Francophoned Attack

utkarsh — Tue, 15 Apr 2014 03:34:36 +0000

Social Engineering is the art of convincing People to reveal confidential information. It is depend on fact that people are unaware of their valuable information and are careless about protecting it.

In the similar way Francophoned is type of sophisticated Social Engineering Attack. In April 2013, In a French based multinational company received an email to an invoice hosted on a popular file sharing service by the administrative assistant to a vice president ,a few minutes later, the same administrative received a phone call from another vice-president within the company ,instructing her to examine and process the invoice. The vice president spoke with authority and used perfect French. However, the invoice was fake and the vice president who called her was an attacker.

The Invoice was actually a Remote Access Trojan (RAT) that was configured to Command and Control server located in Ukraine. The tactics like email followed by Phone call and using French, are sign of aggressive social Engineering.

Social Engineering Tactics Used in Francophoned Attack

Firstly the attacker compromised the systems using RAT.
Once the systems were compromised using RAT, after that retrieved identifying information and necessary confidential information.
Using the retrieved data the attacker was able to impersonate as authorize representative and called to telecom provider of the organization’s and proved his/her authenticity to the telecom provider, and said that they needed all of the organization phone numbers to be redirected to attacker-controlled phones.
Immediately after the phone number redirection,the attacker faxed a request to the organization’s bank, requesting multiple large-sum wire transaction to numerous offshore accounts.
As this was unusual transaction, the bank representive called the organization’s number on record to validate the transaction. This called redirected to the attacker who approved the transaction.
The funds had transferred through multiple accounts, which were later laundered through other accounts and monetary instruments.

Abhishek Rai
IMS2013017

Evil Twin AP

utkarsh — Tue, 15 Apr 2014 03:33:30 +0000

Evil Twin AP is confidentiality based attack to wireless users on public and Private WLANs.

It is a phony wireless Access Point that pretends to be a legitimate Access Point by advertising the respective WLAN’s name (that is SSID). KARMA tool is used for monitoring station probes, looking for commonly used SSID’s and adopting one as its own. On the other hand those APs that do not send SSIDs in beacons can be monitored and identified by using Wireshark, Kismet or another WLAN analyzer.

Why an AP that uses someone else’s SSID dangerous?

Wireless station generally connects to any AP with a given SSID. In the worse, many station automatically reconnect to any SSID used in the past. By placing an Evil Twin near business users can be enough to trick their wireless devices to associated with a phony AP. Even sometime an attacker who gets impatient waiting for users to roam to the Evil Twin can use tool like Airplay to deauthenticate everyone, forcing immediate reassociation.

Once the Legitimate users connected to an Evil Twin, can use its vantage point to launch many other attacks. For example, any web request can be redirected to the local host through DNS spoofing. A Man in Middle tool like Dsniff that can compromised SSL or SSH sessions by posing as Target Server.

How to Stop these Attacks?

By educating users who are readily connect to any AP to obtain free access of internet, without know to who might own that AP or how that AP may trick them into disclosing Sensitive Data.
Explain them not to accept SSH public keys or SSL server certificates blindly, and the potential consequences of doing so.
In the organizations provide your users with tools that detect or better yet ,prevent unauthorized wireless connection. For Example:
Use Intrusion detection System to spot or block policy associations.
Prevent users from adding unsecured wireless network entries.
Supply mobile users with secure hotspots client to avoid web page login.
Educate users about options for using 802.1X in home WLANs.

However there are many steps that can be helpful to evade Evil Twins, but it may not be practical to eliminate all risks.

Nitin Pandey
Company – Innodata Noida

B'Cognizance » IT Vulnerability

Francophoned Attack

Evil Twin AP