Vpn Fishing
1 min readJuly 14, 2020
vpn
phishing
hack
Recently I encountered an interesting scenario where a link I clicked on a link in an email local to our VPN opened a public website. Link was similar to
swarm/changes/674362
Now, I was expecting some diff of files described in the mail but I found completely different stuff and I checked whether I am connected to the VPN or not. As you might expect, I was not. Some time later I thought we can use this to trick people to get their credentials for swarm. If you got the credentials, and if they are same as the NT credentials, (… think of the bad things you can do on your own)
A simpler explanation with Alice and Bob
-
Alice (A bad girl) has set up a public website with DNS name
xyz
which mimicks a site in VPN which both Alice and Bob can access (It’s not mandatory that, Alice should have access to it) - Alice sends an email to Bob which contains a protected url as below
xyz/foo/bar
-
Here it is assumed that, xyz is a site available in VPN as well as on the internet.
-
If Bob is connected to VPN and opens the URL, he will hit the local (present in the VPN) site and things will go well
- If Bob is not connected to VPN he will connect to the public website (URL in the address bar will still be same) and he will enters his credentials to access /foo/bar and will be compromised.
How can one protect themselves?
- Orgs can WARN their employees when they visit public sites (or block these sites) whose DNS names match the local site DNS names.