The attacker/scammer will (most) likely choose the first option and simply take control of the victim's machine. In my opinion this is strange to give the "helper" (attacker/scammer) the option to choose what he wants to do with the "victim". The attacker has the choice to either take full control of the remote computer or simply view the screen without controlling any input devices. The attacker/scammer's "Quick Assist" will wait for a reply from the ".com" servers to initiate the next step of the process.Īfter some HTTP calls the attacker is prompted with the following window: Now we simply wait for the victim to put in the code and the victim will get a "waiting" screen. The victim will get an email that looks something like the screenshot above. (FUN FACT: you can put pretty much anything in the "code" parameter value) Now this is the first step that makes the "victim" seem confident he/she is talking to a real Microsoft Support representative.Ībove you can see the HTTP request, it's a JSON request with "destination" and "code" as the 2 parameters.
The sender of the mail is a legitimate Microsoft email address.
Interesting enough this mail is delivered without any information regarding the person who exactly is sending it. Now here things get interesting, since a scammer would like to make the victim believe that he is genuinely someone from Microsoft providing support he can choose the option to send the code via email. There are several ways to send this code as you can see above. Once you've logged in, Quick Assist will continue its HTTP requests (HINT: it's setting up an anonymous Skype Businness meeting room) and retrieve a security code which needs to be sent to the person/victim requiring assistance. In order to be able to assist a person you'll have to sign-in/up with a microsoft account. If we continue down that route you can see a bunch of HTTP requests going back and forth and you'll be finally asked to sign-in. You get 2 options, either provide assistance or request assistance.Īn attacker/scammer would obviously like to "assist" another person. Once you startup "Quick Assist" it looks as follows: I fired up Burp Suite and let everything pass through the proxy and started looking at the HTTP requests coming in. So I stumbled upon "Quick Assist" I was wondering if it was just MSRA repackaged in a fancy name.
As you may recall, last year i've found a quite simple vulnerability in Microsoft's Remote Assistance tool which allowed users to ask for assistance. Quick Assist User Spoofing (Vuln/Feature)Īs any researcher other would do, I started looking at the interesting features Microsoft added to Windows 10. Microsoft decided not to fix it since it needs high level of social engineering to exploit this vulnerability. This vulnerability allows attackers to impersonate Microsoft Support via the built-in remote support tool of Windows 10 named "Quick Assist".
0 kommentar(er)
