Despite the publicity over “phishing” attacks, people are still vulnerable to spoof e-mails and web sites. In one recent project, we crafted an e-mail with a link to a web page purporting to be a survey on information security hosted by our customer. We used graphics and links from the genuine corporate web site on our own server to ensure the pages looked realistic.
Using simple web forms, we harvested user names and passwords, as well as valuable information about the organisation’s security procedures and mailed the results to our own e-mail server. No-one noticed that the site was unencrypted, nor that it was hosted on an unrecognised IP address with no DNS name. Until a senior member of staff challenged the e-mail and instructed staff to ignore it, we were receiving mails containing names and passwords from innocent users.
Normal web browsing can also help steal identities. For example, a specially crafted pop-up window on an otherwise innocent web site can reap rich rewards. Staff using the corporate network to browse a web site will often respond to a pop-up box saying “Your connection to the network has been lost – please re-enter your username and password”. They continue using their network and the Internet none the wiser, whilst their credentials have been harvested by the web site.
This blog post is an excerpt of an opinion piece called “Identity Theft in The Corporate World” written by Peter Wood from First Base Technologies. You can find more about this security outfit at http://www.fbtechies.co.uk