Organisations make huge investments in IT security, but often overlook a simple data leak: individual staff members' email addresses.
This might not seem very significant, but as businesses get their technical security in order, hackers are having to resort to other methods to gain access. These often include targeted phishing attacks to specific end users that generally bypass mail filters. If the user clicks on a link, they may unwittingly open themselves up to installation of a back door.
Targeted phishing attacks need target email addresses, so here are some examples of how you might get some.
Simply search Google for "@domain.com", where "domain" is the name of the organisation. Google indexes newsgroups, websites, and even email addresses in the public domain.
Any of your employees who have used their work email on an indexed site will have had their addresses cached by Google. Similarly, if you publish email addresses on your corporate website, these too will be indexed.
We did this type of search across some of the domain names used by large UK companies, with interesting results. Starting with the FTSE top ten, we Googled the corporate email domain name and found that, on average, 105 staff email addresses were indexed by Google.
Taking aliases into account, the average across the FTSE top ten was 162 addresses, and 65 per cent of those were individuals' email addresses. Using aliases is one way to limit this kind of email address disclosure.
It doesn't actually stop the email from reaching the recipient; it only prevents the recipient's name from being disclosed. The top result had nearly 60 per cent of email addresses disclosed as aliases; the worst had only 20 per cent as aliases.
Of course, Google doesn't index everything, and there are many factors that influence the results of this rather basic survey. But one thing is clear: organisations aren't very good at concealing individuals' email addresses. And employees aren't helping by using their work email addresses on publicly indexable websites such as forums.
In less than a day of simplistic automated searching, looking at only ten companies, we had built up a list of 1,047 email addresses. These have value on the black market; as well as being used for spam, they are a great start for social engineering or a targeted attack.
Security policies should deal with protection of work email addresses. These should never be used by staff making postings on the web, to forums, to online retailers, anywhere.
IT staff are one of the most common sources of disclosure: someone is configuring a new corporate firewall, for example, and hits a problem. In desperation, they make a posting to a technical newsgroup dealing with that brand of hardware. To speed up the process, they add their work email address, so that replies come direct.
Even aliases aren't the ideal solution. It would be far better to use a personal email address set up specifically for online postings. Yahoo!, Google, MSN etc all have free web mail, so why not use it?
We did another survey looking at the largest 100 online retailers in the UK. We wanted to see whether it is possible to mine customers' email addresses out of the "forgotten password" feature on the login pages for customer shopping carts and accounts.
Essentially, a technique called "enumeration" is used: if someone forgets the password to log in to their account, the form asks for their email address. If the address is correct, the password is sent to them. If it is incorrect, an error is usually displayed. By submitting large numbers of potential email addresses to these forms, any response that isn't an error indicates that the submitted email address is valid.
More than half of the retailers we tried had exactly this problem. How easy it would be to run a scripted attack against them, mining their customers' email addresses.
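As an added illustration (not code from the original article), here is a minimal "forgotten password" handler in the enumerating form described above, beside a hardened form that answers identically whether or not the address is registered. The account list, reply messages and outbox are constructed for the example.

```python
import secrets

# Constructed sample account store for the example: address -> account id.
ACCOUNTS = {"alice@example.com": 1, "bob@example.com": 2}

# Constructed outbox standing in for the mail system.
OUTBOX = []


def deliver_reset(email, token):
    """Stand-in for sending a reset link; records what would have been mailed."""
    OUTBOX.append((email, token))


def forgot_password_leaky(email, send_mail=deliver_reset):
    """Enumerating form: the reply reveals whether the address is registered."""
    if email in ACCOUNTS:
        # The sites in the article mailed the password itself; a reset token stands in here.
        send_mail(email, secrets.token_urlsafe(32))
        return "Your password has been emailed to you."
    return "Error: no account with that email address."


def forgot_password_uniform(email, send_mail=deliver_reset):
    """Hardened form: identical reply, and similar work, for any address."""
    token = secrets.token_urlsafe(32)  # generated on both paths, not only for known users
    if email in ACCOUNTS:
        send_mail(email, token)
    # Unknown addresses get no mail, but the caller cannot tell that from the reply.
    return "If that address is registered, a reset link has been sent to it."


def responses_distinguishable(handler, known, unknown):
    """Defender's check: do a registered and an unregistered address get different replies?"""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (forgot_password_leaky, forgot_password_uniform):
        print(handler.__name__, "reveals account existence:",
              responses_distinguishable(handler, "alice@example.com", "nobody@example.com"))
```

In a real deployment the uniform reply should be combined with rate limiting and logging of reset requests, since a uniform message alone does not stop high-volume probing.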
Corporates clearly aren't too hot at protecting even their staff members' email addresses, so, one could ask, what hope have we got as customers?
Don't post your email
By Ken Munro, on Jun 19, 2007 1:43PM