Address Book Phishing and Information Leakage

Firstly, let’s define phishing: “The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.” While most phishing attacks are done over the web, consider how they could be tailored to abuse email and local address books.

Let’s consider a scenario: a non-technical (and busy) receptionist or assistant (Alice) sends a number of emails on behalf of her pet executive to certain people outside the company. Assume an accountant, an insurance broker and some other highly paid but pointless consultant; you probably have about six names in your head right now :) For the sake of this example they are all publicly associated with the company (AGM meetings, stockholder lists or even just pages showing previous customers).

The villain of our story, the dastardly Bob, purchases a domain similar to the one used by one of our external parties, Carol. He then sends an email to Alice (getting the name of the financial controller’s PA isn’t that hard…) from this dodgy domain, with the sender name looking pretty much identical to Carol’s. Maybe an i is a 1, or something similarly awkward to notice. Bob then either plays it safe and asks an innocuous question, purely to get a reply (wait for it :)), or tries to social engineer his way into having Carol’s original details removed. The latter is riskier but makes the attack a lot more successful.

One day Alice takes some notes, types them up, cleans them up and then sends them to the external parties, including Carol. Since Alice has a nice, shiny and helpful mail client, it added the address (which was received and replied to) to its personal address book and offers it to her when she types in Car. In some cases it’ll even hide the entries offered by the global address book, which makes things even nastier. The auto-complete will pop up and most people will either select the top option out of habit or not even notice that there were multiple entries; muscle memory is a wonderful thing once you know how to exploit it.
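A defender-side check in the spirit of the scenario above, added here as an example and not part of the original post: it compares each outbound recipient’s domain against a list of trusted partner domains after collapsing the look-alike substitutions the story relies on (an i or l written as 1, 0 for o, rn for m) and flags anything that then matches or sits within one edit of a trusted name. The partner domains and addresses are constructed for the example.

```python
"""Flag outbound recipients whose domain is a near-match for a known partner
domain, as a last-line check before a mail client's autocomplete wins.
Added example; every domain and address below is constructed."""

# Characters an attacker swaps for visually similar ones ("an i is a 1").
# Each is mapped to a canonical character before comparison.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})
MULTI = [("rn", "m"), ("vv", "w")]  # two-character look-alikes

def skeleton(domain: str) -> str:
    """Collapse visually confusable characters to one canonical form."""
    s = domain.lower().translate(CONFUSABLES)
    for pattern, repl in MULTI:
        s = s.replace(pattern, repl)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute); fine for domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(recipients, trusted, max_distance=1):
    """Return (recipient, trusted_domain) pairs where the recipient's domain is
    not itself trusted but collapses to, or sits within max_distance edits of,
    a trusted domain's skeleton."""
    trusted = {d.lower() for d in trusted}
    trusted_skel = {skeleton(d): d for d in trusted}
    hits = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in trusted:
            continue  # exact, legitimate partner address
        skel = skeleton(domain)
        for tskel, tdomain in trusted_skel.items():
            if skel == tskel or edit_distance(skel, tskel) <= max_distance:
                hits.append((addr, tdomain))
                break
    return hits

if __name__ == "__main__":
    # Constructed sample: one genuine partner, one "1 for l" look-alike.
    partners = {"carol-accounting.example", "brokerage.example"}
    outgoing = ["carol@carol-accounting.example", "carol@caro1-accounting.example"]
    for addr, looks_like in lookalikes(outgoing, partners):
        print(f"WARNING: {addr} resembles trusted domain {looks_like}")
```

Run as a script it warns only about the caro1 address; the genuine partner address passes because it is an exact match and is skipped before any fuzzy comparison.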

Is this likely? Not really; it involves a lot of work for a difficult-to-execute attack. Could the local address book fiddling be added to an existing worm or malware to make it even worse? Quite easily. Still, it was fun to think through; it’s nice to be the (theoretical) attacker now and again.