Link substitution is a type of attack in which the victim is offered one link, and they lead to a completely different one.
Why do they replace the link
Deanonymization and data collection
The most popular way of deanonymization via messengers is to send a link, the opening of which will lead to a malefactor getting information about the victim. It’s not only necessary to obtain the IP address, as you have already known from the course, by clicking on the link you can find out whether there are accounts in social networks, what sites the victim visits, and much more.
Even if the victim uses a VPN and hides their real IP address, there are dozens of ways to deanonymize VPN users, such as matching connections or sending a fake request to a VPN provider asking you to give out your data.
Infection
Infecting a victim by simply opening the site is not a very common attack, since it requires the attacker to use zero-day vulnerabilities; sometimes it may be required several vulnerabilities like that. For example, if you are an attacker and you have two vulnerabilities for the Chrome browser and for Windows, what is the guarantee that the victim will not have Safari and macOS?
Definitely, you can initially conduct reconnaissance, for which to use the same link substitution, but this is another story. One way or another, zero-day vulnerabilities that could lead to a discredit of the victim's device by simply opening the site are in hands of hackers at the state level or companies selling solutions to states, but it is unlikely that a script kiddie or medium-sized hacker will have it.
Sometimes malefactors exploit known vulnerabilities, but in this case, the victim should not have browser updates or other vulnerable components installed, such as Flash.
Incomparably more often malefactors try to force the user to infect themselves, for example, download and open a file or install the necessary browser extension. Probably, 99.9% of malefactors act this way, because the thinking head was, is and will be the best antivirus.
Data theft
In this attack, the victim is sent to a fake website, externally indistinguishable from the original, where they must enter their data. Usually it is a copy of a popular site, like social network, online bank, postal service, dating site. Even the domain does not visually differ from the original one from the high-profile malefactors; we wrote about how this is possible in this chapter.
But no matter how effective the attack is, no matter how qualitative the domain is for phishing and no matter how powerful the malefactor is, they need the victim to open the link.
How to make the victim open this link? Social engineering (the skills of motivating the victim to any action) and the substitution of links are helpful in this case. This feature is in different messengers, even in the recommended Telegram and Jabber.
How is the substitution of links going on in the messenger
Jabber
Jabber has a lot of customers; I will show Pidgin as an example. To carry out this attack, you must start a dialogue with the victim, then click the Insert button and select the Link item, which is intended to be sent to the link user.
The Link item has two lines:
1.URL – this is where we insert a link to our trap site (where the victim will actually go)
2.Description – this is where we write the address of the bait site (where the victim will expect to end up)
After adding the link, press the Insert button.
As a result, we got a completely innocuously looking link, under the image of which the address to our trap site is hidden, where the victim will end up.
Professionals, when using link substitution to de-anonymize or gather information, usually carry out this attack very gracefully; the victim first gets to the trap site, where they leave information about themself, and then immediately move to the bait site, where they have planned to go. As a result, the malefactors get the data, and the victim never knows when and how it happened.
Telegram
In Telegram it is a bit more difficult to work, since the user will be shown the full link before the transition, where they should go. It is especially important to use the most similar domain name.
Usually the work is done as follows: a known site is taken and a similar domain is registered. For example, we will simulate the Privnote one-time note service website and register a fake in another domain zone, for example privnote.co.
We are setting up the privnote.co website to redirect all requests to the original privnote.com website without collecting any information other than the links we specified, those that will be used for the attack. Let our goal be to obtain information about the victim, and for this we will deploy on our website scripts to collect the following data:
- IP address
- User agent,
- browser fingerprints,
- social networks where the victim is authorized.
We start communicating with the victim and agree to send them valuable data, to send the password we are using Privnote. When creating a Privnote link, we create a real note in the service and a similar link on our trap site.
When creating a message to the victim, add the original link, then select it and click Format> add a link.
When editing, add a link to the site-trap.
When opening such a link, the victim will first go to the trap site, where they will leave all the data we need. Then, in several seconds, they will be redirected to the real Privnote site with a real note and, most likely, they will not even suspect anything wrong.
How to protect against link substitution
The only effective defense against this attack is your attention. It is necessary to remember about the possibility of replacing the link and check the real addresses which you go to.