2018

, , , , , , , ,

DDE Attack


In the recent weeks we are more and more often reading news that talks about attacks that exploit DDE technology, Botnets that exploit the DDE attack, Ransomware that are distributed via DDE attack and so on.
Well, this is the right time to clarify this technology and this new attack way.

Let's start from the basics, what is DDE?
DDE, which stands for Dynamic Data Exchange, it is an interprocess communication system (IPC) introduced for the first time in 1987 with Windows 2.0.
This technology and its functionality have been largely supplanted by OLE - Object Linking and Embedding. However, DDE is still used due to its simplicity.

Like macros, DDE is a legitimate feature of Microsoft Office and allows to share a set of data between applications. For example, you could create a Word document linked to an Excel document so that the data in the first one will be updated automatically whenever are you changing Excel spreadsheet data.

In which way this attack is bring out?
Performing a DDE attack is very simple. Just add the string {DDEAUTO} to call the DDE feature, , in the text of a Microsoft Word document, followed by the command you want to run, all within the braces.

Can it be used only in Office documents?
No, not only Microsoft Office documents.
This attack can also pull off via Outlook, by sending an email, an email or an appointment, known as "calendar" in company jargon.


Now we are going to create a formatted content using Microsoft Outlook's "Rich Text Format" (RTF) and insert the malicious code inside it and save it as email. Next step will be to attach this one to the email we'd like to send, write a a title and a text to attracting victim's attention and push it to open it.


What can you do with this attack?

In which DDE attack would be used:

  • to send a computer in Denial Of Service (DOS) by running countless instances of a specific software until the available resources are saturated;
  • running software or scripts that could give full control of the computer to the attacker;
  • download malware to use to exfiltrate data.


How to recognize fraudulent content?
When you are opening the file, a warning message is showed to you. It is warning yo that the file has an external contents and asks for confirmation to continue.


If your chiose has been "YES", a new message will be displayed asking if you want to run a specified application. The in example below the command / application quoted is "cmd.exe".


However, it should be noted that the information concerning the execution of the command can be hidden or omitted by editing the syntax of the malicious code.

How to defend yourself?
When the warning message realated external contents has popped out, clicking "No" block the attack attempted.


You can also defend yourself better by changind setting and display all messages in text format.
However, this workaround involves the deactivation of all formatting, colors and images from all incoming e-mails and consequently some contents could not be rendered.

Why this new attack?
Cyber criminals are starting to use DDE technology because it is different from macro and because they are always looking for new ways to mislead the victim.
For years we are witnessing attacks based on the macro but fortunately you can disable this technology and therefore prevent malicious content from being automatically performed when the file is opened.
This new way, though it has some limits dictated by the interaction with the user, could lead an untrained or careless person to think that it is an error that occurred due some file's errors.
In the last weeks this new attack way has grown exponentially thanks to the fact that you do not have to send attached to the email documents of Microsoft Office or PDF, but just attach another email or a "calendar".


Please note, this article was created in the end of October 2017, but only at this time I have been able to publish it.

Wednesday 18 January 2017

, , , , , , ,

Retrieve Personal Information using Boarding Pass Published on Social Networks




This article want to be a POC (Proof of Concept) about how an attacker with bad intention could use your pictures published into Social Networks to retrieve information about you.

Are you readyyyyy?? ...Here we goooo!!

In the last days I discovered a Web Site that works like an OCR, it can reads the content of a Barcode Image uploaded. Barcodes type supported are:

  • Code 39, 
  • Code 128, 
  • PDF417, 
  • Barcode Postal (IMB, 4state), 
  • QR code, 
  • DataMatrix Barcode, a
  • Driver License, 
  • ID cards Barcode.


I started joking with different pictures that I found on different social networks, during my jokes I have been captured by a boarding pass' picture.

I decided to use it and try to identify the content of the barcode printed in it.

The first test failed, the second had the same result and then I decided to change Social Network. My first idea has been Instagram.

I looked for "boarding pass" using hashtag (#boardingpass) and I received more than 60.000 results.

I decided to focus my test on the picture reported below (it is censored for clear reason).

I copied the barcode, I saved it and then upload it on the website...I waited just 2 seconds and Bhoooommm! Data was reported into the web page:

  • Name's passenger,
  • Surname's passenger,
  • PNR code, 
  • Departure place, 
  • Destination place, 
  • flight's number and so on...



Reading these data, came back in my mind my last trip and the email received from the flight's company. If I remember well, its contents was a PNR code and other flight's information...I checked my mail box and luckily I have not had deleted it!! It was still there! :)


The flight's company sent to me a PNR code in order to use it, in association with other personal data, to give me the opportunity to do Check-In, Checks my booking and so on.

So, absolutely you have just in your mind what had been in my mind after my little learn.
Yes, it is right! I'd like to retrieve more personal information about this person from flight's company web site. Well, I will try!

...But, what is the flight company's names? From the boarding pass' pictures was hard to retrieve it and I decided to use the information inside the barcode to achieve my goal. Into the barcode's data the third part contains information about flight, I putted them into google flights website and...Bhhoooommm!! I retrieved a list of flight's companies that make this route.

The next step was easy, I checked the web site of the company in order to find the area where I can check booking.

The web page showed a form where PNR, Name and Surname were required. Doh! I need a Name and Surname of this person...I decided to come back to Instagram in order to retrieve info about this person.

It was not a hard work, the person has as "account's name" his name and surname.

OK, now I had everything I needed, I inserted the data and... (look by your self!).

Into the web page is reported everything, (Name, surname, ticket's price, date, etc.)


PLEASE, NOTE
This is only a demonstration about how much is dangerous to publish your pictures on social network!! It is not a way to force someone to perform dangerous and illegal acts!!!

TAKE CARE TO YOUR PRIVACY AND YOUR PERSONAL DATA!!


NOT PUBLISH YOUR PERSONAL INFORMATION ONLINE!