Hacker's Challenge 3: Big Bait, Big Phish

In this excerpt of Chapter 3 from "Hacker's Challenge 3," author Bill Pennington provides a detailed example of a situation in which an organization's network is attacked and customer data is compromised.

Hacker's Challenge 3

David Pollino, Bill Pennington, Tony Bradley, Himanshu Dwivedi

400 pages; $49.99

McGraw-Hill Osborne Media


In this excerpt from Chapter 3 of Hacker's Challenge 3, author Bill Pennington provides a detailed example of a situation in which an organization's network is attacked and customer data is compromised. After the excerpt, continue reading the rest of the chapter and then get the solution to this challenge.
Industry:     E-commerce
Attack Complexity:     Medium
Prevention Complexity:     Hard
Mitigation Complexity:     Hard

Monday, December 19, 2005, 09:17
Siamak was careful about unwarranted e-mails he received, even simple advertising schemes like the one shown in Figure C3-1, which was sitting in his inbox.

Siamak had his identity stolen once by someone who grabbed his mail while he was mountain climbing in Tibet. The person used that information to open up a few credit card accounts and create havoc for Siamak's records. Eventually Siamak cleared everything up with the credit companies, but after the fiasco he was paranoid about his personal information. Siamak wasn't likely to be conned by high-tech means, however, because he worked in technology himself and knew what types of risks were out there. He used a Mac, browsed the web using Firefox, and didn't install untrustworthy software.

Due to his competence and paranoia, Siamak wanted to make sure this e-mail was what it claimed to be. First he verified the e-mail headers as having come from ClimberCentral:

X-Gmail-Received: 68db19b59b39cbe1db718b22dbf6bd5d6c8a29d2
Delivered-To: siamak@gmail.com
Received: by 10.54.104.14 with SMTP id b14cs44461wrc;
        Mon, 19 Dec 2005 05:27:10 -0800 (PST)
Received: by 10.36.227.70 with SMTP id z70mr396581nzg;
        Mon, 19 Dec 2005 05:27:10 -0800 (PST)
Return-Path:
Received: from camp7.sjc.climbercentral.com (camppool07.climbercentral.com [222.33.244.106])
        by mx.gmail.com with ESMTP id c12si583418nzc.2005.12.23.13.27.10;         Fri, 19 Dec 2005 05:27:10 -0800 (PST)
Received-SPF: pass (gmail.com: domain of support@climbercentral.com designates 222.33.244.106 as permitted sender)
Received: from [10.112.159.30] (dingdong-1.sjc.climbercentral.com [10.112.160.30])
        by camp7.sjc.climbercentral.com (8.12.3/8.12.3)
with ESMTP id jBNLLwZp015175
        for ; Mon, 19 Dec 2005 05:27:09 -0800
From: "ClimberCentral"
Reply-to: support@climbercentral.com
To: siamak@gmail.com
Subject: Great ClimberCentral Deal!!
Date: Mon, 19 Dec 2005 05:27:08 -0800
Message-ID:
X-Mailer: Kana Connect 6
Mime-Version: 1.0
Content-Type: text/html;

The e-mail was actually from the ClimberCentral domain. Siamak clicked the Log In link and watched his browser's URL address bar (Figure C3-2).

Not every e-mail he received was an attempt to ruin his life. Content with his investigations, Siamak proceeded to log in and look around the site.

Monday, December 19, 2005, 09:50
Rob stumbled in to work late. It was the holiday season and he'd forgotten to put in for vacation. As a result, he was stuck here in rainy Silicon Valley watching over ClimberCentral's operations while the rest of the ClimberCentral crew was enjoying Hawaii. At least Rob could party this week, with no one at the office noticing that he showed up to work with bloodshot eyes and smelling like stale booze.

"Good morning!" It was Llana; Rob tried to shrug off her attention and slip past her into his cube. Thank goodness for cubes.

"Hey, maybe you could find out what's going on with the gobi web server. Customer order e-mails aren't being sent out, and the thing's chugging under a big load," she added.

"Yeah, on it." Duh, Rob thought, as he plopped down and opened up a shell. Sure enough, so many e-mail messages were lined up in the queue that the whole server had ground to a halt. He ran a quick command to see what was going on:

root@gobi:/# cd /var/spool/exim4/input/ && grep 'Subject:' *-H 1Ehjql-0005Zc-KB-H:016 Subject: Great ClimberCentral Deal!! 1EiHLr-0006Bo-51-H:016 Subject: Great ClimberCentral Deal!! 1EjVSZ-0007KO-Ci-H:016 Subject: Great ClimberCentral Deal!! 1EjVeu-0007Lg-4Q-H:016 Subject: Great ClimberCentral Deal!! 1EkFRT-0002a3-3D-H:016 Subject: Great ClimberCentral Deal!! 1En7Uk-0006Oo-73-H:016 Subject: Great ClimberCentral Deal!! 1En7iI-0006Sc-0I-H:016 Subject: Great ClimberCentral Deal!! 1EoAzW-0005gZ-64-H:016 Subject: Great ClimberCentral Deal!! 1EoBAq-0005hF-Vq-H:016 Subject: Great ClimberCentral Deal!! 1EoFag-0007MJ-Ma-H:016 Subject: Great ClimberCentral Deal!! 1Epeg9-0000CR-K7-H:016 Subject: Great ClimberCentral Deal!!

The mass of marketing e-mails was choking the gobi server with an unexpected load. Rob assumed one of the developers was responsible, so he e-mailed the development team reminding them not to send marketing e-mails from the gobi web server. After he deleted the pending marketing e-mails and got the server up and running again, he relaxed by firing up the Slashdot website and downing some Tylenol.

Monday, December 19, 2005, 13:11
Llana averted her eyes when she entered Rob's cube to find him browsing suicidegirls.com.

"Hey, customer service is worried about some issue with tons of disputed false orders, and since Lex isn't in I suggested they direct the issue to you."

"Yeah," snorted Rob, "but have you heard of e-mail?"

Llana frowned. "I sent you the details, but this is kind of urgent so I wanted to make sure and see if you needed some help."

Rob mumbled something and didn't pay attention as Llana slunk away. Skimming the e-mail, he noticed a suspicious pattern with the "false" orders: they were all being delivered to the same P.O. box. He went to the database to find out more:

SELECT FROM_UNIXTIME(timestamp), address, charge, user_log FROM orders WHERE address LIKE '%Box 37452%'; 2005-12-19 08:26:49, P.O. Box 37452 Bloomingdale Alaska, 36.50, tom_erik IP 253.102.200.3 2005-12-19 08:00:44, P.O. Box 37452 Bloomingdale Alaska, 36.50, kr15m1ll3r IP 253.102.200.3 2005-12-19 08:02:15, P.O. Box 37452 Bloomingdale Alaska, 36.50, mrmann IP 253.102.200.3 2005-12-19 09:32:05, P.O. Box 37452 Bloomingdale Alaska, 36.50, chucknboo IP 253.102.200.3 2005-12-19 08:21:50, P.O. Box 37452 Bloomingdale Alaska, 36.50, m1k3k1ng IP 253.102.200.3 2005-12-19 08:11:34, P.O. Box 37452 Bloomingdale Alaska, 36.50, robin0 IP 253.102.200.3 2005-12-19 08:11:45, P.O. Box 37452 Bloomingdale Alaska, 36.50, timtimmy IP 253.102.200.3 2005-12-19 08:50:03, P.O. Box 37452 Bloomingdale Alaska, 36.50, a234machado IP 253.102.200.3 2005-12-19 08:39:12, P.O. Box 37452 Bloomingdale Alaska, 36.50, frank_mcgee IP 253.102.200.3 2005-12-19 08:58:02, P.O. Box 37452 Bloomingdale Alaska, 36.50, lorelei IP 253.102.200.3 2005-12-19 09:22:44, P.O. Box 37452 Bloomingdale Alaska, 36.50, siamak_p IP 253.102.200.3

This didn't look good. Orders that were supposedly placed by different users were all coming from the same IP address and being sent to the same P.O. box in Alaska. It seemed clear that an attacker had either compromised the individual user accounts or somehow broken into the ClimberCentral system. Rob drew up an action plan:

  1. Cancel all orders to P.O. Box 37452 in Bloomingdale, Alaska.
  2. Notify public relations that the company's servers had been compromised, and have them contact affected customers.
  3. Have Llana take down the website and put up an "under construction" page until they resolved the security hole.
  4. Block the 253.102.200.3 IP address from accessing the network.
  5. Begin the investigation process, probably by making backups and contacting Lex.

Monday, December 19, 2005, 14:35
Llana had enrolled a guy from marketing who knew a bit about Linux to help her make backups. Rob was still trying to reach Lex in Hawaii, to see if he knew how they should proceed.

The IP address 253.102.200.3 was the only information Rob had to act on. After getting bored of calling Lex's hotel to find out whether he'd come back from his hike yet, Rob decided to investigate ClimberCentral's access logs and see if he could find other useful information.

Continue reading about this challenge in Chapter 3: Big Bait, Big Phish of Hacker's Challenge 3.

Get the solution to this challenge.

This was first published in May 2006

Dig deeper on Email and Messaging Threats (spam, phishing, instant messaging)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close