Dangers of Live Chat Customer Support – Defacing a website
- Introduction
- Live chat
- Doing your homework
- What goes on behind customer support?
- Case Study – Executing the hack
- What not to do on Live Chat
- Prevention
- Conclusion
Introduction
Instant messaging has changed the way we communicate to a great extent. To provide a better user experience and increase sales, many companies now offer support over live chat, and you can find it almost everywhere. The benefits are numerous: instant support, quick resolution of queries, immediate reach and so on. But how safe is customer data when companies provide support over live chat?
While there are many psychological dimensions to chat, instant messaging and other forms of electronic communication, we will focus on the dangers of live chat and see how it can be exploited to compromise the security of a website we have no other access to.
Live Chat
There are many companies that provide 24/7 live support to their customers. Some of them include:
www.ixwebhosting.com – hosting 350,000 domains
www.hostmonster.com – hosting 450,000 domains
www.hostgator.com - hosting 1,300,000 domains
Live chat is usually split into three queues:
1. Sales
2. Technical
3. Billing
Our interest is in technical live chat, simply because those engineers will most likely have access to customer servers and applications. When you click a live chat button, it may ask whether you are an existing customer and, if so, for your cPanel (control panel) username and its associated domain name. But this is usually optional, and, as the case study below shows, a domain name may be all the operator asks for. Before you click "I'm an existing customer" to try something out, it is best you do your homework.
Doing your homework
It is always a good idea to first test the live chat of your target hosting company as a regular visitor interested in some plans. Note that most live chat tools let the support engineer see your IP address, the pages you visited and the time spent on each, so use an anonymizer rather than hand over a pattern of repeated visits and activity from one location.
Always have a Plan A and a Plan B. If one strategy fails, you should not look lost mid-conversation; quickly offer an alternative to keep it going.
Next, collect as much information as possible about the website you want to compromise. Start with the nameserver or DNS details, using online passive information gathering tools. If your target is a specific hosting company, you can also enumerate the customer domains hosted by it.
Some steps to get you started:
- www.technicalinfo.net – gather details such as DNS servers, IP address, admin contact, MX records, etc.
- www.netcraft.com – gather information about the OS, web server software, etc.
- www.dnslocator.com – find domains that use specific nameservers, such as "ns2.hostingcompany.com" or "ns3.hostingcompany.com"
- www.softbytelabs.com – use BlackWidow to mirror the website for offline browsing. This is important: you need to know the site map / structure of the website to find your way around.
- www.google.com – use Google search to dig out information about the website, from the names of the key people involved to blog posts by employees.
The above links are only to get you started. You can use any related tools for this activity.
What goes on behind customer support?
Jokes aside, the pressure to deliver a high CSAT (customer satisfaction) score is intense among managers in the support industry. Every time a call (case) comes in, the engineers are more worried about closing it the same day (a "slam dunk") than letting it pile up in their queue. Any customer who seems happy and satisfied in the conversation is a likely source of good feedback, which in turn reflects on the support engineer's performance review. So most support professionals are careful not to irritate or annoy customers. Most support engineers will not be happy if you demand to speak to their direct manager over a technical case. Then there are remuneration issues: new hires are often paid more; some managers diplomatically keep their best people from progressing; and most tech leads (TLs) are not exactly favourites. The last thing a support engineer wants is a low CSAT score.
Case Study – Executing the Hack
For this case we identified a domain (*******.net) hosted at a hosting provider (the name and screenshots have been modified to avoid legal issues). We start the live chat and select technical support. My comments are inserted inline between // markers.
Please wait for a site operator to respond
You are now chatting with ‘Zeyad Abed’
Zeyad Abed: Hello, my name is Zeyad, please let me know how can I help you?
you: helo mtr zeyad this is sarah
// a woman’s name always has a better chance of looking innocent //
you: i m trying to change the image but it givings me eror al time
// the spelling mistakes are intentional. //
you: from FTP
you: it says cannot rename folder
you: but im able to see everything
you: why?
you: hello?
Zeyad Abed: Provide me your domain name please
you: ******.net
Zeyad Abed: Hold on please let me check it
You: its header .gif under images folder im unbale ti rename it
you: i have new update byut its not gettng copiedand keeps giving me error “connection tiemed out”
// the intention is to give the impression that I'm a dumb user. If you notice, there are no full stops to separate the sentences; I did not want him to pause and think over a sentence before moving on to the next. //
you: we have to update zonal lead changes today as after saturday on monday the customers will start updating it
you: hello?
Zeyad Abed: Yes im checking now
you: okies
// smiley to make the conversation a bit light //
Zeyad Abed: Thanks
you: damie use ‘sarahmon321′ as pass n lemme kno ok?
// I type in a message that seems meant for a 'trusted' friend, as it contains a general password. This move has numerous benefits: although it looks like a genuine mistake, the vulnerable position distracts the support engineer, and it also helps in gaining trust. //
you: oh sorry it was not for you
you: mistake
Zeyad Abed: It’s ok
you: i hope u wont use it on my email
// this re-enforces my vulnerable position. He can access my mail if he wants to…//
you: too many chat boxes got confusd
you: you also facing the same issue?
you: i think something is wrong on the folders? that image is locked or something?
Zeyad Abed: Sorry , just give me a minute please
you: ok tk ur time
Zeyad Abed: Sorry the pic in your main page?
you: yes its on the main page u can see? above the image of hands?
you: clock sorry
you: pls dont delete that im only truing to rename it for putting new one
// stating not to delete the image makes you look genuine //
Zeyad Abed: Sorry all the pic in your site working
you: so what to do now?im unable to relpace it
Zeyad Abed: Sorry form your side you can’t see the pic in your main page?
you: arry i can see it…
you: its not that i want to rename it frmo FTP so that we can replace with new image its not taking it
you: its not geeting overwritten
you: its not getting replaced
// I typed too many sentences and looked desperate. I thought I was losing it. This was a mistake in my view. //
Zeyad Abed: Sorry but you can replace it go to your webshell please
you: waht is that?
// If I agree to the webshell, this conversation is over. It's best I deny any knowledge of it to buy more time. //
you: they have given me ftp password root
you: to update the site
you: can i do it from cuteFTP?
// this makes me seem like a restricted user who has been assigned a job //
Zeyad Abed: Sorry i mean your FTP
you: yes thats waht im telling you
Zeyad Abed: Sign in t oyour FTP
// good, I can drive this again //
you: im singned in ftp and inside images and see all files n folders
Zeyad Abed: Ok
you: ok can you try from ur end? any other image can u rename successfuilly? are u sure its not server issue? as i can see everthingh inside?
// ok, now we are on the same page. I only ask him to replicate the issue and check if everything is all right. This is as harmless as it can get //
Zeyad Abed: Which image you need to insert ?and where exact?
// It’s on the right track… Time to gently put a bit of pressure if needed //
you: can u try renaming *****logo.jpg?
you: its under images folder
Zeyad Abed: Ok
you: or any other image and tell me f its working?
Zeyad Abed: Ok
you: its not right? i told u…
// ‘ I told u’ is such an old game… //
Zeyad Abed: Hold
Zeyad Abed: Hold on please
you: [sad smiley]
// the sad smiley is the last nail in the coffin. //
Zeyad Abed: Rename it to what?
// my job is done //
you: .bak? for testing?
Zeyad Abed: bak?
you: its acce.bak —> backup
you: i dont want to delete any image in case i want it later
you: just renanme it to .bak frim .jpg n see if ts accepting there?
Zeyad Abed: Sorry i need to rename sklogo.jpg to which name you need it ?
you: sklogo.bak
you: or *****logoold.jpg
you: anything
you: working?
Zeyad Abed: Ok
you: its working?
Zeyad Abed: Yes it’s working now
// Bingo! //
you: ok leme se
you: see?
you: wait
Zeyad Abed: Take your time
you: hey how did u do that? what steps did u take?
// Rather, WHY did you do that! //
you: just cliekced on rename?
you: wow its working
Zeyad Abed: At first you must to click in your file which you need to rename it and then rename it
you: ok.. ohh.. .. leme try and get backl to you… ill test it again and let u know
you: zeyad u beeen an angel i was breaking my head almost
you: thank u!
Zeyad Abed: You are welcome
you: thanks again
Zeyad Abed: Is there anything else I can assist you with?
// they are so nice //
Zeyad Abed: You are welcome
you: i will try this n update rigte now! im so happy i can have my lunch happily
you: thanks to u. good day zeyad
you: tk care
Zeyad Abed: Bye
Zeyad Abed: Please feel free to contact us if you need further assistance, we are available 24/7.
you: sure! goood day!-
The result is shown in the screenshot below.
There were a number of other possibilities. Imagine asking the support engineer to rename a critical folder (such as "images", or a database or system folder), or, worse, to rename index.html to index.gone and take the whole site down.
What not to do on Live Chat
1. Ask for any data to be deleted
2. Reset / Change passwords
3. Make the chat professional uneasy early in the conversation
4. Appear too desperate
5. Give your real name, phone number or e-mail address
Prevention
One of the easiest ways to spot a fake conversation is to observe the language. The attacker will likely make a lot of spelling mistakes in order to sound like a genuine, unsophisticated user, and the questions can be too dumb at times: a user who has FTP access to the site root normally knows what to do with it. A rename that works for the engineer but supposedly fails for the customer is a sign that the customer's story, not the server, is the problem.
The more important control is procedural. Hosting providers must make sure support staff never modify the contents of a customer's website on the customer's behalf, not even to rename a file; the engineer should explain the steps and let the customer perform them from the customer's own authenticated session. Any request that touches customer files should also require the requester to prove control of the account first (for example by logging in to the control panel), rather than being accepted on the strength of a domain name typed into a chat box. Finally, support actions on customer accounts should be logged and reviewed, so that a write operation performed by a support account stands out.
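The following is an added example, written for this article and not taken from any hosting provider's tooling. It shows the read-only policy described above as code: write-type FTP commands (the RNFR/RNTO rename pair used in the case study, plus delete, upload, mkdir and chmod) are permitted only for the customer's own account, and an audit function runs that policy over server log lines to flag any write performed by a support account. The log line format, the account names, the role mapping and the paths are all constructed for illustration.

```python
"""Read-only policy for support-staff access to customer web space.

Added example for this article, not a hosting provider's own code. The log
line format, the account names, the role mapping and the paths are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# FTP commands that change customer content. RNFR/RNTO is the rename pair a
# support engineer would use to rename logo.jpg to logo.bak; the rest are
# its destructive siblings.
WRITE_COMMANDS = {
    "RNFR", "RNTO", "DELE", "STOR", "STOU", "APPE", "MKD", "RMD", "SITE CHMOD",
}

# Constructed account-to-role mapping. A real deployment would pull this from
# the identity system instead of a dict.
ROLES = {
    "sarah": "customer",         # the customer's own FTP account
    "support_eng1": "support",   # a support engineer's shared-access account
    "root": "admin",
}


def is_permitted(role: str, command: str) -> bool:
    """Read-only policy: only the customer (or an admin) may write.

    Support staff and unknown roles can still list and download, which is
    all they need to reproduce a problem; the customer makes the change.
    """
    if command.upper() not in WRITE_COMMANDS:
        return True
    return role in ("customer", "admin")


# Constructed log format: "<date> <time> <user>@<ip> <COMMAND> <argument>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<user>\S+)@(?P<ip>\S+) "
    r"(?P<cmd>[A-Z]+(?: CHMOD)?) (?P<arg>.*)$"
)


@dataclass
class Violation:
    ts: str
    user: str
    command: str
    arg: str


def audit(log_lines: Iterable[str]) -> List[Violation]:
    """Return every write operation done by an account not allowed to write."""
    violations: List[Violation] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a command record; skip it
        role = ROLES.get(m["user"], "unknown")
        if not is_permitted(role, m["cmd"]):
            violations.append(Violation(m["ts"], m["user"], m["cmd"], m["arg"]))
    return violations


# Constructed sample log: the customer lists and uploads from her own
# account, while a support account carries out the rename from the chat.
SAMPLE_LOG = [
    "2012-03-10 12:01:05 sarah@203.0.113.7 LIST /public_html/images",
    "2012-03-10 12:03:44 support_eng1@198.51.100.2 LIST /home/sarah/public_html/images",
    "2012-03-10 12:04:10 support_eng1@198.51.100.2 RNFR /home/sarah/public_html/images/logo.jpg",
    "2012-03-10 12:04:11 support_eng1@198.51.100.2 RNTO /home/sarah/public_html/images/logo.bak",
    "2012-03-10 12:09:30 sarah@203.0.113.7 STOR /public_html/images/header.gif",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"{v.ts} {v.user} performed {v.command} {v.arg}: "
              "denied by read-only support policy")
```

Run on the sample log, only the two support-account rename commands are reported; the customer's own LIST and STOR pass. Enforcing `is_permitted` at the FTP or file-manager layer, rather than only auditing afterwards, is what actually stops the case study above: the engineer could still look at the images folder to reproduce the problem, but could not rename anything on the caller's say-so.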
Conclusion
I hope this has given you an idea of the dangers of live chat and how it can be exploited to compromise the security of a website. Any feedback will be appreciated.