Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
8a3766c
commit 035a82e
Showing
2 changed files
with
125 additions
and
0 deletions.
There are no files selected for viewing
125 changes: 125 additions & 0 deletions
125
_posts/2013-02-25-understanding-a-phishing-attack.markdown
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,125 @@ | ||
--- | ||
layout: post | ||
title: Understanding a phishing attack | ||
--- | ||
|
||
# {{ page.title }} | ||
<p class="meta">25 February 2013 – Bangalore</p> | ||
|
||
I opened my mailbox today and found a lot of messages from friends saying that they got a twitter DM (Direct Message) from me, with a phishing link. I opened twitter and looked at sent messages and found a lot of them but none of them were sent by me. I was sure that my twitter accont was compromised. | ||
|
||
## Understanding the phishing attack | ||
|
||
One of the tinyurl used in one of the DMs was `http://bit.ly/YQPCXA`. I've wanted to find what it is doing. | ||
|
||
$ curl -I http://bit.ly/YQPCXA | ||
HTTP/1.1 301 Moved | ||
Server: nginx | ||
Date: Mon, 25 Feb 2013 02:30:25 GMT | ||
Content-Type: text/html; charset=utf-8 | ||
Connection: keep-alive | ||
Set-Cookie: _bit=512accc1-00036-074ec-3d1cf10a;domain=.bit.ly;expires=Sat Aug 24 02:30:25 2013;path=/; HttpOnly | ||
Cache-control: private; max-age=90 | ||
Location: http://surl.dk/bvi?fpma | ||
MIME-Version: 1.0 | ||
Content-Length: 115 | ||
|
||
That is a redirect to `http://surl.dk/bvi?fpma`. Followed it again. | ||
|
||
$ curl -I http://surl.dk/bvi?fpma | ||
HTTP/1.1 302 Moved Temporarily | ||
Date: Mon, 25 Feb 2013 02:30:31 GMT | ||
Server: Apache mod_fcgid/2.3.6 | ||
X-Powered-By: PHP/5.3.18 | ||
Location: http://trvitter.com/r3 | ||
Content-Type: text/html | ||
|
||
Still another redirect. followed it too. | ||
|
||
$ curl -I http://trvitter.com/r3 | ||
HTTP/1.1 301 Moved Permanently | ||
Date: Sun, 24 Feb 2013 20:24:39 GMT | ||
Server: Apache/2.2.15 (CentOS) | ||
Location: http://trvitter.com/r3/ | ||
Connection: close | ||
Content-Type: text/html; charset=iso-8859-1 | ||
|
||
`trvitter.com`? This looks like a fishing attack. Notice that the domain name looks similar to `twitter.com'. | ||
|
||
$ curl -i http://trvitter.com/r3/ | ||
HTTP/1.1 200 OK | ||
Date: Sun, 24 Feb 2013 20:26:22 GMT | ||
Server: Apache/2.2.15 (CentOS) | ||
Last-Modified: Sun, 24 Feb 2013 20:26:22 GMT | ||
ETag: W/"ffcd2-4d-4d68239c2c180" | ||
Accept-Ranges: bytes | ||
Content-Length: 77 | ||
Connection: close | ||
Content-Type: text/html; charset=UTF-8 | ||
|
||
<meta http-equiv="refresh" content="0; URL=/g/verify/?&account_secure_login"> | ||
|
||
Another redirect, this time using a `meta` tag. Followed that too. | ||
|
||
$ curl -i 'http://trvitter.com/g/verify/?&account_secure_login' | ||
HTTP/1.1 200 OK | ||
Date: Sun, 24 Feb 2013 20:27:22 GMT | ||
Server: Apache/2.2.15 (CentOS) | ||
Last-Modified: Sun, 24 Feb 2013 19:16:25 GMT | ||
ETag: "ffc88-b0c-4d67d42b11440" | ||
Accept-Ranges: bytes | ||
Content-Length: 2828 | ||
Connection: close | ||
Content-Type: text/html; charset=UTF-8 | ||
|
||
<!DOCTYPE html> | ||
|
||
|
||
<html> | ||
<head> | ||
<meta http-equiv="refresh" content="400; URL=/r3/index.html"> | ||
<meta content="text/html; charset=utf-8" http-equiv="Content-Type"/> | ||
<meta content="en-us" http-equiv="Content-Language"/> | ||
<meta content="Twitter is without a doubt the best way to share and discover what is happening right now." name="description"/> | ||
|
||
<link href="https://si0.twimg.com/a/1349296073/stylesheets/help_center.css?1348784027" media="screen" rel="stylesheet" type="text/css" /> | ||
|
||
<title>Sign in to Twitter</title> | ||
|
||
<link href="https://twitter.com/phoenix/favicon.ico" rel="shortcut icon" type="image/x-icon"> | ||
|
||
<!--[if IE 9]> | ||
<link href="/iefavicon.ico" rel="shortcut icon" type="image/x-icon" /> | ||
<![endif]--> | ||
</head> | ||
.... | ||
|
||
Got it! This is a fake twitter login. Looks like the following when opened in a browser. | ||
|
||
<img src="/files/2013/fake-twitter-login.png" alt="Fake twitter page" style="width: 100%" /> | ||
|
||
My account would have been compromized after I have clicked one of such phishing links and gave my twitter credentials to a malicious cracker. | ||
|
||
## How to secure Twitter account after phishing attack | ||
|
||
**Step 1: Change your password.** | ||
|
||
Use the [advice of xkcd][1] to pick a strong password. | ||
|
||
[1]: http://xkcd.com/936/ | ||
|
||
**Step 2: Delete all messages sent from your account.** | ||
|
||
This'll prevent people from compromising their accounts by clicking the phishing link. | ||
|
||
The twitter website doesn't allow a way to delete multiple DMs at once. I found that [wwww.dmcleaner.com](http://www.dmcleaner.com/) is very useful for this task. You'll have authorize it via Twitter to use it. | ||
|
||
**Step 3: Revoke access to all unwanted apps that are authorized by you. You can find them on `Apps` tab on Twitter settings page. | ||
|
||
See the Twitter Help Center article ["My Account Has Been Compromised"][2] for more tips about securing Twitter account. | ||
|
||
[2]: https://support.twitter.com/articles/31796-my-account-has-been-compromised | ||
|
||
After you secure your account, make sure you [report the phishing link(s) to Google][3]. Google Chrome and Firefox uses that database to warn users when they try to visit those web pages. | ||
|
||
[3]: http://www.google.com/safebrowsing/report_phish/ |
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.