The Creature of the Black Network Lagoon

By Eric M. Feliciano


We often don’t worry about network security outside of work, and at times we probably don’t even worry about it while we’re at work. When we stop worrying about network security, that’s when it appears. It lurks in the dark, waiting to strike, and it needs to feed. This creature has no remorse and only wants to inflict pain and suffering on those it encounters. I’ve seen the creature firsthand and, believe me, it’s a force to be reckoned with. The Creature of the Black Network Lagoon can take many shapes when it’s attacking. It can strike in the form of malware within a file, a malicious link in an email, and even a friendly file transfer from a USB stick. Today, I want to share with you the tale of how the Creature of the Black Network Lagoon can easily obtain your username and password if you’re not vigilant.

In this scenario, we have a network that has a Windows 7 computer connected to it; the Creature of the Black Network Lagoon is also connected to this network. The network could be a free Wi-Fi connection that was open or at a local venue. The person on their Windows 7 computer is surfing the web, checking their email, bank account, personal cloud storage, etc. The Creature of the Black Network Lagoon is hungry and wants to feed, so it begins to scan the network in an attempt to locate a machine that is alive.

[Image 1]

Once it finds its prey, it begins to lurk and changes the way your free Wi-Fi is connecting to websites. It begins to take your traffic and forward it to the real gateway to the internet. As you can see below, the victim has an IP of 192.168.110.25 and the gateway is 192.168.110.1. The Creature takes the traffic, eats what it can and then sends it to where it was going.

[Image 2]
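A way to notice this redirection from the victim's side, as an added example that is not part of the original post. It assumes the Creature is poisoning the ARP cache (the post does not name the technique) and compares two snapshots in the format of Windows `arp -a` output; the MAC addresses and the host 192.168.110.40 are constructed.

```python
import re

# Constructed samples in the format of Windows `arp -a` output. The MACs and
# the host 192.168.110.40 are made up; the other IPs are the article's.
BEFORE = """\
Interface: 192.168.110.25 --- 0xb
  Internet Address      Physical Address      Type
  192.168.110.1         00-11-22-33-44-55     dynamic
  192.168.110.40        66-77-88-99-aa-bb     dynamic
  192.168.110.255       ff-ff-ff-ff-ff-ff     static
"""
AFTER = BEFORE.replace("00-11-22-33-44-55", "66-77-88-99-aa-bb")

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)

def parse_arp(text):
    """Return {ip: mac} for dynamic entries; header, static and broadcast rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def check_gateway(baseline, current, gateway):
    """Compare two ARP snapshots and list signs that the gateway entry was replaced."""
    old, new = baseline.get(gateway), current.get(gateway)
    if new is None:
        return [f"gateway {gateway} missing from ARP table"]
    findings = []
    if old and old != new:
        findings.append(f"gateway {gateway} MAC changed {old} -> {new}")
    # A second IP answering with the gateway's MAC is the host relaying the traffic.
    twins = sorted(ip for ip, mac in current.items() if mac == new and ip != gateway)
    if twins:
        findings.append(f"gateway MAC {new} also claimed by {', '.join(twins)}")
    return findings

if __name__ == "__main__":
    for finding in check_gateway(parse_arp(BEFORE), parse_arp(AFTER), "192.168.110.1"):
        print("ALERT:", finding)
```

The baseline snapshot has to be taken on a network state you trust; on an open Wi-Fi network joined for the first time, the duplicate-MAC check is the only one of the two that can fire.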

Depending on which browser you’re using, it might prevent the attack on certain sites, but not all sites are created equally. In the first example, the user navigates to www.msn.com using Internet Explorer and attempts to sign in. Don’t forget The Creature of the Black Network Lagoon is watching, but what has it done? At this moment the traffic the Windows 7 machine generates is flowing through the malicious machine and then sent to the internet. It has fooled everyone into thinking that the malicious machine is the exit point to the internet. But that’s not all it’s doing. In the background it’s also attempting to remove encryption. It’s taking your secure HTTPS traffic and replacing it with HTTP. But what does this mean, you ask? What is normally secure HTTPS traffic that sends your information encrypted is now being sent insecurely as HTTP traffic, which can be viewed in clear text. That’s right - your username and password are sent crystal clear now, readable by any human or extraterrestrial.

[Image 3: Internet Explorer]

[Image 4: The Creature of the Black Network Lagoon]

Other sites using the same browser prevent the attack. In the second attempt, navigating to www.facebook.com, we could not remove the HTTPS and my credentials remained safe.

[Image 5]

Our 3rd site takes us to www.login.comcast.net, which normally takes you to https://login.comcast.net/login, but this time the HTTPS was eaten by The Creature of the Black Network Lagoon. Internet Explorer and Chrome had the same unfortunate results: in both browsers, the Creature managed to eat the HTTPS and obtain the user credentials.

[Image 6: What you should have seen in the URL]

[Image 7: Internet Explorer]

[Image 8: The Creature of the Black Network Lagoon]

[Image 9: Chrome]

[Image 10: The Creature of the Black Network Lagoon]

Our 4th site lands us on https://app.box.com/login, or does it? Unfortunately, it landed me on http://app.box.com/login/. While attempting to view and upload some personal photos and private documents, I handed The Creature of the Black Network Lagoon the keys to my personal cloud storage. It wasn’t the first time The Creature of the Black Network Lagoon managed to obtain access to cloud storage. This happens more often than you think. That’s how some of these leaked videos, photos and documents end up on the internet. Depending on what you had stored, you could face embarrassment, financial loss, or backups of important data lost forever.

[Images 11 and 12: What you should have seen in the URL]

[Image 13: Internet Explorer]

[Image 14: The Creature of the Black Network Lagoon]

This is why being vigilant is always important, both at work and outside of work. This is not only to protect your employer, but your personal information as well. Out of the four sites, the Creature managed to obtain credentials from three. These results will always vary depending on your browser, the website and how secure your system is. While navigating the internet, always attempt to verify where you’re going, where you landed and whether anything looks out of the ordinary. Warning signs include a login page that is not encrypted with HTTPS, a URL that looks strange, or a certificate that does not match the site. If you’re still unsure, wait until you’re using a secure connection.
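The "where you landed" check from the paragraph above, written out as an added example that is not part of the original post. The function and class names are hypothetical and the page bodies are constructed, not the real site's markup; the URLs are the ones from the fourth test.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormFinder(HTMLParser):
    """Collect the action attribute of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self.in_form = False
        self.has_password = False
        self.current_action = ""
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form, self.has_password = True, False
            self.current_action = a.get("action") or ""
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            if self.has_password:
                self.actions.append(self.current_action)
            self.in_form = False

def audit_login_page(expected_url, landed_url, html):
    """Return warnings about cleartext exposure of a login page."""
    warnings = []
    if urlsplit(expected_url).scheme == "https" and urlsplit(landed_url).scheme != "https":
        warnings.append(f"expected HTTPS but landed on {landed_url}")
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    for action in finder.actions:
        # An empty or relative action inherits the scheme of the page it sits on.
        target = urljoin(landed_url, action)
        if urlsplit(target).scheme != "https":
            warnings.append(f"password form submits in cleartext to {target}")
    return warnings

# Constructed page bodies for illustration only.
STRIPPED = ('<form action="/login" method="post"><input name="login">'
            '<input type="password" name="password"></form>')
INTACT = ('<form action="https://app.box.com/login" method="post">'
          '<input type="password" name="password"></form>')
```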