This article is a follow-up to my earlier post on using MikroTik as a “credential harvester”: MikroTik mAP Lite – phishing – smallest credential harvester.
I have finally managed to collect all the data from one of my previous projects. Despite having little free time and a small budget, I am stunned by how many people swallowed the bait and (hopefully) learned a lesson. To achieve this I needed the help of my friends, who took my little devices with them to different events, for which I am grateful.
As soon as I gathered all the data and ran some scripts to get the results I was really surprised, although I was expecting big numbers right after releasing those mAP Lites at some big conferences. Finally – it was a lot of work: I had to create login websites (mostly in a rush) which looked valid and were related to the current events. One of the most interesting places where I planted my device was the advertising stand of a company related to renewable energy sources. The MikroTik has a magnetic bottom which allowed me to easily attach it to the steel frame. After an hour I came back to collect my harvester and found out that the stand wasn't there. They had moved it to a conference room, next to the projector screen. I double-checked the agenda of the conference, waited 10 minutes eating a quick dinner in a nearby canteen, and during the coffee break I entered the conference room and took the device with me. I suppose a guy in a t-shirt with a Half-Life logo wandering around a room filled with men and women ‘in black’ could look suspicious, but... no one asked any questions.
Let's start with a chart which shows where the harvesters were planted most often. The devices were deployed in two countries and 4 voivodeships. The project lasted about 5 months.
Events where the awareness-raising campaign took place.
The harvester was most efficient when planted at conferences – that's obvious. Some conference rooms had poor GSM signal, which forced people to use a ‘free’ hotspot instead of their data plan. Second place is definitely taken by shopping centres. Lots of young people willingly and unconsciously participated in my project. As an interesting fact I may say that some ‘stubborn’ victims kept trying to log in with their credentials, despite (!) being shown the notification about how they could just lose their login and password. The winner in this case was a user who tried to log in nine times... so desperate for Internet, hehe. It's funny and alarming at the same time.
Unfortunately such behaviour was not an isolated incident. I did not count how many people did that, but I'd say it was about 10% of the people who provided their login data. Here you can take a look at a chart which shows what content they tried to reach anyway. Scary...
Users tried to reach this content even though they were shown a warning message.
Only for the sake of my curiosity I combined the data to show you which vendors' devices connected most often to the fake AP. This relates to all AP clients – not only those who swallowed the bait and gave away their login and password in plain text to an unknown network. Another interesting fact – there were some devices with spoofed MAC addresses (like be:ef:be:ef:be:ef and so on...) and some people entered a false login and password combination because, surely, they were aware of the danger. My MikroTik devices also suffered three SSH brute-force attacks 🙂 I had a lot of fun looking through the logs because somehow they told interesting stories (association -> false data input -> brute force).
Vendors whose devices connected most often.
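The vendor chart above was produced from the access point's association logs. As an added example (not the author's script), here is how such a tally can be done and how obviously spoofed or randomized addresses like be:ef:be:ef:be:ef can be separated from real vendor prefixes: the "locally administered" (U/L) bit of a MAC address is bit 1 of the first octet, and a vendor never sets it in a burned-in address. The log lines, the OUI prefixes and the vendor names below are constructed placeholders; a real analysis would use the full IEEE OUI registry and the actual log export.

```python
"""Tally client vendors from hotspot association logs and flag
locally administered (randomized or spoofed) MAC addresses.

Added example, not the post author's code. Log lines, OUI prefixes
and vendor names are constructed placeholders.
"""
import re
from collections import Counter

# Constructed sample log lines (not from the post). Each one carries the
# MAC address of a client that associated with the access point; one
# client appears twice to show that re-associations are de-duplicated.
SAMPLE_LOG = """\
10:01:12 wireless,info 00:11:22:aa:bb:01@wlan1: connected
10:01:40 wireless,info 00:11:22:aa:bb:02@wlan1: connected
10:02:05 wireless,info 00:33:44:aa:bb:03@wlan1: connected
10:02:30 wireless,info be:ef:be:ef:be:ef@wlan1: connected
10:03:00 wireless,info 02:00:00:aa:bb:cc@wlan1: connected
10:03:15 wireless,info 00:11:22:aa:bb:01@wlan1: connected
10:04:00 wireless,info 00:99:99:aa:bb:ff@wlan1: connected
"""

# Hypothetical OUI table (first three octets -> vendor). The real mapping
# comes from the IEEE OUI registry; these prefixes are placeholders.
OUI_TABLE = {
    "00:11:22": "VendorA",
    "00:33:44": "VendorB",
}

# Matches a MAC written with ':' or '-' separators anywhere in a log line.
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so prefixes compare reliably."""
    return mac.lower().replace("-", ":")


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 in the first octet) is set.

    A set bit means the address was assigned by software (privacy
    randomization, a manual override or a deliberate spoof), so it
    cannot be attributed to a hardware vendor.
    """
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def vendor_of(mac: str, table=OUI_TABLE) -> str:
    """Map a MAC to a vendor name, 'locally administered' or 'unknown'."""
    mac = normalize_mac(mac)
    if is_locally_administered(mac):
        return "locally administered"
    return table.get(mac[:8], "unknown")


def extract_clients(log_text: str) -> set:
    """Unique client MACs seen in the log (repeat associations collapse)."""
    return {normalize_mac(m.group(1)) for m in MAC_RE.finditer(log_text)}


def tally_vendors(log_text: str, table=OUI_TABLE) -> Counter:
    """Count unique clients per vendor bucket."""
    return Counter(vendor_of(mac, table) for mac in extract_clients(log_text))


if __name__ == "__main__":
    for vendor, count in tally_vendors(SAMPLE_LOG).most_common():
        print(f"{vendor:22s} {count}")
```

Counting unique addresses rather than log lines matters: a single phone that roams in and out of range can associate dozens of times, and counting lines would make its vendor look far more common than it is. Addresses in the "locally administered" bucket are exactly the ones (like be:ef:be:ef:be:ef) that the post mentions as spoofed, plus any modern phones using randomized Wi-Fi addresses, so that bucket should be reported separately rather than folded into "unknown".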
Let's sum things up. As you can see on this chart, about 16% of people freely and without any hesitation pushed their unencrypted credentials (login and password) to an unknown, unsecured network.
Experiment results. Alarming. 16% – leaving that without a comment.
At the end, some more interesting and funny facts. The devices managed to collect e-mails and telephone numbers in the logs, as well as insults :). The red warning message which I presented to people who provided their login data also contained an e-mail address to leave feedback. Not a lot of them, but I got two e-mails with threats, one regarding a court hearing, five messages with thanks and one... let's call it a ‘notification’. The author of this message complains that, despite entering correct login data, he does not have access to the Internet [!].
Send this link to your friends; maybe it will help raise awareness, teach people how to react properly and avoid trouble.