One of the greatest and most overlooked tools in a hacker’s toolbox is charm. In some cases it can be more productive than a fancy script, as University of Hamburg student Nikolai Philipp Tschacher showed. Not only did he charm 17,000 programmers into running a script that was sketchy at best, but some of those 17,000 programmers work for the US military and the US government. Luckily, the malware-laden code he wrote won’t do much harm: it was part of an experiment conducted for his bachelor thesis, designed to see whether he could fool programmers into using his code. To do so, he employed a variation of a decade-old attack known as typosquatting.
Tschacher uploaded his code to three popular developer communities and gave the packages names similar to those of widely used packages already submitted by other users. It was estimated that the code was executed over 45,000 times on more than 17,000 separate domains. Among the affected websites, two were ‘.mil’ domains, meaning the US military, an indication that people inside the US military also downloaded and ran his script.
College Student Charmed His Way Into Military And Government Websites
“There were also 23 .gov domains from governmental institutions of the United States,” Tschacher wrote in his thesis, titled “Typosquatting in Programming Language Package Managers.” This is a scary fact: this time it was only a student doing a thesis, but next time it could lead to disastrous consequences. Hopefully, Tschacher’s little thesis has shown the government some of the vulnerabilities it might have.
The typosquatting technique has been used by hackers and cyber criminals since the dawn of the Internet era. It has its roots in so-called typosquatting attacks on domain names, in which attackers and phishers registered domains such as gooogle.com, appple.com, or similarly mistyped names that closely resemble trusted and widely visited domains. When end users accidentally entered these names into their address bars, the typos sent their browsers to malicious imposter sites that masqueraded as legitimate destinations while pushing malware or trying to collect user passwords.
Tschacher based his attack on bitsquatting, a variation of typosquatting: where typosquatting relies on users entering a wrong domain name, bitsquatting capitalises on random single-bit errors made by computers. He began by finding the most downloaded packages on PyPI, RubyGems, and NPM, the community package repositories for the Python, Ruby, and JavaScript programming languages respectively.
He then gave his untrustworthy code names closely resembling those of the 214 packages and uploaded them. Tschacher’s script also displayed a warning informing developers that they may have inadvertently installed the wrong package. But before it did, the code sent a web request to a university computer so he could keep track of how many times his faux code was executed and whether it had been given administrative rights. Surprisingly, as many as half the people who downloaded the code gave Tschacher’s code all-powerful administrative rights, most of them seasoned programmers.
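As an added illustration of the defensive side of this story (not code from Tschacher’s thesis or the article), the following pre-install check flags a requested package name that is a single-bit flip or within one edit of a package on a known list, the two cases the experiment exploited; the known-package list and the names checked are constructed samples.

```python
import string

# Constructed sample allow-list; a real deployment would use the organisation's
# vetted dependency list rather than this hand-picked set.
KNOWN_PACKAGES = {"requests", "urllib3", "setuptools", "numpy", "six", "django"}
ALLOWED_CHARS = set(string.ascii_lowercase + string.digits + "-_.")


def osa_distance(a, b):
    """Optimal string alignment distance: one edit per insertion, deletion,
    substitution or adjacent transposition ('reqeusts' is 1 from 'requests')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def single_bit_variants(name):
    """Names reachable from `name` by flipping one bit of one character,
    keeping only results that are still valid lowercase package names."""
    variants = set()
    for pos, ch in enumerate(name):
        for bit in range(7):  # flipping bit 7 leaves ASCII, never a valid name
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in ALLOWED_CHARS:
                variants.add(name[:pos] + flipped + name[pos + 1:])
    return variants


def check_package_name(name, known=KNOWN_PACKAGES, max_distance=1):
    """Classify a requested name against the known set. Returns
    (verdict, matched_known_name), verdict in known/bitsquat/typosquat/unknown."""
    name = name.lower()
    if name in known:
        return ("known", name)
    for k in known:  # a bit flip is also edit distance 1, so test it first
        if name in single_bit_variants(k):
            return ("bitsquat", k)
    for k in known:
        if osa_distance(name, k) <= max_distance:
            return ("typosquat", k)
    return ("unknown", None)
```

A name classed as typosquat or bitsquat should block the install and prompt the developer to confirm the spelling against the intended package; an "unknown" verdict only means the name is not near anything on the list.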
As Tschacher hoped, his experiment was a success, with as many as 17,000 users downloading his sketchy code, some of them from military and governmental backgrounds. This gives you an idea of how charm can fool people into using things they really shouldn’t be using.