Taking over control of a user's browser
People often ask me whether simply opening a malicious website can affect their computer, and whether simply clicking on a link can let someone infiltrate and take over their computer. My answer is "yes". In this article I will explain how this is possible and describe ways to effectively defend yourself. I'll try to give you a simple overview of how an attack on a user's web browser proceeds, without too much technical detail. For demonstration purposes, I have created a virtual lab in which the target browsers are Microsoft Edge, Mozilla Firefox and Google Chrome running on Microsoft Windows 10. It is important to emphasize that all browsers on the target Windows 10 computer had the latest updates installed and that antivirus protection was enabled through Windows Defender. No other antivirus product was installed on the system.
How does such an attack work?
Now let's assume that we have created a C2 server and are successfully running the BeEF software on it. We have also created a website and imported the library that handles the connection to the C2 server. Everything is ready, and now we just need to get the victim to open the website. For this purpose we can use social engineering techniques, for example phishing emails, phishing scams and others. Various social engineering techniques have been discussed in this article.
After the victim opens the fraudulent site and the connection to the C2 server is successfully established, the victim appears in the sidebar of the BeEF web interface: the Online Browsers category lists the connected victims together with their browser and IP address. I will keep all IP addresses and domain names obscured in this article.
At this point, the attacker only needs to select a specific victim and execute a command from the framework library. The BeEF framework contains scripts that can be used to trigger various pop-ups on the victim's computer, take a webcam snapshot, or take a screenshot of the system. The following figure shows how easy it is to select a specific command and execute it.
For a concrete demonstration of the use of the BeEF framework, I chose the case of triggering a message in the user's browser. I chose the appropriate command from the command library, filled in the text to be displayed to the user and executed it.
The moment I launched the attack with the Execute button, the following window appeared on the target computer in Microsoft Edge.
Pop-up window in Microsoft Edge (eng: You've just been hacked)
Pop-up window in Google Chrome
It is likely that the attacks described above would not work if the user had a good antivirus program installed on their computer or if the company had a properly configured web application firewall. The BeEF framework is a well-known tool in the cybersecurity industry, which is mainly used to demonstrate attacks on web browsers. But precisely because it is an open source tool, it can be customized and used for much more sophisticated attacks. With this article, I wanted to demonstrate that even simply opening a web page can have a significant negative impact.
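On the defensive side, a hooked browser like the one described above stays connected by repeatedly contacting the C2 server, and that machine-like regularity can be looked for in web proxy logs. The following is an added example, not part of the original article or of BeEF; the log format, host names, addresses and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

def build_sample():
    """Constructed proxy log lines: timestamp, client IP, host, path."""
    lines = [f"2024-05-01T10:00:{i * 5:02d} 10.0.0.5 hook.example.test /poll"
             for i in range(12)]  # hooked browser: one request every 5 s
    lines += [f"2024-05-01T10:00:{s:02d} 10.0.0.5 news.example.test /page"
              for s in (1, 3, 4, 20, 21, 47, 55, 58)]  # a person browsing
    lines.append("truncated-line")  # malformed entry, must be skipped
    return lines

def find_polling(lines, min_requests=10, max_jitter=0.1):
    """Return (client, host, mean_gap_s) for near-periodic request streams.

    A stream is flagged when it has at least min_requests requests and the
    spread of the gaps between them (standard deviation / mean) is at most
    max_jitter, i.e. the timing looks scripted rather than human.
    """
    seen = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # not a complete log entry
        try:
            stamp = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        seen[(parts[1], parts[2])].append(stamp)

    hits = []
    for (client, host), stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_jitter:
            hits.append((client, host, round(mean_gap, 1)))
    return hits

if __name__ == "__main__":
    for client, host, gap in find_polling(build_sample()):
        print(f"{client} contacts {host} every ~{gap}s: review this host")
```

Legitimate pages such as webmail or chat clients also poll on a timer, so a hit is a lead for triage against the destination host, not proof of a hooked browser.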