How hackers use email

16 September 2014

Interview with

Stephen Kho, Rob Kuiter, Vlad Ovtchinikov at the 44Con cybersecurity conference

Do you use your mobile phone to browse the Internet when you're abroad? If you do, you could be in danger of someone siphoning off your data. We'll hear how in a moment....

But first, email: if an email turns up from someone with a familiar name, and there's a document attached to it that seems to be relevant, or you work in recruitment and someone sends you a CV, you're likely to open it. But these documents are often phony and are a virus in disguise. And when you open them on your computer they deploy a malicious programme called a "payload" that hijacks the machine.

Graihagh Jackson has been at the 44Con conference where she met Vlad Ovtchinikov who looks at ways hackers use to entice us to open malicious documents...

Vlad -   These days, what attackers are moving onto is client side exploitation.  It's when we deliver a payload, not directly, not attacking the machine directly from the internet, but we deliver the payload which will infect the system through email or other means.

Graihagh -   So, I open up an email and how might you be able to infect my computer with malware?

Vlad -   Well usually, scenarios are - we profile our targets carefully.  We construct an email within the context of interest of the business of the person we're targeting.  In lots of cases, we use documents.  It contains some smart code within it which will identify the system that it runs on and then it will execute the payloads and will provide us with reverse access to your system.  This is the primary distribution vector for banking malware.

Graihagh -   So, it's literally as simple as opening up a Word document.

Vlad -   Yes, it is.  From my experience, we were successful, 95% success over that.

Graihagh -   So, how do you convince people to open this document, because we all know that you don't open emails from people you don't know, you don't trust; it might contain software.  People are aware of that.  So, how do you convince them, so to speak?

Vlad -   It might be from a national organisation and it might be an email sent to you from a trusted address containing something that's tempting to open.  It might be a payslip from the place or organisation.  So, there are many different associated tricks to make you want to execute a document and run it.

Graihagh -   So, to engage someone, you might say, my colleague 'xyz''s salary or bonus, and that might be a good way to entice someone.  I know I would be tempted to open up a document that said something like that.

Vlad -   There are many different ways and techniques we can apply in order to persuade the potential victim to run it.  Most of those documents are cleaned up so anti-virus systems that you have installed will not catch them.

Graihagh -   So, once you have access, once you've opened that document, what sort of information can you gain through that?

Vlad -   Everything.  Everything that the user has access to, even more in some cases, we have more access and control over the box that the user has.  So, full access to the user's workstations and the network environment around him.

Graihagh -   What sort of examples do you have that might demonstrate the power of something like this?

Vlad -   Malicious guys, based underground.  So, they'll be able to fish out credit card details from your computers.  They'll be able to see their memory.  It will inject itself into the browser and will compromise everything you see on screen through the browser.  It'll be able to capture any form submissions which you are sending out via HTTPS.  It's called form grabbing.  For example, you visit an HSBC webpage.  Everything looks legitimate, but before the browser renders it up, the HTML will be able to inject some additional code into it, so whatever you see will be hijacked.  There might be an additional field added to it asking for your date of birth or your credit card number due to security reasons or whatever.  So, everything can be done.  Once you compromise the system, everything on the system as well as everything that sits behind it within that work environment is basically in the open air.

Graihagh -   I've learned a little bit about some of the security issues about what happens when you're at home and in the workplace, but what about when you're on your holidays?  Well, I've just stepped outside the conference with Stephen Kho and Rob Kuiters from KPN to talk a little bit about what happens when you're roaming abroad on your mobile phone or tablet.  Normally, when you're at home, you're browsing the web.  That data goes straight to your network.  But when you're traveling in another country, there's an additional network it has to go through and that network is the GRX.  Now, you've both been looking at the security of this additional network GRX.  But first Stephen, what sort of data are we talking about here?

Stephen -   GRX carries the roaming data part.  So, not the voice or your SMS text, but anything you do when you're browsing the internet, for example.  So, if you log into Yahoo mail, Gmail, your Facebook, all related data goes across that.

Graihagh -   What's your work revealed?

Stephen -   We discovered actually that so much of the GRX network equipment - so the servers and different systems - was fully out of date, misconfigured, missing patches.  And so, with easily available hacking tools you could reach it and exploit those systems and then subsequently, you could capture this information.

Graihagh -   What sort of information are we talking about?  I know we say we've logged into Facebook, but does it really matter that they've seen a few friends and I've written that I like that person's photo on Facebook?

Rob -   I think there's more data carried across.  It's not only your content, but also your credentials.  So, you're using your passwords.  You could access all these kinds of information on this network.

Stephen -   On top of that, GTP which is the protocol information, that has your location details.  It also reveals what sort of equipment you're using.  So, if you're on an iPhone 5S or a Samsung S5, that sort of information is available which means that you can have a really targeted exploit against you if you were the person of interest.

Graihagh -   So, it's not just generic sweeping data.  It's actually data that's very, very personal to you.  Surely, that's illegal.  Surely, that shouldn't be allowed to happen.

Stephen -   Well, that's very difficult to say because we don't actually know what kind of legislation or what kind of freedom these intelligence services have.  But you can, if you want to, protect yourself by using a VPN solution.  So, there are quite a number of applications which you can install on your phone which encrypt your information from your phone towards a server.  So, you have additional security measures there.  It's more difficult for them to extract the information out of that traffic flow.  That's the kind of protection you can take care of yourself.