So it turns out us humans aren’t the only ones with a few flaws when it comes to an inbound phishing email! Often uttered from the crowds at every infosec event is the dreaded cliché statement, “Well, humans are the weakest links in security” but not today, stand proud as we take the time to shame our binary companions.
In testing and teaching phishing to organisations, the same things get repeated. Don’t click on the link, check the sender, check for legitimacy etc but we recently discovered these phishing basics can also have quite a bit of damage when it comes to online accounts.
Many online services have a feature whereby you can email the service and it will perform an action. They don’t validate the sender.
Let’s take a look at a few examples, Wunderlist. You can send an email to ‘firstname.lastname@example.org’ from email@example.com and it will forward a to-do to the account that uses firstname.lastname@example.org. If you want to interact with this account you could just spoof the email address ‘email@example.com’ and send your emails to firstname.lastname@example.org.
How about uploading some malicious PDFs to the victim’s to-do list? Off course you can, just attach to the email.
You can also expand on the features by adding items to the subject line of the email. So now the victim’s malware can be selected * Important and flagged accordingly.
Wunderlist received full disclosure of this issue and deny this is a problem. When explained in detail you can add ToDo’s to people accounts and it could be used to spam customers, or worse – assist exploiting them! they stood firm in their judgement. The issue was passed to the MSRC with a hapless reply of:
“Unfortunately we don’t have a program for Wunderlist”
IFTTT… I still don’t understand how to work this service, but I expect people will be able to turn off your connected devices for fun using your forged email address and sending it to ‘email@example.com’. IFTTT has promptly fixed this issue.
Imgur allows you to post a picture to your Imgur account via email. Well, let’s say we found the most popular Imgur accounts or corporate accounts, spoofed their email address and started uploading what we wanted to their account? I don’t think ‘PeanutBuddha’ with over 2 million upvotes would like that.
In researching this bug, Imgur has been noticed of this issue via the HackerOne platform of reporting issues and have made no attempt to fix this.
With limited success, it is also possible to dispatch notifications to services like Yammer. You want to email all of the sales department at a company – easy!
Just grab the email address of one salesman and send a spoofed email to sales+company.com@Yammer.com. Why stop there though? why not send a few phishing links to firstname.lastname@example.org too. Within seconds of sending one spam laden, malware infected email it can be spread around using their own comms platform.
British Gas home systems… accept email and SMS input, so now attackers can have a choice in what medium they wish to spoof. Always handy to know someone can be messing with your internet connected trash whilst you are away via spoofed text messages.
Spoofing an email
Whilst this is done all the time and is quite common in phishing emails not everyone might be aware that you can spoof an email sender. So next time you receive an email and you recognise the sender – it might not be correct. There is normally no checks on the ‘MAIL FROM’ element of an email. It’s trivially easy to send a message from Bill.Gates@Microsoft.com and many email systems are none the wiser.
Some companies like Google, Evernote and Facebook to name just a few already know what the solution is! They use secret email addresses that are unique, similar to 43244JGIC43214@evernote.com Whilst this solution is more secure it is not doing the same thing. You see when a company uses a generic mail in address then their system must connect this incoming email to the account and it does this by using the from address of the email (The one that can be spoofed) but a secret/unique email address is allocated per account, meaning emails to that address can only ever end up in that account. To mess with this system you would need to spoof the email aaaaaand! know the secret email address.
We have reached out to several companies affected to ensure they are aware of the issue, due to the nature of the issue it will not be fixed by everyone that uses a static email address. Whilst this does bring several fairly obvious concerns the companies mentioned were only the ones I ran into – thousands more remain and should not be viewed in a negative manner because of this post. It’s the internet, everything has a bug in – some can’t be fixed.
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited, he has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.