How Hackers Are Massively Targeting Companies via Email Misconfiguration



It's me, Ahmed Mehtab, and today, on behalf of Security Fuse, I would like to share a proof of concept of a security misconfiguration found in email forwarding systems. Every day hackers and spammers target organizations and companies, including ones counted as giants by international standards.

Recently the story "Thousands of CRA employees fell for fake phishing e-mail test", reported by The Globe and Mail, went viral.

Another story reached the media when The Guardian reported "Phishing scam targets routers".

In the past the Syrian Electronic Army went wild sending mass phishing emails and hijacking the Twitter accounts of big names; The Onion was one of their victims.

Nowadays spammers are very active. The question is: how do spammers and hackers get hold of a private list of email addresses that nobody outside the company knows? How do they know the exact email address of a staff member, or of all of them? Today I will discuss this in depth.

There could be many reasons behind such attacks, but one of the most common misconfigurations I have found in email systems looks like the most potent way of attacking companies.

Companies usually communicate with their staff either through their own private system running on an internal host or, more commonly, through email. Consider a company named "Fused" with 50 staff members working in its office and one boss who assigns tasks to those 50 people. The boss uses email to reach his staff whenever he wants to send a newsletter, an important message with an attachment, or greetings for some occasion. Typing the address of each member into the address box every time would take far too long, so to save time he creates an address, "staff@example.com", and configures an email forwarder on it, importing the addresses of all his staff as the forwarding destinations. The flow is shown in the chart below.



As you can see, when the boss wants to send an alert to all his staff he emails his forwarder address, staff@example.com, and staff@example.com re-sends that email to every staff member, because it was set up to forward anything it receives to the configured addresses.

Now, what is the misconfiguration? Whenever staff@example.com receives an email it does not confirm whether the message really came from the boss or from some other individual. Note that the From: header of an email is set by whoever sends it, so matching on that header alone proves nothing. The forwarder should verify, by some specific method, that the person sending to staff@example.com is the boss and not someone else.




Now the attacker somehow learns that the address staff@example.com exists and that it forwards whatever it receives to all staff members. He exploits the misconfiguration by sending a spoofed email, carrying a phishing link and a message aimed at the staff, to staff@example.com. As soon as the spoofed email arrives, the forwarder re-sends it, without any authentication, to every staff member, and they take it for an email from the boss because the sender address was forged.

All the staff members receive that email, one by one they fall for the phishing attack, and the attacker easily compromises confidential data through social engineering.

Another question that arises is how the attacker finds the address used to communicate with the staff, i.e. the forwarder. Trust me, there are many ways to find active email addresses. For example, if you send an email to a non-existent address you receive a delivery-failure notice, while a guessed address that produces no bounce is live; that alone shows how easy it is to find active addresses. Hackers and spammers also use tools such as Hydra to brute-force email addresses.
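The bounce-based probing described above can be run directly against the mail server: the same "user unknown" signal that arrives later in a delivery-failure notice is already visible in the server's reply to RCPT TO. The example below is added here and is not from the original post or Security Fuse; the FakeMTA class is a constructed stand-in for a real server so the code runs offline, and example.com, the mailbox names and the probe's HELO name are assumptions. It also includes the check a practitioner would want first: a catch-all domain answers 250 for every address, which makes the results meaningless.

```python
import secrets


class FakeMTA:
    """Constructed stand-in for a mail server (no network). It answers 550 5.1.1 for
    unknown mailboxes unless configured as a catch-all domain, mirroring the two
    behaviours a probe meets in practice."""

    def __init__(self, mailboxes, catch_all=False):
        self.mailboxes = {m.lower() for m in mailboxes}
        self.catch_all = catch_all
        self.log = []  # every command line the probe sent, for inspection

    def command(self, line):
        self.log.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return 250, "mail.example.com Hello"
        if verb == "MAIL":
            return 250, "2.1.0 Ok"
        if verb == "RSET":
            return 250, "2.0.0 Ok"
        if verb == "QUIT":
            return 221, "2.0.0 Bye"
        if verb == "RCPT":
            addr = arg.split(":", 1)[1].strip().strip("<>").lower()
            if self.catch_all or addr in self.mailboxes:
                return 250, "2.1.5 Ok"
            return 550, f"5.1.1 <{addr}>: Recipient address rejected: User unknown"
        return 500, "5.5.1 Command unrecognized"


def enumerate_mailboxes(mta, candidates, domain, helo="probe.example.net"):
    """RCPT TO probing. Returns (results, catch_all): results maps each candidate to
    True when the server accepted it, catch_all is True when a random, certainly
    non-existent mailbox was also accepted, in which case the results say nothing."""
    mta.command(f"EHLO {helo}")
    mta.command("MAIL FROM:<>")  # null reverse path, as a bounce itself would use
    # Canary first: if a nonsense mailbox is accepted, every later 250 is noise.
    canary = f"{secrets.token_hex(6)}@{domain}"
    code, _ = mta.command(f"RCPT TO:<{canary}>")
    catch_all = code == 250
    results = {}
    for addr in candidates:
        code, _ = mta.command(f"RCPT TO:<{addr}>")
        results[addr] = code == 250
    mta.command("RSET")
    mta.command("QUIT")
    return results, catch_all


if __name__ == "__main__":
    server = FakeMTA(["staff@example.com", "boss@example.com"])
    found, noisy = enumerate_mailboxes(
        server, ["staff@example.com", "sales@example.com", "boss@example.com"], "example.com")
    print("catch-all:", noisy)
    for address, accepted in found.items():
        print(address, "live" if accepted else "unknown")
```

The defensive reading is the same as the offensive one: a server that rejects unknown recipients at RCPT TO, or that bounces them afterwards, hands out its address list one guess at a time, and a forwarder address such as staff@example.com is just one more guess.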


To stop such attacks one must set up a stealthier system; one solution is outlined below.

1- Boss sends an email to the forwarder
2- Boss gets an authentication email from the forwarder asking him to supply his secret password
3- Boss replies to that email with the password
4- The system deletes both the boss's reply and the email it received
5- After successful verification the forwarder forwards the email to all the staff members
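To make the scenario and the fix concrete, the following is an added example that is not code from the original post or from Security Fuse. It models the forwarder for staff@example.com twice: first the misconfiguration, where anything delivered is re-sent to all staff, then the challenge/response scheme of steps 1 to 5. boss@example.com, the three staff addresses, the password and the message texts are all constructed for the illustration; messages are built in memory rather than received over SMTP. One detail is this example's own addition rather than the post's: each challenge carries a random token that binds the reply to one held message, so a reply that is captured or re-sent cannot release a later message.

```python
import hmac
import secrets
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed names for the illustration; only staff@example.com comes from the post.
FORWARDER = "staff@example.com"
BOSS = "boss@example.com"
STAFF = ["alice@example.com", "bob@example.com", "carol@example.com"]  # constructed list


def build_mail(header_from, to, subject, body):
    """Build a message. The From: header is whatever the sender chooses to put there,
    which is exactly why a forwarder cannot trust it."""
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


class NaiveForwarder:
    """The misconfiguration: every mail delivered to staff@ is re-sent to all staff."""

    def __init__(self):
        self.delivered = []  # (recipient, message) pairs the staff would receive

    def receive(self, msg):
        for rcpt in STAFF:
            self.delivered.append((rcpt, msg))
        return len(STAFF)


class VerifyingForwarder:
    """The challenge/response fix from steps 1-5: hold the mail, send a challenge to
    the claimed sender, forward only after a reply that carries the shared secret.
    The per-challenge token is this example's addition (not in the post): it binds
    each reply to one held message, so a captured reply cannot be replayed later."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = {}     # token -> held message awaiting verification
        self.challenges = []  # challenge mails sent back to the claimed sender
        self.delivered = []

    def receive(self, msg):
        subject = str(msg["Subject"] or "")
        if subject.startswith("Re: [challenge "):
            return self._verify_reply(msg, subject)
        # Steps 1-2: hold the message and ask the From: address for the password.
        # A spoofer never sees this challenge; it goes to the real mailbox.
        token = secrets.token_hex(8)
        self.pending[token] = msg
        claimed_sender = parseaddr(str(msg["From"]))[1]
        self.challenges.append(build_mail(
            FORWARDER, claimed_sender, f"[challenge {token}] confirm your message",
            "Reply to this mail with the forwarder password to release your message."))
        return 0

    def _verify_reply(self, reply, subject):
        # Steps 3-5: match the reply to a held message, check the secret, forward.
        token = subject[len("Re: [challenge "):].split("]", 1)[0]
        held = self.pending.pop(token, None)  # step 4: the held copy is dropped either way
        supplied = reply.get_content().strip()
        if held is None or not hmac.compare_digest(supplied, self.secret):
            return 0  # unknown token or wrong password: nothing is forwarded
        for rcpt in STAFF:
            self.delivered.append((rcpt, held))
        return len(STAFF)


def run_scenario(secret="correct horse battery staple"):
    """Replay the attack against both forwarders and return the delivery counts."""
    spoofed = build_mail(BOSS, FORWARDER, "Urgent: verify your account",
                         "Please sign in at http://phish.example/ to keep your access.")
    genuine = build_mail(BOSS, FORWARDER, "Holiday wishes", "Happy holidays, team!")

    naive = NaiveForwarder()
    naive_spoof = naive.receive(spoofed)        # every staff member gets the phish

    fwd = VerifyingForwarder(secret)
    verified_spoof = fwd.receive(spoofed)       # held; challenge goes to the real boss
    challenge_to = str(fwd.challenges[-1]["To"])

    # The attacker never sees the challenge, so the best he can do is guess a token
    # and a password for a forged reply.
    forged = build_mail(BOSS, FORWARDER, "Re: [challenge 0000000000000000] confirm your message", "letmein")
    forged_reply = fwd.receive(forged)

    fwd.receive(genuine)                        # the boss's real mail is held too
    token = str(fwd.challenges[-1]["Subject"]).split("[challenge ", 1)[1].split("]", 1)[0]
    boss_reply = build_mail(BOSS, FORWARDER, f"Re: [challenge {token}] confirm your message", secret)
    genuine_hits = fwd.receive(boss_reply)      # password correct: forwarded to all staff
    replayed = fwd.receive(boss_reply)          # same reply again: token already consumed

    return {
        "naive_forwarded_spoof": naive_spoof,
        "verifying_forwarded_spoof": verified_spoof,
        "challenge_sent_to": challenge_to,
        "forged_reply_forwarded": forged_reply,
        "verifying_forwarded_genuine": genuine_hits,
        "replay_forwarded": replayed,
        "still_pending": len(fwd.pending),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two things are worth noting from the run. The spoofed message is held and its challenge is delivered to the boss's real mailbox, not to the attacker, so the attacker can neither learn the token nor answer it, and the phish never reaches the staff. The scheme still rests on the secret staying secret and on the boss's mailbox not being compromised; a forwarder that also checks the usual sender-authentication results (SPF, DKIM and DMARC) on incoming mail, which the post does not cover, would reject most forged From: headers before any challenge is needed.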

That is one tactic that can be used to prevent such attacks. The proof of concept has shown how organizations and companies become victims of phishing or scam attacks and how easily a hacker compromises their clients' data. Note also that Linux cPanel has a built-in email forwarding option called "mailing list", which is equally vulnerable if authentication is not enabled on it.






About Ahmed Mehtab

Ahmed Mehtab is a white hat cyber security researcher, speaker, trainer and blogger at Security Fuse. He loves to research cyber security issues, cyber crime and hacktivism. Quote: "Being a hacker without having knowledge of programming is just like a knife without sharpness" ~ Ahmed Mehtab
