It is a doctrine of war that we must not rely on the likelihood of the enemy not coming, but on our own readiness to meet him: not on the chance of his not attacking, but on the fact that we have made our position invincible- Sun Tzu
When it comes to the vulnerabilities presented by the online aspects of the music industry, the opportunities for penetration tester’s to employ their skills are far and wide. However; as numerous as these opportunities may be, they are still for the most part often overlooked. And with great peril.
Think about something for a moment. When's the last time that you or anyone that you know have gone into a brick and mortar record store and purchased the music that you felt like listening to?
Why would you when you can just as well go online and obtain whatever type of music that suits your taste for free or at a far lesser price than what you'd pay at the record store? Sometimes what you pay for that music may be as simple as registering to a site and creating an account. Ta'Dah! Unlimited music. It cost you nothing. Or did it?
We're all aware that there are computer systems floating around in cyber-space minding their own business without any human interaction. However, I personally stand on the belief that behind every active operating system online there is a human being at the other end of it. And humans my friend, are vulnerable. Human beings can be hacked. And so the story begins... If I were an attacker.
If I were an attacker and I decided to go phishing into this gigantic ocean called the music industry, here's an example of how I could very easily put together a social-engineering scheme. We'll take this website as our target. Mainly because I am personally okay with one of the writer's over there. I am a die-hard fan of the Gazzmic Revolution.
But more so, the entire theme of this site to me was a perfect model to use showing how easily an attacker could take just the content of the site alone and use it against itself to craft a social-engineering scheme.
(Note: Notice how in this example the actual web site was never even tampered with by the attacker. All gathered information was passive in nature.)
The attacker would be making use of only two tabs within the entire site to construct his scheme around. Namely, The Gazzmic Manifesto Tab and The Invite Code tab.
Now, whoever wrote The Gazzmic Manifesto did one hell of a good job. That Manifesto reads brilliant. However, to an imaginative social-engineer, the attacker could very easily fire up SET in conjunction with The Harvester and have a mighty fun field day with the content and theme of this site by making use of the mass mailer attack.
Here's how the original Manifesto reads:
Now imagine an astronomical number of artist and fans being targeted with an email containing the original manifesto with the last line reconstructed to read:
"Join The Gazzmic Revolution! Gazzmic is your revolution. We believe that we are on the cusp of a new Renaissance in music, made possible by web technology. Fear not the future! Join the grass-roots movement that will take on the corporate giants head-on. With your help, we can take back music for the artists and fans."
"That's why we've exclusively chosen you as one of our artist/fans to be featured in our upcoming SKYPE interviews where you'll have the opportunity to introduce the world to the new revolution."
"Remember, this is your revolution!To assist our artists/fans with claiming their exclusive spot in the revolution, we've created a members only access page on [NAME OF SOCIAL MEDIA SITE]."
"This link will direct you to a custom page that we've created for security purposes to protect the privacy and integrity of our members. By signing into this page you will be directed to the official public page."
At this point there's nothing more to do. You're account will be automatically created. You will receive a follow-up email asking you to confirm your account:
"Click here [link with attackers IP address] to begin the revolution."
Of course, given that the victim fell for the attack, if you were an attacker the results are apparent right there inside your command terminal.
If on the other hand, you were a penetration tester, depending on the scope of the penetration test, you could send follow-up emails to all of the victims containing their usernames and passwords revealing to them that their accounts have been compromised.
You could even outline the details of the attack and offer tips and recommendations on how they could defend themselves from future attacks. Imagine how valuable these type of findings would be to a music industry executive?
Now the other part of the site that we'll make use of is the Index Tab? I thought this was ideal because it hints at exclusivity. It plays on the psychology of the victim in such a way that it makes them feel “ chosen ”.
Here's the original invite code presented along with the same message reconstructed by the attacker. Look here to see how the page looks on the actual site.
Now here's the attacker's message, mind you, presented to the victims in the form of an email:
"Invitation codes were provided in the past to select bands for testing purposes. We are no longer accepting nor using invitation codes. Instead, we have set up an exclusive screening process of all artist/bands."
"We will now send you an email containing the link to an exclusive page that we have created for all artist and bands located here on this [NAME OF SOCIAL MEDIA SITE] Follow the link inside of the email and sign into the site using your current credentials."
Note: we've created an exclusive page to ensure the privacy and integrity of our members accounts. Once you log in you'll be directed to the official public page of this social media site. At this point, there's nothing more that you need to do. You're account will have been automatically created for you.
You will receive an email asking you to confirm your account. Music Will Never Be The Same! Click on this link [the attackers ip address] to be invited into the revolution.
Now this is just a very basic case study. It is in no way intending to point out a vulnerability in the Gazzmic Movement and what they have going over there. It was not meant to instruct one in the use of tools like The Social-Engineering Tool Kit.
If you wish to learn more about the tool and it's usage you can either visit the link provided at the top of this post or just Google it own your own. There's tons of information covering it.
This was just an example pointing out one of the ways an attacker could carry out a social-engineering attack in the arena of the online music industry. People love music. People love having the shot at being the star. But people are vulnerable, my friend.
Humans... can be hacked!
Find more interesting topics like this one covered at The Hacker High School.