Tool Automates Phishing Attacks

Thursday, January 8, 2015 @ 03:01 PM gHale

Whether it is a manufacturing facility, an offshore oil production rig, or malware, it is all about automation.

That is just what is happening with new open source malware that automates phishing attacks and targets credentials for Wi-Fi networks.

In most cases, attacks against networks protected with the WPA and WPA2 security protocols involve brute forcing. However, a tool developed by IT security engineer George Chatzisofroniou, called Wifiphisher, uses social engineering.

Wifiphisher works in three stages. In the first stage, victims are deauthenticated from their access point by deauthentication packets sent to the broadcast address, from the client to the access point, and from the access point to the client.

In the second phase, the tool copies the victim’s access point settings and sets up a rogue access point. Because the legitimate access point is jammed, clients will connect to the rogue access point. In this stage, the tool also sets up a NAT/DHCP server and forwards the right ports, Chatzisofroniou said.

In the final phase, a man-in-the-middle (MitM) attack launches using a minimal Web server that responds to HTTP and HTTPS requests, and victims are presented with a fake router configuration page when they try to access a website. This configuration page informs users that a firmware update is available for the device and instructs them to enter their WPA password.

Wifiphisher works on Kali Linux, the popular penetration testing distribution, and it requires two wireless network interfaces. One of these interfaces must be capable of injection, Chatzisofroniou said.

Researchers pointed out that the operating system notifies users when their network configuration changes. Victims would have to ignore the warnings before connecting to the rogue access point and seeing the phishing page.
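
For defenders, the first two stages leave a recognizable pattern on the air: a burst of deauthentication frames against one access point, followed by a new BSSID advertising the same network name. The following is an added example, not code from the article or from Wifiphisher, that correlates the two over constructed frame records; the MAC addresses, the SSID, the thresholds and the rule that the first BSSID seen for an SSID is the legitimate one are all assumptions.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP, CLIENT, ROGUE = "aa:aa:aa:00:00:01", "cc:cc:cc:00:00:09", "ee:ee:ee:00:00:42"

# Constructed sample frames, not a real capture: (time_ms, type, src, dst, bssid, ssid)
FRAMES = [(0, "beacon", AP, BROADCAST, AP, "PlantWiFi")]
for i in range(4):  # deauth burst in the three directions the article lists
    t = 10_000 + i * 300
    FRAMES += [(t, "deauth", AP, BROADCAST, AP, None),
               (t + 100, "deauth", CLIENT, AP, AP, None),
               (t + 200, "deauth", AP, CLIENT, AP, None)]
FRAMES += [(12_000, "beacon", ROGUE, BROADCAST, ROGUE, "PlantWiFi"),  # same SSID, new BSSID
           (40_000, "deauth", AP, CLIENT, AP, None)]  # lone deauth: routine, no alert


def by_time(frames):
    return sorted(frames, key=lambda f: f[0])


def deauth_bursts(frames, window_ms=2_000, threshold=10):
    """Map each BSSID to the time it first saw `threshold` deauths within `window_ms`."""
    recent, bursts = defaultdict(deque), {}
    for t, kind, _src, _dst, bssid, _ssid in by_time(frames):
        if kind != "deauth":
            continue
        q = recent[bssid]
        q.append(t)
        while t - q[0] > window_ms:  # drop deauths that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            bursts.setdefault(bssid, t)
    return bursts


def evil_twin_alerts(frames, follow_ms=30_000):
    """Flag a new BSSID beaconing a known SSID shortly after a burst on the original."""
    bursts, known, seen, alerts = deauth_bursts(frames), {}, set(), []
    for t, kind, _src, _dst, bssid, ssid in by_time(frames):
        if kind != "beacon" or (ssid, bssid) in seen:
            continue
        seen.add((ssid, bssid))
        original = known.setdefault(ssid, bssid)  # assumption: first BSSID seen is legitimate
        burst_t = bursts.get(original)
        if bssid != original and burst_t is not None and 0 <= t - burst_t <= follow_ms:
            alerts.append({"ssid": ssid, "original": original, "new_bssid": bssid, "at_ms": t})
    return alerts


if __name__ == "__main__":
    print(evil_twin_alerts(FRAMES))
```

Networks with several legitimate access points share one SSID across many BSSIDs, so a production rule would compare against an inventory of known BSSIDs instead of the first one observed.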
