Before we begin – let me preface this whole post with the fact that for this to work – there would need to be some sort of access gained to the scammer's computer – it's a fine line regarding legality, but since they accepted the AnyDesk connection they only have themselves to blame.
All the details
As always, don't try this one at home, kids; this is for educational purposes only. Now that that's out of the way, let's get into it.
Ever wondered why you're always told to cover up your webcam? This is a prime example of why, and also of how a bit of cleverness can get around the small slider in front of the lens, or in most cases a piece of tape. It all happened during a yearly event called “The People’s Call Centre,” where a group of people go after scammers pretending to be Microsoft support, the kind of criminals who aim to snatch your grandparents’ money.
During this event, our friend in the field, John Hammond, came up with a nifty trick to persuade these scammers to slide open their webcam covers and show their faces: a fake “webcam overheating” alert. It's a satisfying way of turning the tables on these criminals.
Let's take a closer look at that popup:
How very sneaky indeed – let’s begin the process to replicate this.
Creating an executable to notify the user their webcam is overheating:
Step 1: Setting Up Your Development Environment
Before we begin coding, make sure you have a development environment with a C compiler that targets Windows (GCC via MinGW, or MSVC) and, optionally, an IDE such as Microsoft Visual Studio.
Step 2: Creating a New Project
Create a new Windows Desktop application project (not a console project) in your IDE. This gives us a WinMain entry point and, because the executable is linked for the Windows GUI subsystem, no console window will appear next to our fake alert.
Step 3: Including Necessary Headers
At the top of the program we include the windows.h header, which declares the Windows API functions we need: the message box, the hook functions, thread creation and the message loop.
#include <windows.h>
Step 4: Defining a Global Hook
Next, we define a global variable to hold the handle to our mouse hook. We will install a low-level mouse hook (WH_MOUSE_LL); unlike the older global WH_MOUSE hook it does not need a separate DLL injected into other processes, yet it still sees and can block mouse events system-wide. The handle is global because both the hook procedure (for CallNextHookEx) and the thread that removes the hook need it.
HHOOK g_hMouseHook;
Step 5: Implementing the Mouse Hook Procedure
We create the hook procedure that Windows calls for each low-level mouse event. When nCode is HC_ACTION and the event is a mouse move (WM_MOUSEMOVE), we swallow it by returning a non-zero value, which stops the event from reaching the rest of the hook chain and the target window, so the pointer appears frozen. Every other event (clicks, wheel) is passed along with CallNextHookEx so the rest of the system keeps working.
Step 6: Crafting a Thread Function
To keep the message box responsive while the mouse is blocked, we put the hook on its own thread. There is a catch that is easy to miss: a WH_MOUSE_LL hook procedure is called in the context of the thread that installed it, and Windows delivers each event by sending a message to that thread, so the thread must run a message loop while the hook is in place. If the thread simply sleeps, the hook procedure never runs; each mouse event stalls until the LowLevelHooksTimeout expires and, on Windows 7 and later, the system then silently removes the hook. Our thread therefore installs the hook, pumps messages for 5 seconds, and then removes the hook, resuming normal mouse operation.
Step 7: Writing the WinMain Function
Here we write the WinMain function, the entry point of a Windows GUI application. Inside it:
We spawn a new thread running our BlockInputThread function, so the mouse is blocked while the alert is on screen.
If thread creation fails, we tell the user through a message box and exit.
We then show the fake “webcam overheating” alert. We call MessageBoxA explicitly: the strings are narrow (char) literals, and in a default Visual Studio project UNICODE is defined, so the plain MessageBox macro would resolve to MessageBoxW and the code would not compile.
Finally, we wait for the blocking thread to finish before closing its handle, so the process terminates cleanly without lingering threads.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    HANDLE hThread = CreateThread(NULL, 0, BlockInputThread, NULL, 0, NULL);
    if (hThread == NULL) {
        MessageBoxA(NULL, "Failed to create thread", "Error", MB_ICONERROR | MB_OK);
        return 1;
    }
    MessageBoxA(NULL, "Your webcam is overheating! Remove your webcam cover before the temperature affects your device.", "ALERT: Webcam Error", MB_ICONERROR | MB_OK);
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    return 0;
}
So this is what our final code should look like:
#include <windows.h>

// Handle to the low-level mouse hook. Global because the hook procedure
// (for CallNextHookEx) and the thread that removes the hook both need it.
HHOOK g_hMouseHook = NULL;

// Called by Windows for every low-level mouse event. Returning a non-zero
// value swallows the event; everything else must go to CallNextHookEx.
LRESULT CALLBACK MouseHookProc(int nCode, WPARAM wParam, LPARAM lParam) {
    if (nCode == HC_ACTION && wParam == WM_MOUSEMOVE) {
        return 1; // drop pointer movement so the cursor appears frozen
    }
    return CallNextHookEx(g_hMouseHook, nCode, wParam, lParam);
}

DWORD WINAPI BlockInputThread(LPVOID param) {
    MSG msg;
    DWORD start, elapsed;
    (void)param;

    // Install the hook. WH_MOUSE_LL needs no DLL, but Windows delivers its
    // events by sending a message to the installing thread, so this thread
    // must pump messages for as long as the hook is in place.
    g_hMouseHook = SetWindowsHookEx(WH_MOUSE_LL, MouseHookProc, GetModuleHandle(NULL), 0);
    if (g_hMouseHook == NULL) {
        return 1;
    }

    // Run a message loop for 5 seconds (5000 milliseconds) - change this to as long as you want
    start = GetTickCount();
    while ((elapsed = GetTickCount() - start) < 5000) {
        // Sleep until there is input to process or the time is up
        MsgWaitForMultipleObjects(0, NULL, FALSE, 5000 - elapsed, QS_ALLINPUT);
        while (PeekMessage(&msg, NULL, 0, 0, PM_REMOVE)) {
            TranslateMessage(&msg);
            DispatchMessage(&msg);
        }
    }

    // Unhook the mouse hook, restoring normal mouse movement
    UnhookWindowsHookEx(g_hMouseHook);
    g_hMouseHook = NULL;
    return 0;
}

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    (void)hInstance; (void)hPrevInstance; (void)lpCmdLine; (void)nCmdShow;

    // Create a separate thread for input blocking
    HANDLE hThread = CreateThread(NULL, 0, BlockInputThread, NULL, 0, NULL);
    if (hThread == NULL) {
        MessageBoxA(NULL, "Failed to create thread", "Error", MB_ICONERROR | MB_OK);
        return 1;
    }

    // Display the message box in the main thread. MessageBoxA is used so the
    // narrow string literals compile whether or not UNICODE is defined.
    MessageBoxA(
        NULL,
        "Your webcam is overheating! Remove your webcam cover before the temperature affects your device.",
        "ALERT: Webcam Error",
        MB_ICONERROR | MB_OK
    );

    // Wait for the BlockInputThread to finish, then clean up
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    return 0;
}
Step 8: Compilation and Execution
Compile the program as a Windows (GUI subsystem) application so that no console window appears alongside the alert. In Visual Studio a Windows Desktop project already links with /SUBSYSTEM:WINDOWS. With MinGW's gcc.exe, assuming the source is saved as webcam.c, the equivalent is: gcc webcam.c -o webcam.exe -mwindows – the -mwindows flag selects the Windows subsystem. Once compiled, run the program to see the notification and the input blocking happen at the same time.
Once the program runs, the alert pops up and the mouse pointer stays frozen for the five seconds the hook is in place, which makes the “overheating” story more believable. Note: installing global hooks and blocking mouse input like this can have some interesting outcomes – don't blame me if it causes problems on your machine. As far as I am concerned, it works on my machine.