SSL hacking and invisible hacking




Posts: 2

Joined: Fri Mar 02, 2012 2:03 pm

Post Fri Mar 02, 2012 2:40 pm

SSL hacking and invisible hacking

I am not sure if I am posting to the right place. Please correct me if I am wrong.
We want to hire some professional to assess the vulnerability of our current web site.

We need to prove or disprove the following possibilities:

1. Our competitor is diverting all our new customer's email to themselves by intercepting their message sent from our web form.

2. In order for their operation to be successful they must keep me from detecting or knowing such an attack is taking place.

3. They can do so (keep this entire operation stealth) by detecting the user's ip and other rules for them to differentiate between genuine new customer and our anti-hacker engineer. such as:

1. Only intercept and redirect their email if they are from our Google Adwords account.
2. Must from a local ip.
3. Do not intercept those on my address book and those in their address book.
So that all my friends will tell me my site is not under attack.
4. Fake our SSL certificate.

Even though we are using SSL certificate, we are still not getting email from our web form while our web log clearly shows that these people been to our contact-us page.

May be I am being paranoid. But I need to prove or disprove the possibility. I need someone to replicate this situation and tell me it is possible for someone to hire a hacker to accomplish such while keeping me completely unaware.

Thank you


User avatar

Sr. Member
Sr. Member

Posts: 379

Joined: Tue Dec 30, 2008 1:53 pm

Post Fri Mar 02, 2012 3:32 pm

Re: SSL hacking and invisible hacking

Maybe I'm missing something.....but couldn't you just go create a free Gmail account and try to send an email through your contact page?

...And just because the email doesn't go through, that doesn't mean a competitor is redirecting the email. I think the "KISS" principal probably applies here.

eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+



Posts: 1134

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Mar 02, 2012 3:45 pm

Re: SSL hacking and invisible hacking

Do you have any evidence that people are actually completing the form after visiting the contact page? What you're describing is an extremely unlikely scenario.

You might want to dive back into the logs and/or do some packet captures to get a better idea of what's going on. You can review the code (or verify the checksum against a known clean version of the page if compiled) to see if anyone has added that extra logic you're describing.

If everything looks good on the web server, there may be an issue on an intermediary server, such as email server.

SSL is only going to encrypt the information in transit (assuming you use it everywhere -- you're only getting partial protection if you do something like accept an HTTPS post and then blast it out via SMTP); it doesn't magically protect you against the other myriad attacks in existence. You shouldn't assume your web app is secure simply because you installed an SSL cert.

Edit: +1 Ziggy
The day you stop learning is the day you start becoming obsolete.



Posts: 2

Joined: Fri Mar 02, 2012 2:03 pm

Post Mon Mar 05, 2012 4:33 am

Re: SSL hacking and invisible hacking

Thank you all for your reply.

Let image you are the attacker. The worst thing you want is for me to find out you're attacking me. The mentality of the attacker is to be stealthy.

If you are intercepting the email messages sent from our web form and diverting the messages to yourselves. How are you going to prevent me from knowing it?

With my limited knowledge I can think of detecting IP. By knowing my ip your scrip can allow me to send a test message without blocking / intercepting me. So that I would be fooled to think everything is OK.

Of course another way for your hacker program to distinguish between a genuine new potential client and our anti-hacker team is to detect where are they from.

If the referring link is from our Google Adwords then likely it's a genuine new potential client.

If the referring link is from nowhere then likely it's a anti-hacker engineer and you don't want the anti-hacker engineer to know this attack is taking place.

These are just 2 of my most superficial rules in an enormous rule-base for your webform-intercepting-script to stay stealth.

As you know in order for this attack to stay stealth it would require a lot more sophisticated rules than these 2.

Because our anti-hacker team won't be so stupid to test our site from nowhere, of course they would pretend they are a genuine customer by clicking our Google Adwords.

We only run our Adwords locally. So you don't want your script to intercept visitors from a foreign ip.

I can pop into any local hotel, bar, or any other easily accessible Internet terminal to send myself a beautifully drafted test message from our web form.

So your script must know all the ips of local hotels, internet cafe, etc, and take them into account in its rule-base.

I can ask my friends to run a test from their office computer. So your script must know who my friends are. You have to implement a Trojan horse into my cell phone to do so. Your also need to hack my friends cell phone to know who their friends are. Worm may come to mind. So that your script won't intercept their messages.

With my limited knowledge and experience I can only think of these rules. There are probably other holes missing.

Your script must be invisible in a normal FTP client if you decide to hack our hosting server .

What makes me think this attack is happening? Because it is not logical to receive 3 new contacts in one day then zero for five days.

Return to Forensics

Who is online

Users browsing this forum: No registered users and 1 guest

Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software