Social Engineers Attacks Web Users Via New Web Vulnerability


A New web vulnerability allows social engineers to attack web users more effectively. The attack has been dubbed reflected file download (RFD), which cons users into downloading malicious executable files that are not actually hosted where they appear to be.

Attack Scenario

When the user clicks on a specifically crafted link to a legitimate site, the browser offers a file for download with an executable extension like .bat or .cmd that contains shell commands or script files that will be executed through the Windows-based script host.

Actually, the contents of the file are passed through the attacker-generated URL that the user clicks on, the website reflecting the input back to the browser as a file download.

Since the file is not physically located on the target site, this attack is a powerful tool for hackers. The file download is very convincing, because it appears to originate from the legitimate site.

For example, when a user visits using a link( looks like :*demo...), the web browser offers a file for download. That file is not from the google, but from the URL itself. That is, the reflects the input from the URL to user as a downloadable file. After the download the user get infected with a malicious program.

Discovery Of RFD Attack

The RFD is discovered by Trustwave security researcher Oren Hafif. Hafif has presented the attack at the Black Hat Europe security conference on Friday.

Vulnerable Website:

  • Sites that use JSON (JavaScript Object Notation) or JSONP (JSON with padding).
  • Sites that don’t use JSON.
He calls the RFD attack as "Uploadless Download" attack, because it doesn't need to upload any files. The attacker can gain full control over the user's machine by using RFD attack.

He also found a way to bypass the warning that Windows displays when trying to run an executable file downloaded from the Internet, making his attack even more powerful.

For more details download the Oren Hafif's PDF here

No comments

Powered by Blogger.