- June 1, 2019
Security Education – By Dylan “The Magician” Baklor
Sharing a link is very often the best way to direct someone to a great article or a funny photograph, but could clicking on a link or photograph be dangerous? It might surprise you if I said I could use a link to find your city, learn which browser you are using, what kind of device you viewed the link on, and your operating system, or even disable your internet connection. I’ve sent many photographs to friends, family members, and fellow Ethical Hackers to see if clicking a link (even from a trusted source) is still a common practice. Many opened my shared link without a second thought; this was not an opportunity to embarrass but to educate and empower. Let me explain what can happen and how you can stay safe.
To reference Facebook Whitehat Report #10108158134200512: “Via social engineering it is possible to find a target's interests via their wall. Utilizing Grabify IP Logger I can generate a logging exploit with a link to an image or website. Copying this link in the messenger input field I was able to get the application to display a link of a copy of the image which, when clicked on, logs the target WAN IP for future DOS attacks.”
This means that if a bad actor wants to collect data on a specific person, all they need to do is some quick reconnaissance of a social media page to find, as an example, an interest in muscle cars. I could use the tracking tool grabify.link to tie the web address of a Pontiac GTO image to a data logger and share that photo. If I add some social influencing, like “click this photo for a super cool deal on this car, it’s in your city too!”, I might increase the chances that a target clicks on the link. Collecting information such as the preferred browser, operating system, type of device, and especially the public IP address of a target enables a bad actor to write an attack that will specifically get past the safeguards of any network or device. To bring things into the physical world: if I know the placement of cameras in an art gallery, I might know how to sneak around them.
The next thing to think about is how to avoid this risk as much as possible. Listed immediately below are links to look out for:
Bit.ly, shorte.st, adf.ly, bc.vs, bit.do, soo.gd, 7.ly, goo.gl, grabify.link, just to list a few.
That’s not to say these are the only ones, just some common ones I’ve run across. The unfortunate truth, though, is that some common messaging applications (in the case of the referenced Whitehat report, the Facebook Messenger application) do nothing to avoid this risk. My finding in the Messenger application was that I could entirely delete the web address after renaming a link or sharing a photograph, so there would be no early warnings when clicking a link. To be completely safe, the best way to locate something shared with you is to ask for more detail. Questions like “where did you find this?” or “I’d like to look this up, can you tell me what search query you used?” should not offend a trusted source of information. Personally, once I am linked to an article or photograph, I like to do my own research and find the information myself.
Further, many related malicious actions can be triggered with a link, such as the installation of malware like ransomware or a remote access trojan. Practice “Safe Surfing”, and if someone avoids answering questions related to a shared link, odds are you are dealing with a compromised account, most likely operated by someone other than the account owner.
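As an added example (not code from the Whitehat report or from the author), here is one way to check a received message offline before clicking anything: it compares each link's real destination against the watch list above and flags link text that shows a different address than the one it opens, the renamed-link case described for Messenger. The function names and the sample message are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts from the article's watch list, copied as written there.
WATCH = {"bit.ly", "shorte.st", "adf.ly", "bc.vs", "bit.do",
         "soo.gd", "7.ly", "goo.gl", "grabify.link"}
# Heuristic: something that looks like a domain name in the visible link text.
DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def bare(host):  # lowercase, drop a trailing dot and a leading "www."
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):  # gathers (href, visible text); fetches nothing
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def review_message(html):
    """Return [(href, [reasons])] for links worth asking the sender about."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host, reasons = bare(urlsplit(href).hostname), []
        shown = DOMAIN.search(text)
        shown_host = bare(shown.group(1)) if shown else ""
        if any(host == h or host.endswith("." + h) for h in WATCH):
            reasons.append("listed shortener/logger host " + host)
        if shown_host and shown_host != host and not host.endswith("." + shown_host):
            reasons.append("text shows " + shown_host + " but link goes to " + host)
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message (not from the report): two questionable links, one honest.
SAMPLE = ('<a href="https://grabify.link/EXAMPLE">Pontiac GTO deal in your city</a> '
          '<a href="https://bit.ly/EXAMPLE">www.example.com/gto.jpg</a> '
          '<a href="https://www.example.org/cars">example.org/cars</a>')
```

The check only reads the message markup and never requests the link, because requesting it is exactly what hands the logger your IP address and browser details.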
-Dylan “The Magician” Baklor