OPSEC vs. Unsubscribe Phishing Attacks

Woke up in attack mode today.

Consider the common tone of many social media posts complaining about various brands.

I’ve met elementary school kids with more tech knowledge than the average Best Buy store manager.

or…

Anyone know a better bank than Bank of America? I’ve had enough of their mistreatment of customers.

In both of these cases, when made public, the target (yes, let’s call them that) has done something fascinating.

Companies commonly send emails right after in-store or online interactions, so by telling us about the bad experience they’ve just had, they’ve not just told us what businesses they have relationships with—they’ve told us that they would not be surprised at all to receive some sort of email from them.

Oops. OSINT fails are labyrinths of potential negative outcomes.

Phishing tool concept

So how about a phishing tool that parses a target’s social media feeds looking for experiences with any brand, and provides a top 3 list of recent and negative interactions.

Then you build your phishing template for that brand, because they’ll be expecting it.

Then, when they receive it, they immediately find and click the unsubscribe button, and that’s where you’ve placed the malware.

Profit.

Public persona hacking tool concept

Or, better yet, how about an OSINT tool called Adaptash0n that takes any username as an input and provides the following outputs by scrubbing dozens of social media feeds:

  • Any services that they use (a basic username check on a couple of hundred services)
  • Any service they complain about (a combination of mention, with an indicator of recent experience, with a negative sentiment)

So the tool basically tells you what type of phishing emails the target is likely to click on, or which of their accounts on other services you could go after because they probably haven’t kept good password hygiene there.

Did you remember to change your password for all 113 services you have accounts on, where the password is something well known now from HIBP breaches?

Yeah, didn’t think so.

So basically a personalized targeting tool that gives you suggestions for the best way to hack any particular person with a social media presence.

Summary

  1. When people talk about where they’ve had bad experiences they’re primed to receive an email from that company because it’s common practice for companies to send emails right after you interact with them.
  2. If the experience was negative, they’ll still be pissed at the company, and the email will make them even more angry, which means they’re likely to find and click the unsubscribe button immediately. And that’s where you put the malware.
  3. You can extend this to a full targeting tool that learns all about a given target in an automated way and gives you surface area to attack.
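From the receiving side, the weak point in the attack sketched above and in the tool concept is the unsubscribe link itself: a legitimate post-interaction email unsubscribes you on the brand's own domain (often also advertised in a List-Unsubscribe header), while the lure has to send the click somewhere the attacker controls. The script below is an added example, not code from the original post, that parses a raw message and flags unsubscribe-looking links whose domain matches neither the From: address domain nor any List-Unsubscribe URL. The two messages and all domains in it are constructed placeholders; the "last two labels" domain comparison is a simplification (a real deployment would use the Public Suffix List).

```python
"""Flag unsubscribe links that do not belong to the sender's domain.

Added example (not from the original post). The two sample messages below
are constructed for illustration and every domain in them is a placeholder.
"""
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect [href, anchor text] pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def registrable_domain(host):
    """Crude approximation: keep the last two labels (fine for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def suspicious_unsubscribe_links(raw_message):
    """Return unsubscribe-looking hrefs whose domain is neither the From:
    domain nor a domain advertised in the RFC 2369 List-Unsubscribe header."""
    msg = message_from_string(raw_message, policy=default)
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    trusted = {registrable_domain(from_addr.rsplit("@", 1)[-1])}

    for part in (msg["List-Unsubscribe"] or "").split(","):
        part = part.strip().strip("<>")
        if part.startswith(("http://", "https://")):
            trusted.add(registrable_domain(host_of(part)))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())

    flagged = []
    for href, text in collector.links:
        looks_like_unsub = "unsubscribe" in (text + href).lower()
        if looks_like_unsub and registrable_domain(host_of(href)) not in trusted:
            flagged.append(href)
    return flagged


# Constructed sample: a genuine post-visit email with a matching unsubscribe link.
LEGIT_MESSAGE = """\
From: Example Store <news@example-store.com>
To: customer@example.org
Subject: How was your visit?
List-Unsubscribe: <https://mail.example-store.com/u/123>
Content-Type: text/html; charset="utf-8"

<html><body><p>Thanks for visiting.</p>
<a href="https://mail.example-store.com/u/123">Unsubscribe</a></body></html>
"""

# Constructed sample: a lure with a spoofed From: and an off-domain unsubscribe link.
PHISH_MESSAGE = """\
From: Example Store <news@example-store.com>
To: customer@example.org
Subject: We're sorry about your experience
Content-Type: text/html; charset="utf-8"

<html><body><p>We heard you had a bad visit.</p>
<a href="https://example-store-unsub.invalid/stop">Click here to unsubscribe</a></body></html>
"""

if __name__ == "__main__":
    print("legit:", suspicious_unsubscribe_links(LEGIT_MESSAGE))
    print("phish:", suspicious_unsubscribe_links(PHISH_MESSAGE))
```

The check only catches the case where the link leaves the sender's domain; a lure sent from a lookalike domain would pass it, so in practice this sits alongside a sender-domain check (DMARC alignment, or a list of the brand's real sending domains) and URL reputation, and its output is a triage signal rather than a verdict.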

Now for breakfast and coffee.

__

I do a weekly show called Unsupervised Learning, where I collect the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.

Source: http://feeds.danielmiessler.com
