Pretending to be a visitor, the attacker starts a co-browsing session and tries to inject malicious script code into the DOM (Document Object Model). Their hope is that it’s transmitted when the Collaboration Server replicates the visitor’s web page structure on the agent’s computer. Because the agent is in the company’s intranet, the attacker hopes to gain access to internal computers, or to the agent’s username and password, by displaying a login window on the agent’s computer.
The Collaboration Server removes all executable code before it transmits the DOM to the agent. It removes the following elements:
HTML attributes that may contain executable code, such as
Object, Embed and Applet tags (this can be configured).
CSS elements that may contain scripts.
Any CSS code it doesn’t recognize as valid and safe.
The attacker puts a file with malicious code on a web server and then tries to send the agent a link to that file, hoping the agent will download the file and execute the code. In a co-browsing session, the visitor’s web page is displayed on the agent’s computer by replicating the web page structure (the DOM, or Document Object Model). So the attacker tries to modify a link in the DOM so that it points to the malicious file.
How the file is executed depends on the level of sophistication of the attack. For example:
If the file contains executable code, the attack requires little sophistication. However, the agent has to agree to download the file and then must manually execute it.
If the file contains rich media (such as a PDF file), the attack requires sophistication, because PDF files are secured against known methods of inserting code. The agent still has to download and open the file, but may be unaware that it contains executable code.
If the file is a simple media file (such as an image file), the attack requires a high degree of sophistication, because images usually can’t contain code, and browsers are thoroughly tested against this type of attack. However, images are loaded automatically by the browser, which facilitates the execution of the attack.
How we prevent link attacks
In a secure setup, the Collaboration Server never transmits an image or file from the internet to the agent’s computer. Instead, it only accepts the company web server as a trusted source. The Collaboration Server will attempt to load all resources that the agent requires from the company web server. If a resource isn’t available, the Collaboration Server simply doesn’t display anything. Thus, a malicious link will simply result in a failed request to the Collaboration Server.
To prevent this kind of attack, the Collaboration Server considers the company’s web server a trusted source. However, if an attacker can place a malicious file on the company’s web server, then the Collaboration Server will transmit it to the agent during a co-browsing session. If visitors can upload files to your web server, make sure that the Collaboration Server and your agents don’t have access to these files.
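The trusted-source rule and the upload caveat above can be expressed as a single check on every resource reference found in the replicated DOM. This is an added example, not Unblu's code or configuration: the origin https://www.example.com, the /uploads/ prefix, and the function names are assumptions.

```javascript
// Added example, not Unblu code. All names and values below are assumptions.
const TRUSTED_ORIGIN = 'https://www.example.com'; // assumed company web server
const BLOCKED_PREFIXES = ['/uploads/'];           // assumed visitor-upload area

// Resolve a reference found in the replicated DOM against the page URL.
// Returns the absolute URL to request from the trusted server, or null when
// nothing should be loaded (the agent then simply sees no resource).
function resolveTrustedResource(rawRef, pageUrl) {
  let url;
  try {
    url = new URL(rawRef, pageUrl); // also normalises "../" path segments
  } catch {
    return null; // unparsable reference
  }
  if (url.protocol !== 'https:') return null;     // javascript:, data:, http:
  if (url.username || url.password) return null;  // "trusted@other-host" forms
  if (url.origin !== TRUSTED_ORIGIN) return null; // exact scheme+host+port match
  const path = url.pathname.toLowerCase();
  if (BLOCKED_PREFIXES.some((p) => path.startsWith(p))) return null;
  return url.href;
}

// Constructed sample references, as they might appear in a visitor's DOM.
const PAGE_URL = 'https://www.example.com/products/index.html';
const SAMPLE_REFS = [
  '/img/logo.png',
  '../css/site.css',
  'https://attacker.example/invoice.pdf',
  '//attacker.example/pixel.png',
  'https://www.example.com.attacker.example/a.png',
  'https://www.example.com@attacker.example/a.png',
  'https://www.example.com:8443/a.png',
  'http://www.example.com/img/logo.png',
  'javascript:void(0)',
  '/static/../uploads/report.pdf',
];

// Pair each reference with its decision so callers can log or audit drops.
function checkAll(refs, pageUrl) {
  return refs.map((ref) => [ref, resolveTrustedResource(ref, pageUrl)]);
}

for (const [ref, result] of checkAll(SAMPLE_REFS, PAGE_URL)) {
  console.log(result ? 'LOAD' : 'DROP', ref);
}
```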
Can this link attack succeed in the Unblu Cloud?
In the Unblu Cloud, this attack is technically possible if the agents can freely access the Internet from their computers. However, the attack requires sophistication from the attacker, and doesn’t represent a more serious threat than sending a link in an email message.