Today in “Attack techniques so stupid, they can’t possibly succeed… except they do!” — we look at Invoice Scams. PayPal and other sites allow anyone (an attacker) to send anyone (their victims) an invoice containing the text of the attacker’s choosing. In this attack technique, PayPal sends you an email suggesting that the attacker alreadyContinue reading “Attack Techniques: Invoice Scams”
Tag Archives: InfoSecTTP
Attack Techniques: Trojaned Clipboard
Today in “Attack techniques so stupid, they can’t possibly succeed… except they do!” — the trojan clipboard technique. In this technique, the attacking website convinces the victim to paste something the site has silently copied to the user’s clipboard into a powerful and trusted context. A walkthrough of this attack can be found in theContinue reading “Attack Techniques: Trojaned Clipboard”
Attack Techniques: Remote Control Software
In yesterday’s post, I outlined the two most successful (and stupid simple) attack techniques that you might not expect to work (and you’d be so very wrong): Today, let’s explore number 3: “Please give me control of your computer so I can, uh, fix it?“ In this attack, an attacker convinces you that there’s someContinue reading “Attack Techniques: Remote Control Software”
Attack Techniques: Full-Trust Script Downloads
While it’s common to think of cyberattacks as being conducted by teams of elite cybercriminals leveraging the freshest 0-day attacks against victims’ PCs, the reality is far more mundane. Most attacks start as social engineering attacks: abusing a user’s misplaced trust. Most attackers don’t hack in, they log in. The most common cyberattack is phishing:Continue reading “Attack Techniques: Full-Trust Script Downloads”
Attacker Techniques: Gesture Jacking
A few years back, I wrote a short explainer about User Gestures, a web platform concept whereby certain sensitive operations (e.g. opening a popup window) will first attempt to confirm whether the user intentionally requested the action. As noted in that post, gestures are a weak primitive — while checking whether the user clicked orContinue reading “Attacker Techniques: Gesture Jacking”
text/plain 