Small Mosaic




Search Unixdaemon.net (+blog)
Search WWW

Categories:

/books
/career
/codinghorrors
/events
/geekstuff
/justdont
/languages
/languages/bash
/linkshot
/magazines
/meta
/misctech
/movies
/nottech
/operatingsystems
/operatingsystems/linux
/operatingsystems/linux/debian
/operatingsystems/solaris
/perl
/presentations
/programming
/python
/ruby
/security
/security/apache
/security/tools
/serversmells
/services
/services/dns
/sites
/specifications
/sysadmin
/testing
/tools
/tools/commandline
/tools/firefox
/tools/gui
/tools/network
/tools/online
/tools/online/greasemonkey
/tools/puppet
/unixdaemon

Archives:

July 20111
June 20112
May 20113
April 20112
March 20117
January 20111
December 20103
November 20103
August 20101
July 20101
June 20104
May 20102
April 20101
March 20108
February 20101
January 20102
Full Archives

Thu, 10 Mar 2005

Address Book Phishing and Information Leakage
Firstly let's define Phishing, "The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft." While most phishing attacks are done over the web consider how they could be tailored to abuse email and local address books.

Lets consider a scenario, a non-technical (and busy) receptionist or assistant (Alice) sends a number of email's from her pet executive to certain people outside the company. Assume an accountant, insurance broker and some other highly paid but pointless consultant, you probably have about six names in your head right now :) For the sake of this example they are all public members of the company (AGM meetings, stockholders or even just pages showing previous customers).

The villain of our story, the dastardly Bob, purchases a domain similar to the one used by one of our external parties, Carol. He then sends an email to Alice (getting the name of the financial controllers PA isn't that hard...) from this dodgy domain with the name looking pretty much identical to Carols. Maybe an i is a 1 or something similar but awkward to notice. Bob then either plays it safe and just asks an innocuous question just to get a reply (wait for it :)) or tries to social engineer his way into having Carols original details removed. This is risky but makes the attack a lot more successful.

One day Alice takes some notes, types them in, cleans them up and then sends them to the external parties, including Carol. Since Alice has a nice, shiny and helpful mail client it added the address (which was received and replied to) to it's personal address book and offers it to her when she types in Car. In some cases it'll even hide the ones offered by the global address-book and allow you to get even nastier. The auto-complete will pop-up and most people will either select the top option out of habit or not even notice that their were multiple entries, muscle memory is a wonderful thing once you know how to exploit it.

Is this likely? Not really, it involves a lot of work for a difficult to execute attack. Could the local address book fiddling be added to an existing worm or malware to make it even worse? Quite easily. Still it was fun to think through; it's nice to be the (theoretical) attacker now and again.

Like this post? - Digg Me! | Add to del.icio.us! | reddit this!

Posted: 2005/03/10 20:37 | /security | Permanent link to this entry | This entry and same date

books career codinghorrors events geekstuff justdont magazines meta misctech movies nottech operatingsystems/linux operatingsystems/linux/debian operatingsystems/solaris perl programming python ruby security security/apache security/tools serversmells services/dns sites sysadmin testing tools tools/commandline tools/firefox tools/gui tools/network tools/online tools/online/greasemonkey tools/puppet unixdaemon

Copyright © 2000-2010 Dean Wilson XML feed logo