Spoofing links in instant messengers

Carding

Link spoofing is a type of attack in which the victim is shown one link but is actually taken to a completely different one.

Why do they replace the link?
Deanonymization and data collection. The most popular deanonymization method via instant messengers is sending a link that, once opened, gives the attacker data about the victim. This is not limited to the IP address: as you already know from the course, a link can be used to find out whether the victim has social media accounts, which sites they visit, and much more.

Even if the victim uses a VPN and hides their real IP address, there are dozens of ways to de-anonymize VPN users, such as correlating connections or sending a fake request to the VPN provider asking them to hand over the user's data.

Infection
Infecting a victim simply by having them open a site is not a very common attack, as it requires the attacker to use zero-day vulnerabilities, and sometimes several of them at once. For example, if you are an attacker with one vulnerability for the Chrome browser and one for Windows, what guarantees that the victim is not using Safari on macOS?

Of course, you can do reconnaissance first, and the same link substitution can be used for that, but that is a separate story. In any case, zero-day vulnerabilities that compromise a device the moment the victim opens a site belong to state-level hackers or to companies that sell such solutions to states; a script kiddie or an average hacker is unlikely to have them.

Sometimes attackers exploit known vulnerabilities, but this only works if the victim's browser is not updated or a vulnerable component such as Flash is installed.

Much more often, attackers try to get the user to infect themselves. For example, the victim is persuaded to download and open a file or to install a "required" browser extension. Probably 99.9% of attackers act this way, because the head on the user's shoulders was, is and will be the best antivirus.

Data theft
In this attack, the victim is directed to a fake site that looks indistinguishable from the original, where they are asked to enter their data. This is usually a copy of a popular site: a social network, an online bank, an email service or a dating site. With high-class attackers, even the domain does not differ visually.

But no matter how effective the attack is, no matter how convincing the phishing domain is, and no matter how capable the attacker is, they still need the victim to open the link.

How do you get the victim to open the link? Social engineering (the skill of getting the victim to do something) and link substitution come to the rescue. Link substitution is available in various messengers, even in the Telegram and Jabber clients we recommend.

How does link substitution work in messengers?
Jabber
Jabber has many clients; I'll show the attack using Pidgin as the example. To perform it, start a dialog with the victim, then click Insert and select Link, the item intended for sending links to the user.

[Screenshot: 2018-12-30_16-15-47.png]

The Link dialog has two fields:

1. URL: here we insert the link to our trap site (where the victim will actually end up)

2. Description: here we write the address of the bait site (where the victim expects to go)

[Screenshot: 2018-12-30_16-16-09.png]

After adding the link, click Insert.

The result is a completely harmless-looking link behind which the address of our trap site is hidden; that is where the victim will actually end up.

Professionals who use link substitution for deanonymization or information gathering usually carry out this attack very gracefully: the victim first lands on the trap site, where they leave information about themselves, and is then quickly forwarded to the bait site they intended to visit. As a result, the data ends up in the attackers' hands, and the victim never learns when or how it happened.
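The defensive counterpart of the URL/Description trick above, as an added example that is not part of the original post: a client or gateway can parse the formatted message and flag every link whose visible text looks like a web address but names a different host than its real target. The code parses an XHTML-IM style message body (the format XMPP clients use for formatted text); the sample message and the hostname trap.example are constructed for this example.

```python
"""Flag chat hyperlinks whose visible text names a different site than the real target."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like a web address: optional scheme, then a dotted host.
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/?#].*)?$", re.I
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an XHTML message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase host of a URL or bare address, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url  # bare text like "privnote.com/x" has no scheme
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_spoofed_links(xhtml_body):
    """Return one finding per anchor whose URL-looking text and href name different hosts."""
    parser = _AnchorCollector()
    parser.feed(xhtml_body)
    findings = []
    for href, text in parser.anchors:
        if not URL_LIKE.match(text):
            continue  # plain words as link text: nothing to compare against
        shown, real = host_of(text), host_of(href)
        if shown != real:
            findings.append({"shown": shown, "real": real, "href": href})
    return findings


# Constructed sample message in XHTML-IM form; trap.example is a placeholder host.
SAMPLE_MESSAGE = (
    '<body xmlns="http://www.w3.org/1999/xhtml">'
    'password is here: <a href="http://trap.example/n/7f3a">https://privnote.com/n/7f3a</a> '
    'see also <a href="https://privnote.com/about">https://privnote.com/about</a> '
    'and the <a href="https://example.org/docs">docs</a>'
    "</body>"
)

if __name__ == "__main__":
    for f in find_spoofed_links(SAMPLE_MESSAGE):
        print(f"WARNING: text shows {f['shown']} but link goes to {f['real']} ({f['href']})")
```

Only anchors whose text itself looks like an address are compared; a link labelled "docs" carries no claim about its destination and is left alone. Running it on the sample reports exactly the first link, whose text claims privnote.com while the href points at trap.example.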

Telegram
In Telegram this is a bit harder, because before following a formatted link the user is shown the full address it leads to. Here it is especially important to use a domain name that looks as similar as possible.

Usually the work goes as follows: a well-known site is chosen and a similar domain is registered. For example, we will imitate the website of the one-time notes service Privnote and register the fake in a different domain zone, for example privnote.co.

On privnote.co we set up redirection of all requests to the original site privnote.com, collecting no information except on the specific links we create for the attack. Suppose our goal is to get information about the victim; for this we deploy scripts on the site that collect the following data:
  • IP address,
  • User agent,
  • browser fingerprints,
  • social networks where the victim is logged in.
We strike up a conversation with the victim and agree to send them some valuable data, using Privnote to transfer a password. When creating the Privnote link, we create a real note in the service and a similar link on our trap site.

When composing the message to the victim, we add the original link, then select it and click Formatting > Add link.

In the edit dialog, we enter the link to the trap site.

When the victim opens such a link, they first land on the trap site, where they leave all the data we need. Then, within a fraction of a second, they are redirected to the real Privnote site with the real note and, most likely, will not suspect anything.
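Since Telegram shows the real address, the defender's check here is on the domain itself. The following added example (not part of the original post) classifies a link's host against an allowlist of sites the user expects, and distinguishes a genuine subdomain from the three common imitations: the same name in another zone (privnote.co), the trusted name embedded in an unrelated domain, and a one-character near-miss. The allowlist, the sample URLs and the host trap.example are constructed for the example.

```python
"""Classify a link's host against an allowlist of sites the user trusts."""
from urllib.parse import urlparse

# Constructed allowlist: the genuine sites a user expects links to point at.
TRUSTED = ("privnote.com", "telegram.org")


def host_of(url):
    """Lowercase host of a URL or bare address, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character swaps such as pr1vnote."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED):
    """Return (verdict, matched_trusted_site) for the host of url."""
    host = host_of(url)
    if not host:
        return ("no-host", None)
    # Exact match or a genuine subdomain of a trusted site.
    for t in trusted:
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    # Trusted name hidden inside an unrelated domain, e.g. privnote.com.trap.example
    for t in trusted:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return ("embedded", t)
    labels = host.split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]  # naive registrable label
    for t in trusted:
        t_name = t.split(".")[0]
        if name == t_name:
            return ("lookalike-tld", t)  # same name, different zone: privnote.co
        if edit_distance(name, t_name) <= 1:
            return ("near-miss", t)  # one character off: pr1vnote.com
    return ("unknown", None)


def scan(urls):
    """Classify each URL; returns a list of (url, verdict, matched_site)."""
    return [(u,) + classify_link(u) for u in urls]


# Constructed sample links as a Telegram client would display them.
SAMPLE_LINKS = [
    "https://privnote.com/ABCDEF",
    "https://privnote.co/ABCDEF",
    "https://privnote.com.trap.example/ABCDEF",
    "https://pr1vnote.com/ABCDEF",
    "https://example.org/",
]

if __name__ == "__main__":
    for url, verdict, site in scan(SAMPLE_LINKS):
        print(f"{verdict:14} {url}" + (f"  (imitates {site})" if site and verdict != "trusted" else ""))
```

The classifier only looks at the address the client displays; it cannot see where that address redirects afterwards, which is exactly why the check has to happen before the link is opened. The registrable-label heuristic is deliberately naive (it treats the second-to-last label as the site name), which is good enough for two-label domains like the ones on this page but would need a public-suffix list for zones such as co.uk.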

How to protect yourself from link spoofing
The only effective defense against this attack is your own attentiveness. Keep the possibility of link spoofing in mind and check the real address you are about to visit, not the text the link displays.
 