Tag: hacking
Con the Conman … a true story
by Johan on Aug.12, 2010, under Spy Software, redpill Agent
One of my redpill Agent customers gave me some great feedback. She wanted to purchase a car and found a car online but halfway through the deal realized it was a scam. All she had was the person’s Yahoo email address. She used redpill Agent and got the login details of the person’s Yahoo account, a lot of personal information and a list of people who were involved in the scam.
This is how she did it …
First, she didn’t let them know that she had realized it was a scam. She then emailed them to say that she was ready to make another payment but wanted to use a different, more secure payment system.
In redpill Agent she chose 3 alert words that she knew the person would type (2 being money and car). She chose the BMI Calculator Cover application, but after she downloaded it she renamed the exe to EncryptedSelfExractor.exe. She zipped the file and emailed it to the scammer. In her email she said that the payment details and the needed reference number were in the attached encrypted file. She even gave a decryption password.
When the person opened the attachment they must have thought something was wrong or maybe they thought she made a mistake by zipping the wrong file as the BMI Calc must have opened … but it didn’t matter as the moment it opened redpill Agent was installed and started working.
Notes from redpill:
Analyzing data in redpill spy
by Johan on Jan.11, 2010, under Spy Software, redpill Spy
Analyzing data in redpill spy can be a lot of fun. Looking at the screenshots (see pic below) is straightforward and easy.

redpill spy
The fun comes in when you are analyzing the key log. redpill spy is also a keylogger that logs every key that is typed. Some key loggers will attempt to clean up the data for you, but this always leads to loss of data and sometimes of the important data you were looking for. redpill spy will do some clean up but will not do any translations that will lead to loss of data.
redpill spy will, for example, replace multiple backspaces with the number of times a backspace was pressed. This is important as a lot of users will hold the backspace key down to clear a word, especially a word in an input field (text box). When the backspace key is held down, the computer will translate that into the backspace being pressed multiple times. The number will depend on how long the key is held down.
Example:
Pazz[backpace][backpace]ssword can be translated as password. You can see that the user pressed the backspace twice to remove two characters. You simply remove the same number of characters before the backspaces as the number of backspaces that were pressed.
Pazz[Backspace x 8]Password. In this case the word can also be translated as password, as you can see the user was holding down the backspace to clear a word that was probably in an input field (text box).
Analyzing the data in a keylog can be a lot of fun and the more you work at it the better you get. After a while you will be able to spot a username and password combination from a distance.
How to protect yourself
by Johan on Dec.01, 2009, under Spy Software, redpill Spy
With so many different phishing attacks and spy software available, how do you protect yourself?
Protecting yourself from a phishing attack is fairly easy. Don’t trust any email that asks for personal information or money (usually promising that you will get a lot more in return). When you are asked to update information or log in, do not click on the link in the email. Instead, log into your bank or email account directly.
To protect your computer from spy software (key loggers) and hackers:
- Make sure you are up to date with your security patches for your operating system.
- Make sure your antivirus is up to date with the latest virus definition files.
- Don’t open any attachment or link in an email that you don’t trust 100%.
- When opening an attachment or link from someone you trust, don’t run any applications (Windows will prompt you and ask you if you trust the application). If you want to run an application, rather download it directly from a website you trust.
- Limit physical access to your computer to people you trust.
- Install monitoring software like redpill Spy on your computer. That way, you will know what was done on your computer when you were not there or when it goes in for repairs. With redpill Spy you will be able to see if they installed anything and what was installed.
- Make sure your children’s computers are protected and know what they are doing when they are on the internet. Children lack the experience to determine if something is legitimate or not. See my post on monitoring your children’s computers.
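A content-based check in the spirit of the attachment advice above, as an added example that is not code from this blog or from redpill: it inspects a zip attachment and flags any member whose bytes are a Windows executable, whatever the file is called, and reports password-protected members that cannot be inspected. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile


def looks_like_pe(head: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' header that points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", head, 0x3C)  # e_lfanew field
    return head[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def triage_zip(data: bytes, peek: int = 4096) -> dict:
    """Map each archive member to 'executable', 'encrypted' or 'ok'."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: content cannot be inspected
                verdicts[info.filename] = "encrypted"
                continue
            with zf.open(info) as member:
                head = member.read(peek)
            verdicts[info.filename] = "executable" if looks_like_pe(head) else "ok"
    return verdicts


def build_sample() -> bytes:
    """Constructed sample: a minimal PE-like stub under a neutral name, plus a text file."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("attachment.bin", bytes(stub))
        zf.writestr("readme.txt", "reference number enclosed")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in triage_zip(build_sample()).items():
        print(f"{verdict:10} {name}")
```

A mail gateway or help-desk script can quarantine anything reported as `executable` and hold `encrypted` members for manual review, since their content is hidden from scanners.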
Remote covert installations just became easier..
by Johan on Nov.20, 2009, under Spy Software, redpill Agent
A new cover application has been added to redpill Agent. A cover application is an application that you choose when using redpill Agent to install redpill Agent on a computer that you don’t have access to (for example when the computer is in another country).
The cover application will secretly install spy software on a computer while it’s doing something else. The new cover application is a BMI Calculator (Body Mass Index Calculator). It calculates your BMI and tells you if you are underweight, normal, overweight or obese.

BMI Calculator (Cover Application)
For more information on how a cover application is used see the post on social engineering.
Social Engineering
by Johan on Oct.07, 2009, under Spy Software, redpill Agent
redpill Agent allows you to remotely and covertly install spy software on a computer anywhere in the world. It allows you to choose from a list of cover applications (a program that gives the impression of doing something else while it secretly installs the spy software) that you can email to a target.
Just emailing the target the file and hoping for the best is not a good idea. Remember that if your first attempt is unsuccessful you will need to wait a few days or weeks before trying again to avoid making the target suspicious.
To improve your chances of success you will need to do some social engineering.
Example:
- Find out as much as possible about the target (interests, hobbies, etc).
- Create an alias with an email address and try to befriend the target using email, Facebook (or any other social networking site).
- At some stage, not at the beginning, mention how you managed to get rid of your computer performance problems using a great tool to clean up your registry.
- When the target asks about the tool, email him/her your registry cleaner (one of the cover applications in redpill Agent).
- The target will now be eager to run the application and will probably even contact you if he/she has any problems running it.
- While the target is busy typing you an email to thank you for your help, every key will be recorded and secretly emailed to you!
From that point on the computer will be monitored and you will receive key logs and screenshots.
Please remember to only monitor computers that you are legally allowed to monitor and remember to respect people’s privacy.