If you navigated to your spam inbox right now, how many emails are in there that look like obvious phishing emails? If it’s anything like mine, it’s a lot. I’ll show you what could be behind that link in your spam mail. This isn’t to say every phishing email is meant to turn on your webcam, because they’re not. In reality a very very small portion will direct to some type of exploit, but I’ll show one of many possible attacks.
So to demonstrate, I’m using a pretty old version of Java. Chances are you’re not running this version, but there’s several other versions this exploit works for, so if you haven’t updated Java in awhile, you should probably update. It’s annoying, but that’s security.
This is showing the description of the exploit, which in summary takes advantage of a string in code that accesses another part of code where it shouldn’t be able to and allows injection of malicious code to spawn a reverse shell (a shell is a window where commands can be passed to the operating system). Now, normally this exploit will be hosted on a website instead of on just a regular machine. What I mean by this, is that when you visit an infected website, you will automatically trigger the java exploit just by simply going to the webpage. So normally, in a phishing email, the phony link will just send you to the malicious website hosting the exploit, or more realistically a legitimate website that has been hacked and in turn, forced to host the exploit.
The above picture is showing all the settings that goes into the attack. The payload is a meterpreter reverse TCP shell, which I’ll explain later. The important bits are the LHOST, which is my PC’s IP address, LPort, which is the port the attack is communicating to me over, and finally at the bottom is the URL. So the URL is just my IP address. As I said before, normally this would be a website name but for demonstrative purposes I’m hosting the exploit on my PC.
At this point my machine is just now waiting for someone to click the link, but to deliver it I’ll do something with phishing emails.
So we make a string of text a hyperlink, like below, that just points to our malicious URL.
We compose a clearly obvious phishing email and hit ‘send’. The actual email itself can look extremely legitimate with the only red flag being the sender, but I’ll just show something simple here.
Over on the victim’s side, I open up the email and click the link.
Clicking on the link opens the Java pop-up show below. This displays for about half a second, to the point where if you blink you’ll miss it. After Java launches, it just either exits the browser or goes back to the page you were just at, like nothing ever happened.
So Java launched and the exploit has worked. This is what the victim sees. Notice the upper left hand corner and the java instance on the task bar at the bottom.
A Java instance is clearly running, but even if you click out of it, the process is still running.
And this is what the attacker sees
In the text box, it shows I have a Meterpreter session open, which is a type of specific type shell that allows me to pass more commands than a normal shell. Here’s a full list of options (slideshow):
This is where the attacker is able to turn on your webcam if you have one.
They can steal files, make myself a backdoor, watch your desktop, basically anything they want. So how do you stop it? You can kill the process in task manager, and you can reboot. However, some exploits will just restart them selves upon reboot. The best case of defense is to just use your head and common sense. Verify the sender is actually who it seems to be and pay attention to where that hyperlink is actually going.
Moral of the story:
- Don’t click on links in emails from people you don’t know
- Update your software, not just Java.