Hotspot Hotwar

 Most end users keep their Wi-Fi on at all times. With most devices the standard operation is to auto-connect, or to connect when the request is asked of it. I noticed a strange occurrence in my area, in which there are 8 xfinity hotspots within a block radius. I know COMCAST provides these to their users for the ability to connect when abroad. However, seeing more than 2 in a given area seemed odd. Having curiosity, I began to investigate. Before I connected I did some footprinting and noticed these 8 seemingly innocent hotspots all shared the same MAC ADDRESSES of only 3 ACCESS POINTS. One of the more odd facts is that two of the three APs had routers which belong to AT&T. With certain tools I was able to pinpoint with precise detail the location and physical address of said Access Points. These 8 "xfinity" hotspots are all coming from the exact location and sharing the same MAC ADDRESSES of the 3 APs therein.
  The security risk happens when a device connects. Immediately the device is flooded with packets which hold PAYLOADS linking to APPSFLYER.COM. These payloads are designed to change the device DNS, backdoor the device and use it as a slave/botnet for PAY PER CLICK and other AD REVENUE AFFILIATE PROGRAMS, as shown in this snippet of the payload:

00f0  20 42 75 69 6c 64 2f 4a  5a 4f 35 34 4b 29 0d 0a    Build/J ZO54K)..
0100  48 6f 73 74 3a 20 74 72  61 63 6b 2e 61 70 70 73   Host: tr ack.apps
0110  66 6c 79 65 72 2e 63 6f  6d 0d 0a 41 63 63 65 70   flyer.co m..Accep
0120  74 2d 45 6e 63 6f 64 69  6e 67 3a 20 67 7a 69 70   t-Encodi ng: gzip ...


 Further investigation shows that my DEVICE and ANY NETWORK I connected to, after receiving the PAYLOAD, would have its DNS changed and credentials spoofed to serve the benefit of those generating ad revenue. In the simplest of terms, what this means is: if the infected device or network were to go to https://ICANN.org, the traffic is rerouted and web traffic is then falsely represented, generating ad and pay per click revenue for affiliates.

 Additionally, the "xfinity" hotspot login page is SSL STRIPPED and an XSRF, meaning it is an illusion of the actual site, and anyone who enters their login info would have it and all data on the device compromised.
//this is known as Drive by Pharming and confirmed through use of the Metasploit Framework//

These are low level, affiliate, Pay Per Click, Identity Theft Criminals and Script Kiddies at best. Most people with newer, faster devices wouldn't notice payloads being unleashed upon their system. The broadcast strength is so powerful that these 8 "xfinity" hotspots stretch for about 1 kilometer, so even driving by with Wi-Fi on, within a few seconds you'll have connected and received the payloads, and by the time you've gone up the block the signal drops and you're none the wiser. Even if you take certain basic security measures within system settings there is still risk.

 These routers are sending out ARP and WoL packets that will trick a less secure device into connecting as soon as it enters their sphere of influence. Now, by the time we're home we've ingested megabytes of payloads, trojans and any other types of Malware from operations like this or from any malicious person(s).

These payloads, Cross Site Scripting and SSL exploits reach all the way to the top through allowance and negligence. Corporations, ISPs and even ICANN from a top down approach are all responsible for web crawlers, botnets and fake internet traffic.

 Only through education about threats and awareness of the technology around us can we be more secure, not just in our own lives but in the lives of those around us.

Summary:
*Keep Wi-Fi off
*Be cautious of any open networks
*Be security minded
*Be Aware

//

Below you will find a link to my google drive which has the full packet captures for you to analyze of this specific event.
PACKET WARS


                                                                                                             -SODAGHAR 11/20/15
