Layering: Cybersecurity uses multiple layers of defense when protecting information or resources. If one layer is defeated the next layer should still be defending.
Information Hiding: Information hiding is any attempt to prevent people from being able to see information. It can be hiding the content of a letter, or it can be applied to hiding how the letter is delivered. Both ways can prevent people from being able to see the information. This lesson looks at how malicious information can be hidden in URLs or other data fields.
Obfuscation means the act of making something obscure, unclear, or unintelligible. In this sense, it means to make code that is intentionally hard to read, usually to prevent the code of an atttack from being easily read.
Examine this link: https://robinagandhi.github.io/phishing-demo/obfuscated.html
Spammers use such obfuscation to avoid detection and analysis. Navigate away from such pages or delete emails that have gone to such lengths to conceal their “trickeries”.
Just viewing the source files for obfuscated pages provides no useful information. But if we put our minds to it, we can defeat the bad guys. Navigate back to the obfuscated page. Then right click on a blank area and select
Inspect Element. In the
Elements tab unravel the HTML code that is computed by the browser to render a human readable page. Now it should look similar to the phishing page from before:
The developer tools built into the browser also help us see right through the obfuscated data.
Examine links on this page: https://robinagandhi.github.io/phishing-demo/encoding.html
Have you seen links like this before? Examine the page source (right click the blank area and click
Now click on the URLs to reveal their true destinations. How is this working?
Most humanly readable domain names map to IPv4 addresses. IPv4 addresses are 32-bit binary numbers. Typically, they are expressed as 4 sets of decimal numbers from 0-255. For example,
unomaha.edu maps to the
184.108.40.206 IP address.
It just so happens that 32-bit IP addresses can be expressed in Octal, Decimal and Hex formats. Browsers know how to interpret IP addresses in these formats.
Links #1-3 are explained below for an IP address that maps to
220.127.116.11 # One of the IP addresses for google.com Decimal (Base 10) and Hex (Base 16) Encoding First, convert to Binary (Base 2) 216 = 11011000 58 = 00111010 194 = 11000010 36 = 00100100 Combined Binary: 11011000001110101100001000100100 Decimal equivalent: 3627729444 --> http://3627729444/ Hex equivalent : 0xD83AC224 --> http://0xD83AC224/ Octal Encoding (Base 8) Octal equivalent numbers need to be padded with a leading zero. 216 = 0330 58 = 072 194 = 0302 36 = 044 Octal equivalent: http://0330.072.0302.044/
Security Tip: Never visit links that have IP addresses or numbers as their web address. These are most likely machines connected to the Internet with no legitimate domain name mapping, which means there is no validation. Anybody can set them up with an Internet connected machine.
URLs embedded in HTML pages can be encoded in Hex or Decimal encodings. Link #4
href generation is explained below.
ASCII Encoding for www.wellsfargo.com Hex Encoding (Starts with % sign) www = %77%77%77 Decimal Encoding (Starts with &#) wellsfargo = wellsfargo.com Final URL: http://%77%77%77.wellsfargo.com This forms the href attribute of Link #5. ASCII Table: http://www.asciitable.com/index/asciifull.gif # This is a useful resource for ASCII to hex, decimal conversions The `HTML` column in the ASCII table explains how obfuscation on this page works. For example, `w` maps to the letter `w`. A browser does this automatically and renders a humanly readable webpage. Dev tools (Inspect Element) should also help.
Link #5 is an image map. Different regions of the image are mapped to different URLs. Try hovering your mouse over the image starting from the far right, slowly moving towards the left. Notice the change in links in the status bar. Spammers trick victims by embedding images with a mix of malicious and legitimate links using this technique. For example, by chance, you may hover over an image area with legitimate links when checking the status bar, but then click a different (malicious link) area to visit the linked website.
Crafting URLs is just one part of the deception used by spammers. Spear-Phishing is a social engineering technique where a spammer uses intimate details about your life, your contacts, and/or recent activities to tailor a very specific phishing attack.
Watch this 3 min video (if you do not have audio, it is OK):
There is a ton of information on the web pertaining to most of us. This is true even if you do not use social media. Voting registries, court records, county and property records, phone books, online review sites are just some examples. If you use social media, then there is a lot more information to collect. All you need is your target’s name to start reconnaissance.
You may have to pick out yourself from other people who share your name. But that should be easy with additional information about your age and location.
Sites like Facebook, Linkedin, company websites, organizational charts and employee directories, make it easy to craft emails from colleagues, friends, and family. There are commercial tools available to collect what is called Open Source INTelligence or OSINT. Here is a tool that does just that: https://www.paterva.com/web7/buy/maltego-clients/maltego.php
Maltego is an interactive data mining tool that renders directed graphs for link analysis. The tool is used in online investigations for finding relationships between pieces of information from various sources located on the Internet.
Security Tip: Even when clicking on links in emails or websites shared by close colleagues, friends, and family; trust but verify. This advice will seem even more reasonable after going through the Email analysis module.
GPS-enabled smartphones allow photos, videos, messages and social media posts to be Geotagged. Location information is embedded in the metadata for media alongside file name, date, camera information, etc. When geotagged media is shared publicly, location information is often inadvertently shared along with it. Such information aggregated over time starts to reveal private information such as: work and home locations, daily routines, frequented places, vacation destinations, shopping places, and much more.
Tools are freely available for conducting Geolocation OSINT. For example, this tool is aptly named geoCreepy!
Source code: https://github.com/ilektrojohn/creepy
To spread awareness of this issue, an educational web application has been developed.
http://app.teachingprivacy.org (Beware of the “.com” version of this site. This is called
This web-application takes a twitter handle and aggregates all publicly available geotagged information on a map. For example, here search for the twitter handle @stevewoz for Steve Wozniak, co-founder of Apple.
It is often prudent for celebrities and politicians to turn off geotagging in their posts. Here is Donald Trump’s twitter account. He (or someone on his behalf) has taken appropriate steps to avoid leaking information about his whereabouts through social media, even while leaking hot air.
To prevent inadvertent sharing of geolocation data, turn off location services for social media applications. Also, remove geotags from photos before sharing them on social media. Here is some more guidance: http://teachingprivacy.org/prevention/#location
Protecting privacy requires Information Hiding. Deleting or hiding metadata prevents sensitive patterns from being learned over time. This is true even for encrypted
https Internet traffic. While
https encryption protects message contents, it still reveals the communication endpoints. Over time an accurate communication graph can be built by examining many such communications. To conceal browsing patterns over the Internet, Virtual Private Networks (VPN) are very effective. VPNs work by forming a tunnel between your current connection and a known network (such as the unomaha network). Once a tunnel is formed, all requests you make appear as if they originate from within the known network, since they emanate from the location you have tunneled to.
Lesson content: Copyright (C) Robin Gandhi 2017-2018.
This lesson is licensed by the author under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.