CRIME Social Engineering - harmful spam

From: Duane Nickull (duane@private)
Date: Thu Oct 16 2003 - 10:16:16 PDT


    All:
    
    Having been thinking about the new paradigm for compromising systems 
    moving more towards social engineering (as foreseen by Mitnick et al) 
    rather than the old school brute force or weakness exploitation type 
    attacks, I have a question to pose.
    
    It occurs to me that most humans probably have several accounts on the 
    internet and likely use the same username/password pairs for multiple 
    accounts.  A person wishing to acquire these uname/pword pairs could 
    probably use a social engineering exploitation by offering an 
    incentive/deal to groups of users who frequent a machine/network they 
    wish to exploit, require them to create an account on the machine 
    offering the incentive, and then capture all the uname/pword pairs.  To 
    me, the odds are that at least one person may give the same actual 
    account pair that is useful on the original machine a person wants to 
    exploit.
    
    An example could be an online gaming system.  If a person wanted to 
    exploit another user's account, they could set up a website where people 
    could register for a free CD full of full versions of games, but require 
    they create an account to do that first.  The exploiter could blanket 
    advertise the original site to attract the gamers to the new site, then 
    harvest the uname/pword pairs.
    
    The latter is likely harmless; however, if a group of office workers were 
    lured to a site with an offer for something that government workers 
    would like, a few username/password pairs may be re-used.
    
    The range of damage could be vast - from a simple use of someone else's 
    email account at Hotmail to full blown access to root privileges on a 
    system or even their bank account.
    
    Myself, I have been increasingly wary of spam that asks users to create 
    accounts to get some sort of benefit later on. Has anyone heard of such 
    an attack being successful or seen statistics on how many people use 
    the same username/password for multiple sites?
    
    Curious...
    
    Duane
    
    -- 
    ***************************************************
    Yellow Dragon Software - http://www.yellowdragonsoft.com
    Web Services & ebXML Messaging / Registry Downloads
    UN/CEFACT eBusiness Architecture/ ebXMl Technical Architecture 
    Phone:   +1 (604) 738-1051 - Canada: Pacific Standard Time
    Direct:  +1 (604) 726-3329 
    This archive was generated by hypermail 2b30 : Thu Oct 16 2003 - 11:02:30 PDT