Message-Id: <BD01D3F8-F046-4E1E-8D47-9F84BF5412A2@beskerming.com>
Date: Fri, 26 Jan 2007 00:41:29 +1030
From: Sûnnet Beskerming <info@...kerming.com>
To: full-disclosure@...ts.grok.org.uk
Subject: A Recent Phishing Evolution?

Hello List(s),

An interesting evolution in the use of professional and social  
networking sites as a means to build trust between a spammer /  
phisher and their target seems to have recently (within the last  
week) taken place on at least one professional networking site (which  
shall go unnamed).

In the incident, a mid-level financial executive from a non-English  
speaking background appeared to have created an account, created a  
profile, and then used the site's messaging system to individually  
contact a number of site members (less than a hundred in the initial  
push).  A recipient of the message who might have been dubious about  
its origins would have found that the details in the message and the  
account profile match up with information that is freely available on  
a number of corporate sites where the real executive works.

The initial exchanges between the profile owner(s) and the message  
recipients all appear to be normal business chatter between new  
business contacts, with no indication of any attempt at phishing.
The use of a free webmail account once communication moves off the  
networking site also seems somewhat normal until messages received  
from this address are investigated (the profile owner(s) are angling  
from a personal approach, as the business executive showing interest  
in other fields).  At this point, it is identified that the source of  
the messages is everyone's favourite 419 country.

It appears that this is not the first time that this particular  
executive has been targeted as the supposed origin of a 419-style  
phish, however the earliest record pointing to evidence of this is  
only from October 2006.

I'm throwing this out there for the masses, to see whether anyone  
else has encountered something similar.  There has been very little  
written about the risk of real spam / phishing from professional  
networking (and equivalent) sites.  From what I have been able to dig  
up, a few authors have danced around the edges, focussing on the  
automated comment spam and malware delivery angle that these sites  
sometimes allow (MySpace, I'm looking at you), but no one seems to  
have picked up on this specific angle.  It would appear that the  
potential return for the significant time invested is much less than  
could be achieved with an automated attack, which is one reason why  
we may not have seen more of this style of approach.

I will give the person who has been 'cloned' time to authenticate  
themselves with the sites concerned and shut down the fake accounts
before publishing a detailed breakdown of the events leading to the  
spam / phish attempt, how it was identified, and future risk  
factors / mitigation.

Carl

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
