Hacker's Challenge 3: Big Bait, Big Phish

Hacker's Challenge 3 David Pollino, Bill Pennington, Tony Bradley, Himanshu Dwivedi 400 pages; $49.99 McGraw-Hill Osborne Media

Monday, December 19, 2005, 09:17
Siamak was careful about unwarranted e-mails he received, even simple advertising schemes like the one shown in Figure C3-1, which was sitting in his inbox.

Siamak had his identity stolen once by someone who grabbed his mail while he was mountain climbing in Tibet. The person used that information to open up a few credit card accounts and create havoc for Siamak's records. Eventually Siamak cleared everything up with the credit companies, but after the fiasco he was paranoid about his personal information. Siamak wasn't likely to be conned by high-tech means, however, because he worked in technology himself and knew what types of risks were out there. He used a Mac, browsed the web using Firefox, and didn't install untrustworthy software.

Due to his competence and paranoia, Siamak wanted to make sure this e-mail was what it claimed to be. First he verified the e-mail headers as having come from ClimberCentral:

The e-mail was actually from the ClimberCentral domain. Siamak clicked the Log In link and watched his browser's URL address bar (Figure C3-2).

Not every e-mail he received was an attempt to ruin his life. Content with his investigations, Siamak proceeded to log in and look around the site.

Monday, December 19, 2005, 09:50
Rob stumbled in to work late. It was the holiday season and he'd forgotten to put in for vacation. As a result, he was stuck here in rainy Silicon Valley watching over ClimberCentral's operations while the rest of the ClimberCentral crew was enjoying Hawaii. At least Rob could party this week, with no one at the office noticing that he showed up to work with bloodshot eyes and smelling like stale booze.

"Good morning!" It was Llana; Rob tried to shrug off her attention and slip past her into his cube. Thank goodness for cubes.

"Hey, maybe you could find out what's going on with the gobi web server. Customer order e-mails aren't being sent out, and the thing's chugging under a big load," she added.

"Yeah, on it." Duh, Rob thought, as he plopped down and opened up a shell. Sure enough, so many e-mail messages were lined up in the queue that the whole server had ground to a halt. He ran a quick command to see what was going on:

The mass of marketing e-mails was choking the gobi server with an unexpected load. Rob assumed one of the developers was responsible, so he e-mailed the development team reminding them not to send marketing e-mails from the gobi web server. After he deleted the pending marketing e-mails and got the server up and running again, he relaxed by firing up the Slashdot website and downing some Tylenol.

Monday, December 19, 2005, 13:11
Llana averted her eyes when she entered Rob's cube to find him browsing suicidegirls.com.

"Hey, customer service is worried about some issue with tons of disputed false orders, and since Lex isn't in I suggested they direct the issue to you."

"Yeah," snorted Rob, "but have you heard of e-mail?"

Llana frowned. "I sent you the details, but this is kind of urgent so I wanted to make sure and see if you needed some help."

Rob mumbled something and didn't pay attention as Llana slunk away. Skimming the e-mail, he noticed a suspicious pattern with the "false" orders: they were all being delivered to the same P.O. box. He went to the database to find out more:

This didn't look good. Orders that were supposedly placed by different users were all coming from the same IP address and being sent to the same P.O. box in Alaska. It seemed clear that an attacker had either compromised the individual user accounts or somehow broken into the ClimberCentral system. Rob drew up an action plan:

1. Cancel all orders to P.O. Box 37452 in Bloomingdale, Alaska.
2. Notify public relations that the company's servers had been compromised, and have them contact affected customers.
3. Have Llana take down the website and put up an "under construction" page until they resolved the security hole.
4. Block the 253.102.200.3 IP address from accessing the network.
5. Begin the investigation process, probably by making backups and contacting Lex.

Monday, December 19, 2005, 14:35
Llana had enrolled a guy from marketing who knew a bit about Linux to help her make backups. Rob was still trying to reach Lex in Hawaii, to see if he knew how they should proceed.

The IP address 253.102.200.3 was the only information Rob had to act on. After getting bored of calling Lex's hotel to find out whether he'd come back from his hike yet, Rob decided to investigate ClimberCentral's access logs and see if he could find other useful information.

Continue reading about this challenge in Chapter 3: Big Bait, Big Phish of Hacker's Challenge 3.

Get the solution to this challenge.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Phishing Trojan downloaders, droppers skyrocket, Microsoft says New phishing, Zeus Trojan technique spreads crimeware New Storm attack exploits April Fool's Day Clinton, Obama campaigns used in spam blasts How secure is online banking today? Google-Postini email services deliver security market message PDF spam reemerges in some inboxes Researcher warns of new do-it-yourself phishing program Spam continues surge as spammers become clever in '07 How effective are phishing links that refer to FTP sites? Phishing Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary crimeware  (SearchSecurity.com) pharming  (SearchSecurity.com) phishing  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) spear phishing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary