When a Web application improperly redirects a user’s browser from a page on a trusted domain to a bogus domain without the user’s consent, it’s called Web Jacking. Web Jacking attack method is another type of social engineering attack method called Phishing attack, often used to steal user data, including login credentials and credit card numbers. When an attacker impersonating an object, cheats the victim by opening an email, instant message, or text message. The recipient is then tricked into clicking on a malicious link, leading to a malware installation, program freezing as part of a ransomware attack, or exposure to sensitive information.
Attacks can have serious consequences. For individuals, this includes unauthorized purchases, money laundering, or identity theft. Also, identity theft is often used to gain corporate or government networks as part of a larger attack, such as an Advanced Persistent Threat (APT). In the latter case, employees are compromised to go through security perimeters, distribute malware within a closed area, or gain access to secure data. An organization defeated by these attacks often supports greater financial losses in addition to declining market share, reputation, and consumer confidence. Broadly speaking, a criminal attempt to steal sensitive information can escalate into a security incident where the business will have a difficult time recovering.
The setup for the attack is simple:
1. A hacker registers a free domain name that is the same as the domain of a web application. Using a generic attack vector, the attacker sets up the real site to be malicious and lies about the domain name of the real site.
2. The attacker sends a request to the legitimate web application using the domain of the malicious site. The request for authentic information from the victim (e.g., a user account) causes the web application to sign the user out. The attacker uses the user’s user name and password to log in as the victim.
3. The attacker can now use the victim’s user name and password to log in as the victim. If the attacker uses the name and password for the victim’s account, they can access any information from the victim’s account on the legitimate website. The attacker can now send an authentication request with the victim’s real name and password to its legitimate website. The victim’s account will only accept this request if the user name and password match the attackers.
4. The attacker signs up for a free domain name that contains one or more numbers or special characters. Using the official domain name of the site as the source of the registration, the attacker registers an account at a hosting service or cloud storage site. Using this account, the attacker posts a malicious script to the host site that contains the malicious user name and/or password. The script performs a malicious action on behalf of the victim.
5. The attackers often use malicious scripts that work with popular cloud storage sites such as DropBox or Google Drive. After the malicious script is uploaded to the hosting service or cloud storage site, the malicious user name and/or password are displayed on the account page.
6. The user is directed to a login page hosted on the hosting service or cloud storage site. The user is then asked to enter his or her own user name and/or password. The user is then shown a fake login form that uses the user name and password for the malicious site. If the user is tricked into entering the fake login form, the host site or the cloud storage site is logged out of the account. This means that the user’s legitimate account is logged out of his or her account as well.
7. The attacker is now able to log into the victim’s account. This is because the victim’s account was logged out when the user visited the login page. The attacker can now use the victim’s legitimate account to download any file the victim has on the host server or cloud storage site. The attacker can also delete any files stored on the cloud storage site, and users are never alerted to the incident.
Step 1: To use the web jacking attack method, we will use a tool in kali Linux called setoolkit.
Step 2: Open your kali Linux system, then open the Terminal window.
Step 3: Type a deadly setoolkit.
Step 4: It will show many ways to attack, but you will have to choose a Social-engineering attack.
Step 5: Type 1 to choose a Social-engineering attack. It will show multiple methods of engineering attack. Here, you have to select a vector to attack the website, so type 2 will show different ways to attack it.
The above methods will create a fake webpage similar to the victim’s web page and host it on your computer.
Step 6: Copy the link (IP of your computer that you previously installed) to the fake website and send it to the victim. If the link is your home IP address, then change it to a domain name. To convert your IP address to a domain name, open the link and type your computer’s IP address here. It will create a link. Now, your link is ready to copy and send to the victim, then wait until they enter their details.
Step 7: When the victim opens a link in their browser, the browser displays the message “help www.abc.com move to another address, click here to go to a new location,” and click this link, they will find it redirected to a fake webpage.
Users who receive emails with phishing links should always check the URL first by typing the URL in the address bar rather than clicking the link. If the URL does not match the expected website, the user should not click on the link and should also not click on any suspicious links in emails. Users should also avoid clicking on links sent in emails with an embedded image or if the sender starts with a link that looks like a typical URL.
The purpose of this Web Jacking is to damage someone’s reputation or to take away a ransom from the real owner. It is a very interesting method that tries to deceive the user that the web page is real, but in reality, it is a fake page, and then by clicking on the victim, they get all the information of the victim.
So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give them an edge in this competitive world.