Monday, September 29, 2014

How to get the IP logs of links, or how to mix evil QR code with live IP tracking via the Internet




Tools for URL included tracking
http://blasze.tk
http://bit.do

For legit cover:

http://mcaf.ee
http://ow.ly/url/shorten-url
tinyurl.com
Here you can find some info about bad QR

https://appsec-labs.com/portal/security-assessment-of-mobile-qr-readers-%E2%80%93-a-comparison/
http://www.zdnet.com/blog/security/hackers-using-qr-codes-to-push-android-malware/9522
http://www.h-online.com/security/news/item/Android-trojan-hides-behind-QR-code-1353160.html

I like the idea of mixing the tracking of the victim IP with evil QRs
Warning:The example included live tracking of your IP.
For my example,I decided to take an article, about the new uses of QRs in Israel,this to get history background about the street names:

http://www.israelhayom.co.il/article/222131

lets make it short

http://mcaf.ee/jk7p0

until now it's seems legit..
now its the time to track it:

hXXp://blasze.tk/JSHM7K
 
from here you can track logs:

http://blasze.tk/track/WAUURZ/

Lets cover it with another shorten url service

hXXp://ow.ly/C5MTg

alternative (included QR ad a bonus)

hxxp://bit.do/ONE-PLUS-ONE-FREE-INVITE

From here you can track the logs

hXXp://bit.do/ONE-PLUS-ONE-FREE-INVITE-

Next step,lets see what Facebook did to my link

Sept. 29, 2014, 9:54 p.m. 37.187.88.123 Click to Map 37.187.88.123 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11 ns3367955.ip-37-187-88.eu
Sept. 29, 2014, 9:59 p.m. 31.13.102.122 Click to Map 31.13.102.122 facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
Sept. 29, 2014, 9:59 p.m. 31.13.102.122 Click to Map 31.13.102.122 facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
Sept. 29, 2014, 9:59 p.m. 31.13.102.118 Click to Map 31.13.102.118 facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)


Solutions:
Be paranoid

Ill mention couple of services,which might be helpfull:

1. Unfurlr
(track the link redirecting
unfurlr.com
http://itunes.apple.com/us/app/unfurlr/id522402427?mt=8
https://play.google.com/store/apps/details?id=com.mailchimp.unfurlr&feature=nav_result#?t=W251bGwsMSwxLDMsImNvbS5tYWlsY2hpbXAudW5mdXJsciJd
2.Secure QR reader (you can read AppSec article)
3.https://www.virustotal.com
(focus on viruses more then tracking)
4.http://onlinelinkscan.com/(focus on viruses more then tracking)


P.S

As a tip, you might use an Iphone apps for emails, which allows you to track the reader IP, it's called iTrackMail.
Doing so,can give you the Geolocation of the target.

The solution,is to block images view in your iPhone/Android or any other phone. (as well as in your PC)

https://itunes.apple.com/app/id533886215?mt=8&ign-mpt=uo%3D4mail.com

No comments:

Post a Comment