As part of our Information Security week we were asked to create a potential social engineering attack plan. Here’s mine based upon a researched template. What do you think??
“WORDPRESS ECOSYSTEM HACK”
The WordPress ecosystem is known to have security vulnerabilities (Link: https://www.freecodecamp.org/news/wordpress-vulnerabilities-you-need-to-know-about-and-how-to-fix-them-497a2d8b2c3e/), mainly due to users not updating to the latest version of WordPress. Brute force attacks are also known to be successful in gaining backend access and website control. This indirect attack, though, centres on hacking the plugin ecosystem associated with WordPress in an attempt to gain financial credentials and transfer money to the control of the SE.
The SE will first develop a reputable profile as a developer (a WordPress plugin author), or, if speed is of the essence, approach other reputable authors to release a plugin (or an update of a current plugin) that contains malware. The plugin will be targeted indirectly at all WooCommerce users with WordPress. There are almost 3 million websites using WooCommerce to sell online. The plugin may help a shop page display more pricing information such as estimated tax (this would require more valuable victim information). For this the user (or mark) must enter the financial details.
The malware will sit dormant until a targeted threshold of users is reached, before being activated and the SE attempts to withdraw money at the same time from all accounts. Another option is that they are taken to an external site to pay for a premium version of the plugin or for a feature of the plugin. This external site could obfuscate its true identity and imitate something like a PayPal or Stripe page and take an incorrect, large volume of money from the victim instead of the advertised $29.99.
The important features of the SEA are specified below:
Communication – The SEA is using indirect communication.
Social Engineer – The SE is an individual.
Target – The target is a group of individuals.
Medium – The communication medium is via a web platform, WordPress.
Goal – The goal of the attack is money illegally transferred.
Compliance Principles – Platform trust and security, author reputation history.
Techniques – The technique that is used is obfuscation.
STEP 1 – ATTACK FORMULATION
- Goal identification. The goal of the attack is to get an individual to transfer money to the attacker.
- Target identification. The target of the attack is all individuals in the group who are using the specific malware-laden WordPress plugin.
STEP 2 – INFORMATION GATHERING
- Identify potential sources: The information sources include any information about the WooCommerce community, the authors of WooCommerce, WordPress-based plugins and the policies of the platform.
- Gather information from sources: Gather from all the above-mentioned sources information that relates directly to the individuals’ personal information and any information regarding typical payments to pro plugin versions.
- Assess gathered information: Determine whether all the information required to establish what conveys authenticity in this ecosystem has been gathered. Also, assess if enough information has been gathered to correctly duplicate the payment screen for the plugin upgrade.
STEP 3 – PREPARATION
- Combination and analysis of gathered information: Develop a combined personality profile based on all the information gathered from the individuals and determine what features convey authenticity of plugin authorship to individuals. Also, develop a mock-up of how the payment screen should look, so that the replicated screen looks familiar to the individuals when they are required to enter their payment credentials during the attack.
- Development of an attack vector: Develop an attack plan that details the formulation of a post on which most of the individuals will click, based on their personality profile. In this template, the attacker is also required to develop a payment screen that is very similar to the industry standards, and that is able to capture the falsely high payment credentials when individuals attempt to pay. Once an individual has fallen prey to the attack, each target that has been compromised by the malicious plugin will be forced – unbeknown to the target – to transfer a much higher value sum to the plugin author.
STEP 4 – DEVELOP RELATIONSHIP
- Establishment of communication: This involves the physical action of creating and publishing the malicious plugin on the WordPress Ecosystem.
- Rapport building: Communication on the WordPress plugin ecosystem is based on quality reviews and follow-up comments. The “rapport building” step is mostly performed as a continuous process because individuals trust people with whom they have witnessed regular contact and community engagement. In this example, the plugin by the attacker should be enticing enough for any of the targets to click on it and install it without having gained a lot of trust in the attacker.
STEP 5 – EXPLOIT THE RELATIONSHIP
- Priming the target: On the WordPress platform, the target is almost already primed to be looking for new WooCommerce plugins to give their online shop an edge. Individuals usually tend to read social media to find out about new interesting plugins or discover them internally on the platform as trending. In the plugin that is released, documentation is provided to encourage the user to upgrade to the premium, paid version.
- Elicitation: The plugin will work as advertised so that suspicions are not initially aroused. The promise of the upgraded features available will encourage them to enter their credit card details. The attack is not initially noticeable as the first payment/transfer is as advertised. It’s the further withdrawals that are the unstoppable automated attack. It is key that the plugin feature requires significant setup time so that the victims’ expectations are dampened, thus providing more time to attack others before suspicions are aroused.
STEP 6 – DEBRIEF
- Maintenance: In this template, the maintenance of rapport occurs with continued usage of the plugin.
- Transition: The attacker was able to successfully gain unauthorised payment details from the target and can thus proceed to the “goal satisfaction” step.
- Goal satisfaction: The SE has attained his/her initial goal of unauthorised payments.