* (all names have been REDACTED for the safety of those involved)
In 2016, I had the pleasure of writing a blog post appropriately named “PranksGiving”. In that post, I outlined my newly-found sense of paranoia in both the security and prank spaces. My hope is to continue this tradition and keep you apprised of some of the more clever pranks that have occurred since 2016, and how they relate to common threat types and attack vectors.
Beware of Mistaking a RAT (Remote Access Trojan) for a Mouse
A Remote Access Trojan, or RAT (sometimes called creepware), is malware that opens a back door giving the attacker administrative control over a machine. The payload is typically disguised as, or bundled with, a legitimate program and installed unbeknownst to the user. Once running, it lets the threat actor do just about anything on the targeted machine: drop additional malware, delete or alter files, read confidential information, and watch the screen, keyboard or webcam. Because legitimate remote-administration tools behave in much the same way, this type of attack can be hard to detect. A similar tactic was applied when REDACTED substituted a wireless mouse for malware, plugging its receiver into a coworker’s laptop. This resulted not only in the victim questioning their sanity, but in the alteration of the victim’s wallpaper.
Takeaway: Keep your A/V and endpoint-protection software up to date, and use caution when downloading programs or opening attachments that aren’t from a trusted source. Finally, restrict network traffic with a host firewall in both directions: blocking unused inbound ports closes the door, and limiting outbound (egress) connections denies a RAT the command-and-control channel it needs to phone home.
Be on the Lookout for an Evil Maid Attack
First of all, I have to take a second to recognize the infosec community’s knack for naming threat actor groups and threat types. The “Evil Maid Attack” is no exception. This attack occurs when a threat actor physically targets an unattended machine, classically a laptop left in a hotel room. It is characterized by the attacker getting physical access to the victim’s device, often more than once, without their knowledge: tampering with it on the first visit (for instance, altering the boot process of a disk-encrypted laptop so that it captures the owner’s passphrase) and returning later to collect the results. This technique is exceptionally applicable when it comes to pranking your desk-mate. For example, if your intended prank victim owns a digital frame, one could gain physical access to the USB drive containing the files displayed on said frame and inject some new images.
Takeaway: Never accept a free USB drive…ever, and never leave a device you care about unattended and unlocked. Full-disk encryption alone does not stop an attacker who can touch the hardware, so keep firmware up to date, set a firmware (BIOS/UEFI) password, and enable Secure Boot or TPM-backed boot-integrity checks where your platform offers them.
Know that Denial Ain’t Just a River
My apologies for using this cliché, but there is no better way to introduce the “oh so” common attack type: denial-of-service (DoS). In this type of attack, the threat actor aims to prevent legitimate users from accessing a service or network. A common form floods the target with connection requests carrying forged (spoofed) source addresses, so the server ties up memory and connection slots waiting for replies that never arrive; other forms simply exhaust the available bandwidth or crash the service outright. A plain DoS attack should not be confused with a distributed denial-of-service (DDoS) attack, in which the flooding traffic originates from many different sources at once (more on this later). In an open office environment, DoS-ing coworkers can be rather simple. The victim, in this case, chose to exit the open space for the comfort and quiet of a conference room for some heads-down work. REDACTED took this opportunity to throw two screaming monkeys (a common giveaway at cybersecurity conferences) into the conference room, effectively rendering the victim distracted. Had the attacker chosen a distributed denial-of-service, REDACTED could have enlisted the help of their coworkers, who could all toss in a screaming monkey simultaneously.
Takeaway: Antivirus does little against a flood. Instead, put a firewall or load balancer in front of your servers that can rate-limit and drop spoofed or abusive traffic, turn on protections such as SYN cookies and sensible connection timeouts, provision more capacity than you expect to need, and, for large attacks, arrange upstream filtering (a scrubbing service or your ISP) before you need it, so that bandwidth stays available to legitimate users.
Be Cautious of Picture Perfect Sessions
The final threat type we’ll be diving into today is cookie hijacking, a form of session hijacking. This is the exploitation of a legitimate, still-valid session to gain unauthorized access to information or services in a computer system. The attack is particularly relevant to web developers because the HTTP cookies used to maintain a session can be stolen: sniffed off an unencrypted connection, read by a cross-site scripting payload, or lifted from a machine the attacker can reach. Whoever presents the cookie is treated as the logged-in user, no password required. REDACTED employed a similar strategy in a recent office prank. The threat actor obtained legitimate family photos and, via Photoshop, injected their coworker’s face into said photos.
Takeaway: Encrypt the traffic passed between parties by using TLS (what many still call SSL), and harden the cookie itself: mark it Secure so the browser never sends it over plain HTTP, HttpOnly so script can’t read it, and SameSite so it isn’t attached to cross-site requests; use a long random session identifier, issue a fresh one at login, and expire sessions promptly on logout.
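As an added example (not code from the original post), the small Python helper below issues a session cookie with the attributes just described and audits a Set-Cookie header for the weak settings that make a cookie easy to steal or replay. The cookie name and the sample headers are constructed for illustration, and the minimum identifier length is this example’s own rule of thumb.

```python
"""Session-cookie hardening: issue a strong Set-Cookie header and audit weak ones.

Added example for this post, not code from the original. The cookie name and
the sample headers below are constructed for illustration.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple, Union

# Constructed example of the kind of header a naive application might send:
# a short, guessable identifier and no protective attributes.
WEAK_SET_COOKIE = "sessionid=1234; Path=/"

# 32 random bytes in base64url is 43 characters; this example treats anything
# under 22 characters (roughly 128 bits) as too short to resist guessing.
MIN_ID_LENGTH = 22


def build_session_cookie(name: str = "sessionid") -> str:
    """Return a hardened Set-Cookie header value for a new session.

    Secure   - only sent over HTTPS, so an observer of plaintext traffic never
               sees it (TLS on the server does not help if the browser will
               still send the cookie to an http:// URL).
    HttpOnly - invisible to document.cookie, so an XSS payload cannot read it.
    SameSite - withheld from cross-site requests, blunting CSRF.
    """
    cookie = SimpleCookie()
    cookie[name] = secrets.token_urlsafe(32)  # unguessable session identifier
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Strict"  # attribute supported from Python 3.8
    cookie[name]["path"] = "/"
    # output(header="") yields " name=value; ..." with a leading space
    return cookie.output(header="").strip()


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Union[str, bool]]]:
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return the hardening problems found in one Set-Cookie header value."""
    _, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    samesite = attrs.get("samesite")
    # A bare "SameSite" or "SameSite=None" still lets the cookie travel cross-site
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("SameSite missing or None: attached to cross-site requests")
    if len(value) < MIN_ID_LENGTH:
        findings.append("session identifier too short to resist guessing")
    return findings


if __name__ == "__main__":
    print("weak:    ", WEAK_SET_COOKIE, audit_set_cookie(WEAK_SET_COOKIE))
    hardened = build_session_cookie()
    print("hardened:", hardened, audit_set_cookie(hardened))
```

Run it as a script to see the weak header produce four findings and the hardened one produce none; the audit function can also be pointed at the Set-Cookie headers your own application emits.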
I hope you found this blog post both educational and mischievous. Be sure to keep an eye on your belongings this glorious holiday, and happy pranking!