Advanced phishing attacks on social networks

Source: Internet
Author: User


Some time ago I wrote a few popular-science articles about "tool parties" and big-data hackers. Today I want a change of taste: let's look at one of the more "thrilling" attack methods on the front-end side.

Today, I only talk about advanced phishing.

A deep dive into this type of phishing attack may come in a future post. This time I will not write much; I will simply point out that this attack method is almost unknown to the general public, so even after reading this article many people will keep falling for it with the attitude "it won't happen to me." I usually keep the in-depth explanations for internal security training; if you plan to write a paper on it, that would be wonderful.

Think about it. On a social network (Weibo counts too, since it has social features), we get used to the many style elements that belong to that site: the nicely designed login page, the settings page, the change-password page, the pop-up layers, the chat box, the message-sending interface. We use them every day. So when a new feature appears in the same style (for example, a pop-up layer saying "password exception, please change your password"), nobody doubts it; it looks like just another friendly new feature ......

All of this can be forged with JavaScript, forged very slyly, and it does not take much code. Why? Thanks to the great front-end engineers who have wrapped everything in super convenient interfaces :)

As long as there is an XSS (cross-site scripting) vulnerability, arbitrary JavaScript can be introduced. An attacker then forges a convincing fake interface and harvests the key data they want. In fact, in real advanced attacks the interface is optional: more interaction means more complexity for the attacker, and a piece of JavaScript can use hacking techniques to obtain plaintext passwords and private data directly.

On social networks, good user experience is the first priority. For attackers, an attack also revolves around user experience. Even without XSS an attack can be completed; think about other ways to disguise an interface. Attacks through XSS are simply more native (I often call this the "native attack method").

Besides the native UI, the native ecosystem also exposes related JS library interfaces. Here is a joke about weibo.com: log in to your Weibo account in Chrome, press F12 to open "Developer Tools", paste the following code into the Console, and press Enter to execute it:

STK.core.io.ajax({method: 'post', url: '/aj/message/add', args: {text: document.cookie.substr(0, 300), screen_name: '%E4%BD%99%E5%BC%A6'}})

With code this concise, it is all too easy for an attacker to exploit :D
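The defender's side of the same picture, as an added example that is not code from the original post or from Weibo: user-controlled text is HTML-encoded before it is placed in the site's own templates, so a forged "password exception" dialog arrives as inert text, and the session cookie is checked for HttpOnly so that even a successful injection cannot read it through document.cookie. The payload, the cookie name "session" and the header values are constructed for illustration.

```javascript
// Added example (not the original post's code). Two checks against the attack above:
// (1) encode attacker-controllable text before interpolating it into trusted markup;
// (2) verify the session cookie carries HttpOnly and Secure.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML-significant characters in user-supplied text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a message into the site's own bubble markup. The template is trusted;
// only the user-supplied fields are encoded.
function renderMessage(screenName, text) {
  return `<div class="msg"><b>${escapeHtml(screenName)}</b>: ${escapeHtml(text)}</div>`;
}

// Parse one Set-Cookie header value into the cookie name and a map of
// lower-cased attribute names (value, or true for bare flags such as HttpOnly).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const flags = new Map();
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    flags.set(key, eq === -1 ? true : attr.slice(eq + 1));
  }
  return { name, flags };
}

// The session cookie must be unreadable from script (HttpOnly) and sent only over TLS (Secure).
function sessionCookieHardened(header, sessionName) {
  const { name, flags } = parseSetCookie(header);
  return name === sessionName && flags.has('httponly') && flags.has('secure');
}

// Constructed payload in the style of the attack: a dialog copying the site's own
// password-change popup, followed by a script that would send the cookie away.
const FORGED_DIALOG =
  '<div class="pwd-dialog">Password exception, please change your password' +
  '<input name="pw"></div><script>exfil(document.cookie)</script>';
```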

Phishing is nothing more than spoofing. Advanced phishing attacks that use XSS on social networks are genuinely hard to defend against. I proposed this kind of attack a long time ago and I feel it is becoming popular; this is why "artist hackers" have been mentioned so often in the past two years. To survive, hackers are becoming more sophisticated and are borrowing from artists, whose goal is visual deception.

Finally, stay more vigilant and leak less data ......
