Watering Hole Attack PDF
Document Details
Uploaded by barrejamesteacher
EC-Council
Summary
This document details the watering hole attack and the man-in-the-browser attack. It explains how cybercriminals inject malicious scripts or codes into websites targeted at vulnerable individuals or organizations. It emphasizes financial security and security mechanisms.
Full Transcript
Certified Cybersecurity Technician Exam 212-82
Information Security Attacks

Watering Hole Attack

* When the attacker identifies vulnerabilities in the website, the attacker injects malicious script/code into the web application that can redirect the webpage and download malware onto the victim machine.
* This attack is called a watering hole attack because the attacker waits for the victim to fall into a trap, similar to a lion waiting for its prey to arrive at a watering hole to drink water.
* When the victim surfs the infected website, the webpage redirects to a malicious server, leading to malware being downloaded to the victim machine, compromising the machine as well as the network/organization.

[Slide diagram: Attacker, Victim, Malicious Server. The attacker identifies the most visited site by the victim and infects it to redirect and download malware; the victim is redirected to the malicious server to download malware.]

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

In a watering hole attack, the attacker identifies the kind of websites frequently surfed by a target company/individual and tests these websites to identify any possible vulnerabilities. Once the attacker identifies the vulnerabilities, he/she injects a malicious script/code into the web application that can redirect the web page and download malware onto the victim’s machine. After infecting the vulnerable web application, the attacker waits for the victim to access the infected web application. This attack is called a watering hole attack, as the attacker waits for the victim to fall into the trap, similar to a lion waiting for its prey to arrive at a watering hole to drink water. When the victim surfs the infected website, the web page redirects him/her and downloads malware onto his/her machine, compromising the machine and indeed compromising the network/organization.
Figure 2.40: Watering Hole attack. [Diagram: Attacker, Victim, Malicious Server. The attacker identifies the most visited site by the victim and infects it to redirect and download malware; the victim is redirected to the malicious server to download malware.]

Application Level Session Hijacking: Man-in-the-Browser Attack

* The man-in-the-browser attack uses a Trojan horse to intercept calls between the browser and its security mechanisms or libraries.
* It works with an already installed Trojan horse and acts between the browser and its security mechanisms.
* Its main objective is to cause financial deceptions by manipulating transactions of Internet banking systems.

A man-in-the-browser attack is similar to an MITM attack. The difference between the two is that a man-in-the-browser attack uses a Trojan horse to intercept and manipulate calls between a browser and its security mechanisms or libraries. An attacker positions a previously installed Trojan between the browser and its security mechanism, and the Trojan can modify web pages and transaction content or insert additional transactions. All of the Trojan’s activities are invisible to both the user and web application. The main objective of this attack is financial theft by manipulating transactions made using Internet banking systems. A man-in-the-browser attack can succeed even in the presence of security mechanisms such as SSL, public key infrastructure (PKI), and two-factor authentication because all the expected controls and security mechanisms would seem to function normally.

Steps to Perform Man-in-the-Browser Attack:

* The Trojan first infects the computer’s software (OS or application).
* The Trojan installs malicious code (extension files) and saves it in the browser configuration.
* After the user restarts the browser, the malicious code in the form of extension files is loaded.
* The extension files register a handler for every visit to a webpage.
* When a page is loaded, the extension matches its URL with a list of known sites targeted for attack.
* The user logs in securely to the website.
* The extension registers a button event handler when a specific page load is detected with a specific pattern and compares it with its targeted list.
* When the user clicks on the button, the extension uses the Document Object Model (DOM) interface and extracts all the data from all form fields and modifies the values.
* The browser sends the form and modified values to the server.
* The server receives the modified values but cannot distinguish between the original and modified values.
* After the server performs the transaction, a receipt is generated.
* Now, the browser receives the receipt for the modified transaction.
* The browser displays the receipt with the original details.
* The user believes that the original transaction was received by the server without any interception.
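Because the steps above depend on extension files that get a handler on every page visit, a defender can inventory installed extensions and flag any that can run on all sites. This is an added example, not part of the original courseware; it assumes WebExtension-style manifest.json files, and the extension ids, names and approved list are constructed.

```python
import json

# Match patterns that let an extension run on every site the user visits.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_access(manifest):
    """Return the manifest entries that give an extension access to every page."""
    reasons = []
    for script in manifest.get("content_scripts", []):
        hits = BROAD_PATTERNS & set(script.get("matches", []))
        if hits:
            reasons.append(("content_scripts", sorted(hits)))
    # Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
    for key in ("permissions", "host_permissions"):
        hits = BROAD_PATTERNS & {p for p in manifest.get(key, []) if isinstance(p, str)}
        if hits:
            reasons.append((key, sorted(hits)))
    return reasons

def audit(manifests, approved):
    """Flag extensions with all-site access that are not on the approved list."""
    report = {}
    for ext_id, raw in manifests.items():
        reasons = broad_access(json.loads(raw))
        if reasons and ext_id not in approved:
            report[ext_id] = reasons
    return report

# Constructed sample inventory: extension id -> manifest.json text.
SAMPLE = {
    "ext-approved-blocker": '{"name": "Blocker", "manifest_version": 3,'
                            ' "host_permissions": ["<all_urls>"]}',
    "ext-notes": '{"name": "Notes", "manifest_version": 3,'
                 ' "permissions": ["storage"]}',
    "ext-unknown-helper": '{"name": "Helper", "manifest_version": 2,'
                          ' "permissions": ["tabs", "*://*/*"],'
                          ' "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]}',
}

if __name__ == "__main__":
    for ext_id, reasons in audit(SAMPLE, approved={"ext-approved-blocker"}).items():
        print(ext_id, reasons)
```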
Application Level Session Hijacking: Session Replay Attack

* In a session replay attack, the attacker listens to the conversation between the user and the server and captures the authentication token of the user.
* Once the authentication token is captured, the attacker replays the request to the server with the captured authentication token and gains unauthorized access to the server.

In a session replay attack, the attacker captures the authentication token of a user by listening to a conversation between the user and server. Once the authentication token is captured, the attacker replays the authentication request to the server with the captured authentication token to dodge the server; consequently, they gain unauthorized access to the server.

A session replay attack involves the following steps.

* The user establishes a connection with the web server.
* The server asks the user for authentication information as identity proof.
* The user sends authentication tokens to the server. In this step, an attacker captures the authentication token of the user by eavesdropping on the conversation between the user and server.
* Once the authentication token is captured, the attacker replays the request to the server with the captured authentication token and gains unauthorized access to the server.

Figure 2.41: Prediction of session ID using a session replay attack. [Diagram: User, Server, Attacker. The user establishes a connection with the server; the server asks for authentication information for the sake of identity proof; the user sends authentication tokens; the attacker eavesdrops on this conversation and captures the authentication tokens of the user; the attacker replays this captured authentication token to the server to gain unauthorized access.]
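The replay in the steps above works because the same authentication message is valid every time it is sent. The following added example, which is not part of the original courseware, models the static-token flow beside a challenge-response variant in which each login answers a single-use server nonce; the class names, token and secret are constructed assumptions.

```python
import hashlib
import hmac
import secrets

USER_SECRET = b"constructed-shared-secret"  # sample value; never sent on the wire

class StaticTokenServer:
    """The flow from the text: a fixed token is the whole proof of identity."""
    def __init__(self, token):
        self.token = token

    def authenticate(self, message):
        return hmac.compare_digest(message["token"], self.token)

class ChallengeServer:
    """Hardened variant: each login must answer a fresh, single-use challenge."""
    def __init__(self, secret):
        self.secret = secret
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def authenticate(self, message):
        nonce = message["nonce"]
        if nonce not in self.pending:
            return False             # never issued, or already answered once
        self.pending.discard(nonce)  # single use, even when the proof is wrong
        expected = client_proof(self.secret, nonce)
        return hmac.compare_digest(message["proof"], expected)

def client_proof(secret, nonce):
    """HMAC over the server's nonce; shows knowledge of the secret without sending it."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()

def run_exchange():
    """Send each authentication message twice, as a replayed capture would be."""
    results = {}
    weak = StaticTokenServer("constructed-token-123")
    captured = {"token": "constructed-token-123"}
    results["static_first"] = weak.authenticate(captured)
    results["static_replay"] = weak.authenticate(dict(captured))
    strong = ChallengeServer(USER_SECRET)
    nonce = strong.challenge()
    captured = {"nonce": nonce, "proof": client_proof(USER_SECRET, nonce)}
    results["challenge_first"] = strong.authenticate(captured)
    results["challenge_replay"] = strong.authenticate(dict(captured))
    return results

if __name__ == "__main__":
    print(run_exchange())
```

The session identifier a server issues after login is still a reusable value, so it needs transport encryption and a short lifetime in addition to this check.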