We have already had our dealings with TalkTalk, as covered in our earlier blogs here and here. We felt the need to disclose their 2015 data breach previously, and it disappoints us to need to write again. This isn’t a vendetta against them – I am genuinely a customer, so I notice things simply by using my ISP-provided account as normal.
What amazes me, though, is how they (TalkTalk PLC) go about their IT security operations. We have heard enough noise about antiquated Tiscali-era equipment causing their 2015 breach, and following this they rebuilt their website and added security every way they could. But why would they carry the old issues across with them? OK, let’s get into some advanced phishing.
So you start out in the world of phishing with very basic knowledge: sending emails with links that carry basic malware or guide people to malicious login portals. You get the emails there any way you can work out how to. You spare no thought for security, SMTP credentials and such; you just point and click, and if it doesn’t work you tinker and try again.
Somewhere along this scale of complexity you hit the middle ground – well-configured, privately owned SMTP servers, DNSSEC configured, and tiny typos in domains that are made to look as legitimate as they can be. The middle ground of these emails will start to pass SPF, and they will guide you to landing pages with EV certs and such… These are the sneaky ones you hear the horror stories about. The emails that look real.
All this is well and good when you’re looking to make a quick buck. But what about the advanced phishing techniques I promised? Well, here is the thing: they don’t exist.
Ask any decent social engineer and they will tell you the best platform to send malicious emails from is the target’s own! This isn’t a bulk operation of sending out 1000 emails – no sir!
The advanced phishing game is about stealth. You research for hours on end to craft that one perfect email that is sent at the right time to the right person to get the desired outcome, and when it comes to be dispatched you want a compromised account or something internal to send it from. This is post-compromise already: the mid-range phishing attacks might have got you into a company’s systems, but that’s just the beginning. It’s advanced, tactical emails like this that empty the bank accounts and do real damage.
Most large organisations now warn staff about external emails that might be malicious – but their own internal emails fly straight through nearly all forms of content filtering. The most powerful and best platform I’ve ever sent a phishing email from? The winner is the company’s own boring Outlook Web Access account. Sorry folks, there is no special secret.
So you’d like to think companies would look to protect this! Anyone can go out and get an @gmail.com email address, but you can’t create accounts on a company’s own domain – imagine the power you could have simply by being able to create an @google.com email address. Imagine if you could receive mail there or send mail from a domain like that. It would then be trivial to masquerade as high-rolling members of staff – you could phish like a pro using their own mail servers…
Some companies just don’t learn.
Imagine my surprise when I found this to be the case for TalkTalk customers. Now criminals can attack TalkTalk customers using these methods, saving them the time and hassle of registering and configuring a malicious domain. Just grab the list of breach victims and get sending, safe in the knowledge that TalkTalk are helping run your criminal enterprise and picking up the infrastructure costs for your new malicious campaigns – perfect for cash-strapped 15-year-olds who might want a quick pop at their customers.
What should they do?
- It’s quite simple… do you remember the blog about being able to register fraudsupport.talktalk.net? We recommended they decommission customer creation of subdomains on their domain… Well, this is like that really. Just stop it. Stop doing stuff like this. You shouldn’t be able to register security@, SSL@ or staff.names@ for that matter, unless you own the domain or its primary function is creating email accounts.
- Research their own business like an attacker would, like the fraudsters that prey on their customers. It’s only by doing this that they will stop helping the bad guys like they do.
- How has this been missed by a security audit? Just who is doing their penetration testing and not complaining about this already? Be ashamed of yourself, whoever you are.
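One way a provider could enforce the first point at sign-up time, as an added example that is not part of the original post and not TalkTalk’s code: reject mailbox names that match role addresses (the RFC 2142 set plus the security@/SSL@/fraud-style names above) or look like a member of staff, even when dots, hyphens or digits are added to dodge a naive list. The reserved list and the staff directory here are constructed for illustration.

```python
import re
from typing import List, Tuple

# RFC 2142 role mailboxes plus names a customer should never own on a shared
# provider domain (illustrative list, not any provider's real policy).
RESERVED_LOCAL_PARTS = {
    "postmaster", "hostmaster", "webmaster", "abuse", "noc", "security",
    "support", "sales", "info", "marketing", "billing", "admin", "administrator",
    "root", "ssl", "fraud", "fraudsupport", "noreply", "no-reply", "helpdesk",
}

# Constructed sample staff directory; a real deployment would query HR or AD.
STAFF_DIRECTORY: List[Tuple[str, str]] = [("Alice", "Example"), ("Bob", "Sample")]


def normalise(local_part: str) -> str:
    """Lower-case and strip separators/digits so 'Alice.Example1' == 'aliceexample'."""
    return re.sub(r"[^a-z]", "", local_part.lower())


def staff_name_variants(directory: List[Tuple[str, str]]) -> set:
    """Common mailbox spellings of a person's name: first+last, last+first, initial+last, first+initial."""
    variants = set()
    for first, last in directory:
        f, l = first.lower(), last.lower()
        variants.update({f + l, l + f, f[0] + l, f + l[0]})
    return variants


_RESERVED_NORMALISED = {normalise(r) for r in RESERVED_LOCAL_PARTS}
_STAFF_VARIANTS = staff_name_variants(STAFF_DIRECTORY)


def registration_allowed(local_part: str) -> Tuple[bool, str]:
    """Decide whether a customer may register this local part; returns (allowed, reason)."""
    lp = local_part.strip().lower()
    if not re.fullmatch(r"[a-z0-9._-]{3,64}", lp):
        return False, "invalid characters or length"
    # Exact or separator/digit-padded match against the reserved set ("Security2018", "fraud.support").
    if lp in RESERVED_LOCAL_PARTS or normalise(lp) in _RESERVED_NORMALISED:
        return False, "reserved role address"
    # Any dot/hyphen/underscore-separated token that is itself reserved ("security.team").
    if any(tok in RESERVED_LOCAL_PARTS for tok in re.split(r"[._-]+", lp)):
        return False, "reserved role address"
    if normalise(lp) in _STAFF_VARIANTS:
        return False, "matches a staff name"
    return True, "ok"
```

The staff-name check is deliberately strict on normalised spellings; a production system would also log rejected attempts, since repeated tries at role names are themselves a useful signal.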
What should you do?
- Stay alert – Look at the domain and details of the sending email address, but in 2018 we simply can’t rely on this alone as proof that an email is genuine.
- Keep mum – If you are targeted or asked for details via an email, delete it and make contact using a trusted phone number from a bill. Don’t input details into phishing sites or give them over the phone. Social engineers want information, so keep it non-existent.
- Learn – It’s no longer enough to note a few basic tips to stay safe online; you need to get to grips with several types of attack and learn how they work. We offer basic training videos free of charge here – Free Training Videos.
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited; he has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.