Exploiting Cross-Site Scripting Vulnerabilities to Improve the Effectiveness of Phishing Attacks
Paltsev, Aleksandr (2024-05-24)
This publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
open
The permanent address of the publication is:
https://urn.fi/URN:NBN:fi-fe2024060645699
Abstract
Social engineering attacks are traditionally counted among the most dangerous threats to information security. The information security community is aware of this and makes every effort to mitigate the risk by combining technical and organizational countermeasures. Technical tools such as anti-spam filters and artificial-intelligence-based sandboxes demonstrate high effectiveness against phishing attacks. Commercial email security products can, among other things, unpack encrypted file attachments, crack their passwords on the fly, and analyze text and technical metadata to determine the overall trustworthiness of the sender. Mail sandboxes are capable of running attachments in an enterprise-like environment and can effectively identify malicious attachments.
While the most powerful attack vectors spotted by researchers used zero-day vulnerabilities, the most basic cross-site scripting (XSS) vector in phishing can still be dangerous. In the most common scenarios, an attacker changes the web page content of an internal resource to collect credentials. This thesis aims to study the main schemes of phishing attacks on organizations and consider their effectiveness from the point of view of the attacker. Since existing anti-phishing measures show high effectiveness, this thesis utilizes common XSS vulnerabilities and looks at them from a new angle to increase the effectiveness of social engineering attacks. In this regard, the thesis proposes an exploitation framework that exploits XSS to embed a customer chat support feature, tricking the user into believing it is a website feature. The chat features under the control of the attacker can be used to perform a variety of actions, like downloading malware or stealing personal information.
The solution was tested in practice and showed that a phishing attack using XSS is considerably more effective than a traditional phishing attack. According to the results, out of 100 phishing emails sent, 12% were opened, 7% of users considered the message trustworthy and submitted their credentials through the authentication forms, and 2% of users entered into correspondence with the attack administrator and ended up running a malicious file transmitted through the interactive chat.
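The attack summarized above works only because an untrusted value is written into a trusted page unescaped, so an attacker-supplied script tag (the fake "support chat" loader) becomes part of the site. The following is an added defensive illustration, not code from the thesis: it contrasts the vulnerable and the encoded rendering of a reflected parameter, and adds a small audit that flags script or iframe elements loaded from outside an allowlist of first-party origins, which is how a defender could spot an injected widget in served HTML. The hostnames, the allowlist and the sample payload are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed first-party origin of the internal site (constructed value).
FIRST_PARTY = {"intranet.example.internal"}


def render_unsafe(query: str) -> str:
    """Vulnerable pattern: untrusted input concatenated straight into markup."""
    return f"<h1>Results for {query}</h1>"


def render_escaped(query: str) -> str:
    """Fixed pattern: HTML-encode before insertion, so markup is shown as text."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


class ScriptAudit(HTMLParser):
    """Collect inline scripts and script/iframe sources pointing off-site."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, hostname-or-None)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src is None:
            if tag == "script":  # inline script body: typical injection form
                self.findings.append(("inline-script", None))
            return
        # Relative URLs have no hostname and are treated as first-party.
        host = urlsplit(src).hostname
        if host and host not in FIRST_PARTY:
            self.findings.append((f"external-{tag}", host))


def audit(page: str):
    """Return the list of suspicious script/iframe findings in a page."""
    parser = ScriptAudit()
    parser.feed(page)
    return parser.findings
```

Run `audit()` over pages fetched from the internal site to see whether any script source falls outside the allowlist; the escaped rendering yields no findings because the injected tag never becomes an element.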