The Best Defense Makes a Good Offense

During the process of evaluating corporate security products, I often begin thinking about how to circumvent the features of the product. More recently, I have started to think about how to leverage the features of products to attack the defender and organization. Since my coding skills are a bit behind the times (ancient really), I quickly took the route that many attackers take. Spear phishing. There is little doubt that spear phishing is often the path of least resistance and is still highly successful. SANS described it as the "...primary initial infection vector used to compromise computers that have internet access." in the Top Cyber Security Risks published in September 2009.

It is not inconceivable to suspect the success of email phishing correlates closely with the quality and familiarity of the email the intended victim receives. The more convincing the email, the more trust the recipient will have when clicking on a link or attachment within that email.

So I thought I would play the evil attacker and post some examples of emails that a corporate end user might receive from a security product that they know and trust. What better software than a product designed to thwart spam and spear phishing? The following is a notification a user of Postini Anti-Spam services would receive (with some href attribute changes of course);

YourATarget Inc's junk mail protection service has detected suspicious email message(s) since your last visit and directed them to your Message Center.

You can inspect your suspicious email at:

 https://login.postini.com/exec/login?email=user@youratarget.com

Suspicious email is kept for 14 days, after which it will be automatically deleted.  Please visit your Message Center to delete unwanted messages and check for valid email.

For help accessing and configuring your Message Center:

http://www.postini.com/services/help.html

Thank You!

YourATarget Inc

Staying with that theme, Postini also provides an email encryption portal that will encrypt an email and send the recipient a notice.

You have a Postini Secure Email message from user@yoruatarget.com.

To view the secure message, click here.

Do not reply to this notification message. This notification message was auto-generated by the sender's security system. To reply to the sender, please go to your secure message by clicking on the link above.

While there is some irony in using notifications from security products to phish and even more in the fact I was able to sent my spoofed emails through Postini's anti-spam filters unscathed. You could certainly leverage the familiarity of any enterprise application for offense. Some other possibilities include email notifications sourced from a helpdesk system, collaboration software (i.e. Sharepoint), or from email servers warning about size quotas. You can certainly apply these ideas to other attacks too. For example consider the following default Web Filter warning that could be leveraged during a Man-in-the-Middle attack.

Please note I have nothing against Postini or similar products. It just happens to be a product that I am familiar with and is quite popular. I am curious on what examples others can come up with. The Social Engineering Toolkit (SET) just released a new version and it is a great platform for testing the success of phishing attacks. It includes built in templates or you can certainly enter in your own custom email. Happy phishing!