
OkStupid and Plenty of Phish

It recently occurred to me that many of the classic "password recovery" questions, while personal in nature, are exactly the kind of questions you would ask when trying to get to know someone better -- such as in a dating context.  With this in mind, I decided to explore how online dating services could be used to target victims and then gain access to their other online accounts by discovering the answer(s) to their password recovery questions.

How we built the bot

I went through quite a few considerations on how I wanted to approach this.  I eventually stumbled upon a site called PersonalityForge, which hosts an entire geek sub-culture of people who have coded chat bots with the intent of making them as real as possible.  While nowhere near perfect, I did manage to find a "flirty" female chat bot that I hoped would do the trick.  I introduce to you, Amanda20...

How it works

Using the Python mechanize library, I used browser emulation to "chat" with Amanda20 in one emulated browser, and to log in to a dating site and chat with my target in another.  The two emulated browsers were wired together so that the chat bot and the target were effectively talking to each other, in the hope that the target would believe they were chatting with a real person.
Messages were routed back and forth to keep the conversation going, certain pieces of information (persona details such as the bot's name and location) were swapped using string substitution, and password recovery questions were periodically injected into the conversation so that the target's next reply could be captured as the answer.
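The relay mechanism described above, as an added example that is not the original proof-of-concept code. The two transports (the chat bot side and the dating-site side) are plain callables so the loop runs offline; the post drove them with mechanize browser emulation, which is not used here. The recovery questions, the substitution table, the canned "Amanda20" lines and the scripted target are all constructed sample data.

```python
"""Relay loop: route chat bot <-> target, swap persona details,
and periodically inject password recovery questions (added example).
"""
import itertools
import re
from typing import Callable, Dict, Optional

# Recovery questions to plant, phrased to fit casual chat (constructed).
RECOVERY_QUESTIONS = [
    ("first_pet", "haha random but what was your first pet's name?"),
    ("mother_maiden", "what's your mom's maiden name? mine is super weird lol"),
    ("birth_city", "so where were you born?"),
]

# Persona details swapped so the chat bot's canned lines match the
# dating profile the target actually sees (constructed values).
SUBSTITUTIONS = {"Amanda20": "Amanda", "Chicago": "Denver"}


def substitute(text: str, table: Dict[str, str]) -> str:
    """Rewrite persona details in an outbound message before sending."""
    for old, new in table.items():
        text = re.sub(re.escape(old), new, text)
    return text


def relay_conversation(
    ask_chatbot: Callable[[str], str],
    ask_target: Callable[[str], Optional[str]],
    inject_every: int = 3,
    max_turns: int = 20,
) -> Dict[str, str]:
    """Route messages between bot and target.

    Every `inject_every` turns the bot's line is replaced by the next
    recovery question, and the target's reply to it is recorded under
    that question's key. Stops when questions run out, the target goes
    silent (None), or max_turns is reached.
    """
    harvested: Dict[str, str] = {}
    pending = iter(RECOVERY_QUESTIONS)
    target_said = "hey"  # assumed opening line from the target's side
    for turn in range(1, max_turns + 1):
        awaiting: Optional[str] = None  # key of a question just asked
        if turn % inject_every == 0:
            nxt = next(pending, None)
            if nxt is None:
                break
            awaiting, outbound = nxt
        else:
            outbound = ask_chatbot(target_said)
        reply = ask_target(substitute(outbound, SUBSTITUTIONS))
        if reply is None:
            break
        if awaiting:
            harvested[awaiting] = reply.strip()
        target_said = reply
    return harvested


# Constructed stand-in for Amanda20: cycles through canned flirty lines.
_BOT_LINES = itertools.cycle(
    ["hey you :) I'm Amanda20 from Chicago", "lol what are you up to?"]
)


def scripted_chatbot(msg: str) -> str:
    return next(_BOT_LINES)


def make_scripted_target(answers: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Constructed stand-in for the target: answers planted questions
    with canned values and otherwise makes small talk."""
    def reply(msg: str) -> Optional[str]:
        low = msg.lower()
        if "first pet" in low:
            return answers["first_pet"]
        if "maiden" in low:
            return answers["mother_maiden"]
        if "born" in low:
            return answers["birth_city"]
        return "not much, just chilling. you?"
    return reply


if __name__ == "__main__":
    target = make_scripted_target(
        {"first_pet": "Rex", "mother_maiden": "Smith", "birth_city": "Tulsa"}
    )
    print(relay_conversation(scripted_chatbot, target))
```

The point of keeping the transports as callables is that the relay logic (substitution, injection cadence, answer capture) is independent of how the two chat sessions are driven; swapping in real browser automation only changes `ask_chatbot` and `ask_target`.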

And the results?

Some caught on...
Some became amusingly hostile...
Some were even bots themselves (though less sophisticated)...
But mostly, it just worked...




Or the live version if you are up for some brief entertainment...

Targeted Attacks

This probably doesn't seem very concerning, since people are anonymous on dating sites.  And if I don't know who you are, then I can't break into your online services, right?  But with some clever Google dorking and reverse image searches, we can quickly identify who people are when they reuse usernames or photos across sites.  We were even able to find and target victims who worked for specific companies.
But if that doesn't work...just program the bot to ask.  In addition to their recovery questions, apparently people are more than willing to tell you who they work for too.

Proof of Concept Code

Below is the GitHub repository with the proof-of-concept code.  Because this was just a quick proof-of-concept to demonstrate the potential risk, the code is admittedly not well documented/commented, and I have no intention of supporting it.  But please feel free to reference it if interested.

