

URL previews are a nice feature found in most messaging applications. They allow you to paste a URL to a friend or colleague, and have a handy miniature view of the website you are about to view. The downside is that a lot of applications generate these previews without you knowing what is happening behind the scenes. In some cases this can equate to you disclosing your public IP address in a manner that you likely wouldn’t want.

Don’t forget: when you browse to a website your public IP address is exposed. This is just how the Internet works unless you’re using Tor or a VPN to hide it. The difference with URL previews in messaging applications is that you are broadcasting to the website owner that you are discussing the website, as opposed to just browsing to it. This small and subtle change in context is actually quite an important distinction. You’ll see why very shortly…

A Little History

A few years ago I was on a penetration test where I was attempting to spearphish executives at a well-known corporation in Europe. They had one of the most brilliant CISOs I had ever met and an absolutely amazing incident response team on staff.

After I sent the initial round of phishing emails I was monitoring my command and control server to look for connections from users, anti-virus, or anything else that might indicate that I was either having some success or was about to be caught.

After a few hours there was not a lot of activity until my web server received a connection from an IP address that resolved back to Skype. This was a WTF moment for me since my phishing server was brand new and there didn’t seem to be a good reason why a Skype server would be touching it.

A few minutes later there was another hit from a different Skype server. Now I was really wondering what was going on. Someone was discussing my command and control system during a Skype chat, and Skype was generating previews of the phishing site I had set up. I performed a couple of quick tests using my own Skype account, and sure enough, I could reproduce the issue easily. I now knew that the incident response team was on to me, and that it was time to switch tactics.

But this also raised a much larger issue in my mind when it came to online investigations, incident response and running covert online operations.

How Does This Apply to Online Investigations?
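The Skype hits in the story above were only noticed because the server log was being watched. As an added example that is not from the original post, here is a small Python classifier that separates link-preview fetcher requests from ordinary visitors by User-Agent, run over a constructed combined-format access log; the list of agent tokens is an assumption to verify against your own logs, and the sample lines and IPs are made up.

```python
import re
from collections import Counter

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# User-Agent substrings of link-preview fetchers (assumed list; extend it from your own logs).
PREVIEW_AGENT_TOKENS = ("SkypeUriPreview", "Slackbot-LinkExpanding",
                        "facebookexternalhit", "Twitterbot", "TelegramBot", "WhatsApp")

def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_preview_fetch(agent):
    """True when the User-Agent identifies a messaging app's preview fetcher, not a person."""
    agent = agent.lower()
    return any(tok.lower() in agent for tok in PREVIEW_AGENT_TOKENS)

def classify(lines):
    """Tag each parsable entry with preview=True/False; count lines that could not be parsed."""
    hits, skipped = [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        entry["preview"] = is_preview_fetch(entry["agent"])
        hits.append(entry)
    return hits, skipped

def preview_report(lines):
    """Preview fetches per path plus the fetcher IPs: the pattern the story above describes."""
    hits, _ = classify(lines)
    per_path = Counter(h["path"] for h in hits if h["preview"])
    fetchers = sorted({h["ip"] for h in hits if h["preview"]})
    return per_path, fetchers

# Constructed sample log (documentation IP ranges; agents modelled on real preview fetchers).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"',
    '198.51.100.20 - - [10/Oct/2023:14:02:11 +0000] "GET /login HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"',
    '198.51.100.21 - - [10/Oct/2023:14:04:50 +0000] "GET /login HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"',
    '192.0.2.9 - - [10/Oct/2023:14:10:02 +0000] "GET /login HTTP/1.1" 200 2326 "-" "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"',
    "garbage line that does not parse",
]
```

Calling `preview_report(SAMPLE_LOG)` returns the per-path preview counts and the three fetcher IPs; the same split applied to a real log shows how quickly a freshly shared URL is touched by previewers rather than by the people you sent it to.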
