She was a hacker. He was a botnet.

All you need is code < 3
Dec 27, 2020

The love story of a phishing attack

The day my hacker co-worker and best friend decided to open Tinder, I was a bit reluctant about her decision. With two hearts broken in her pocket, plenty of Cosmopolitans and a couple of nights with a blank space between 12 am and 12 pm, I thought stability was definitely not the forte for describing her current situation.

After two weeks of late-night work trying to intrude into our monthly customer’s network, we finally found an unpatched machine that allowed EternalBlue to do its charms. We were exhausted. We just wanted a hot shower and a warm bed. That’s why I proposed Margaritas.

After two rounds and some hot guys in the corner waiting for the right moment to jump in, I proposed to my friend that we go away for the weekend to a cabin in the woods in the middle of Veluwe. No guys. No computers. No exploits. No malware. No nothing. Just Cosmopolitans and maybe some dry martinis. She said yes.

When we arrived at the cabin, the weather was beyond perfect. We swam, we cooked, we hiked, we read and we slept. Around 7 pm we started to feel the chills of an autumnish Dutch evening and we decided it was the moment to jump into our pajamas, get some martinis and start to swipe right. We knew that we promised no guys, but technically they were not there. At least that is what we thought.

It was around 9:00 pm when this astonishingly good-looking guy started a conversation with my friend. He was less than 1 km away, so we thought that if things were going right, we might break one rule. Or two:

-Hey beautiful neighbor! How is the wild life treating you?

-Life here is good thanks. This weather suits me very well.

-Wow! Quite a revelation for a lady coming from Sao Paulo.

Our brains froze a little. How did this guy know my friend was coming from Sao Paulo? She was always very careful about disclosing her personal information in dating apps. Thanks to our pen-tester jobs, we knew that social media was the perfect place for future social engineering attacks.

-How did you know I come from Sao Paulo?

-Well… I may be honest, and maybe I stalked you a little bit on Facebook.

-Well, that is even weirder because I don’t have Facebook.

There was a long pause when he didn’t answer. We were hyperventilating, not knowing if this guy was going to answer again and astonishingly worried by the fact that according to Tinder, he was less than 1 km away.

And then, after 10 min he answered:

-Ok then, what is this over here: <http:…>

We were freaking out. She was freaking out. Her emotions were taking over her whole body. She was about to click on the link, when I said: STOP.

Stop. Isn’t this it? Isn’t this what we have been preparing all our adult life for? Isn’t this the reason why we have food on our tables, and clothes in our wardrobe? — I said.

All the signs are there:

1. An appealing sender
2. A message that is triggering an emotion
3. Someone asking you to do an action
4. A payload: In this case a link.

This is a phishing attack.

She looked at me with a face as if she had seen a ghost. In a matter of seconds she came to her senses. And it all made sense. It was clearly a phishing attack.

In that moment, we ran to the car and instead of running away, we took the computers that we had left in the trunk. We came back home, we went straight to the kitchen table and opened our Virtual Machines and started Kali Linux. And while the dragon was loading on our screens, we had another Cosmo.

We copied the link into VirusTotal and we created an isolated proxy server to analyze the URL. The URL took us to a site where remote code started to be executed. With the help of Burp, we tried to analyze the source IP where the traffic was coming from, but it was pointless. It was redirecting to a small island not so far away from French Polynesia. Clearly someone didn’t want to get caught.

Was she the victim of a Spray and Pray? Most likely not. Why did someone target her? We don’t know. There were many questions that still remained unsolved. And many memories that remained from that trip over the weekend.

Phishing attacks are a real threat. They can be so subtle, so elegantly done. So natural. That even the most seasoned hacker can hardly see them. This was the moment when I realized that phishing is not a campaign or an awareness training. It is a weapon. And a very real one.

In the meantime, my friend erased her Tinder. Not because of the incident at the cabin, but because she downloaded Bumble.

This story was inspired by true events. Names of people and places have been altered in order to secure the privacy of the people who are involved.

Photo by Daria Nepriakhina on Unsplash
