[nSLUG] End of email -- what next

D G Teed donald.teed at gmail.com
Tue Apr 19 16:58:08 ADT 2011


On Tue, Apr 19, 2011 at 1:48 PM, George N. White III <gnwiii at gmail.com> wrote:

> It got into Oak Ridge's system through a phishing email designed to
> look like it was sent from the lab's human resources department.

The flaw here sounds just like a recent attack at the Canadian federal
government department.  The hacker forges an email from a boss
to an underling, asking for a password or a password reset.  The
underling obliges (social engineering working here, they don't want
to say no or give a hassle to the boss), and provides the password in email.
Alternately, the hacker may have phished the boss's email password
and then used that to send emails looking for the password reset.
Then the attacker sets up malware or keyloggers wherever possible
using the boss's access, possibly on their desktop, etc.
This gains additional access, since the bosses tend to have lots
of access with accounts in various systems.

The key flaw here is sending passwords over email.  Just don't do it.
Arrange to phone or meet in person in a way you can confirm
it is really the person who should get the password.

I've found the average email user doesn't understand how
easy it is to forge email until I send them a message from
ronald.reagan at whitehouse.gov and then they come
back to me and say "oh, ya."  Part of it is not understanding
the envelope aspect of email.  You'd think Microsoft's mail
clients were designed by phishers, with their default ability
to keep the actual address hidden (appear as "Ronald Reagan").
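A defender-side illustration of the envelope-versus-header distinction the post describes, added here as an example and not code from the thread; the two sample messages are constructed, and the trusted-domain set is an assumption:

```python
import email
from email.utils import parseaddr

# Constructed sample (not from the original post): the display name claims
# to be a well-known person, while the header From address and the envelope
# sender recorded in Return-Path both lie outside the recipient's domain.
SPOOFED_RAW = """\
Return-Path: <bounce-4711@mailer.example.net>
From: "Ronald Reagan" <ronald.reagan@whitehouse.gov>
To: staff@example.org
Subject: Password reset needed

Please reply with your current password so IT can reset it.
"""

# Constructed internal message for comparison: From and envelope agree.
INTERNAL_RAW = """\
Return-Path: <alice@example.org>
From: Alice Example <alice@example.org>
To: staff@example.org
Subject: Lunch

Noon?
"""

def _domain(addr):
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_sender(raw_message, trusted_domains):
    """Return findings explaining why the sender looks forged; an empty list
    means the headers are consistent with trusted_domains, which is not
    proof the message is genuine (SPF/DKIM/DMARC results are not checked)."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))
    from_domain, envelope_domain = _domain(from_addr), _domain(envelope_addr)
    findings = []
    # The header From is what the client renders; it is free text chosen by
    # whoever submitted the message, and many clients show only display_name.
    if not from_domain:
        findings.append(f"From header {msg.get('From')!r} carries no routable address")
    elif from_domain not in trusted_domains:
        findings.append(f"From domain {from_domain!r} is not a trusted domain")
    # Return-Path is written by the receiving MTA from the SMTP envelope
    # sender; this is the "envelope aspect" users never see in the client.
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope domain {envelope_domain!r} differs from From domain {from_domain!r}")
    return findings
```

Run against a mailbox, the findings are what a client that only shows "Ronald Reagan" keeps from the user.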
