Social Engineering Through the Inbox
Just wanted to take a quick look at some social engineering techniques today.
I received an e-mail a while back that would have been a social engineer’s dream. Surprisingly, it wasn’t the main message content that was so revealing; it was the header of the e-mail. The sender inadvertently put about 50 e-mail addresses in the “To:” field instead of the “Bcc:” (blind carbon copy) field.
If the addresses had been in the “Bcc:” field, I would not have been able to see them. But because they were in the “To:” field, I could read each and every one of them. And who were they? Employees of big-name companies in the US. Not a big deal, you say? Well, here are some reasons why it is a big deal.
Most e-mail addresses now use the user’s last name and first initial, so it wouldn’t be hard to run a search with Google and Maltego to find a whole lot of information on each user for use in social engineering attacks.
Most corporate users’ e-mail addresses are the same as their login names, so I now have a list of valid login names. I hope they didn’t use simple passwords.
The open source intelligence search may bring up nothing of value, and if they used complex passwords, that would be a dead end too. But, interestingly enough, I already have all the information I need from the e-mail itself. I know what service the users have signed up for, and that they are expecting news, updates and seminar information from it. It would be very easy to spoof an e-mail, and since I know they would be looking for that e-mail, the chance that they would click on an evil link would be very high.
And it would only take one wrong click to let a malicious program give full access to a machine on the inside of a corporate network. I guess the moral of this story is to be careful with the information that you give out. And to continue my constant mantra: do not click on links in e-mails. I know this was a mistake, but it could be a costly one. Oh, in case you were wondering, the e-mail came from a big-name computer security training company.
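As an added example (not code from the original post), here is the kind of pre-send check an outbound mail gateway or client add-in could run to catch exactly this mistake: it parses the message headers, counts the recipients every reader can see, and flags a bulk mailing to many unrelated domains that should have gone out via Bcc:. The sample messages, domain names and thresholds are constructed assumptions.

```python
"""Recipient-disclosure check for outbound mail (added example, not the post's code)."""
from email import policy
from email.parser import BytesParser

MAX_VISIBLE_RECIPIENTS = 10   # assumption: beyond this, a bulk mailing belongs in Bcc:
MAX_EXTERNAL_DOMAINS = 3      # assumption: more unrelated companies than a normal thread

# Constructed sample: the post's mistake, many companies listed openly in To:/Cc:.
LEAKY_MSG = b"""From: news@example-trainer.test
To: jsmith@acme-corp.test, rjones@acme-corp.test, mlee@bigbank.test,
 tnguyen@megaretail.test, pkumar@globalpharma.test
Cc: dwhite@bigbank.test
Subject: Seminar schedule update

See attached.
"""

# Constructed sample: same mailing done correctly, recipients hidden in Bcc:.
SAFE_MSG = b"""From: news@example-trainer.test
To: news@example-trainer.test
Bcc: jsmith@acme-corp.test, mlee@bigbank.test, tnguyen@megaretail.test
Subject: Seminar schedule update

See attached.
"""


def visible_recipients(raw: bytes) -> list[str]:
    """Addresses every recipient can read: To: and Cc: only, never Bcc:."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    addrs = []
    for header in ("To", "Cc"):
        for hdr in msg.get_all(header, []):
            addrs.extend(a.addr_spec.lower() for a in hdr.addresses)
    return addrs


def disclosure_findings(raw: bytes, sender_domain: str) -> dict:
    """Summarise what the visible headers expose and whether to hold the message."""
    addrs = visible_recipients(raw)
    domains = {a.rsplit("@", 1)[-1] for a in addrs if "@" in a}
    external = sorted(d for d in domains if d != sender_domain.lower())
    # The post's point: address local part is often the account login name.
    login_candidates = sorted(a.split("@", 1)[0] for a in addrs)
    block = len(addrs) > MAX_VISIBLE_RECIPIENTS or len(external) > MAX_EXTERNAL_DOMAINS
    return {
        "visible_recipients": len(addrs),
        "external_domains": external,
        "exposed_login_candidates": login_candidates,
        "block": block,
    }
```

A gateway would hold a message where `block` is true and ask the sender to move the list to Bcc:; the same function run over archived headers shows what an earlier mistake already disclosed.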
~ by D. Dieterle on July 13, 2010.