
New "Spear Phishing" Attacks Target IT Admins

kdawson posted more than 4 years ago | from the parasitic-wasps dept.

Security 134

snydeq writes "A new breed of 'spear phishing' aimed at IT admins is making the rounds. The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company's network defenses. The authentic-looking emails, which often include the admin's complete name or refer to a real project they are working on, are the product of tactical research or database hacks and appear as if having been sent by the company's hosting provider. 'In each case, the victim remembered getting a similar sort of email message when they first signed on with a service and, thus, thought the bogus message was legitimate — especially because their cloud/hosting providers keep bragging about all the new data centers they're continuing to bring online.' The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares. Certainly fodder for some bone-headed mistakes on the part of admins, the new attack 'makes the old days of hoax messages that caused users to delete legitimate operating system files seem relatively harmless.'"


134 comments


Heh (0)

Anonymous Coward | more than 4 years ago | (#31335868)

I'm a sysadmin for a hosting provider. Good luck with that.

Re:Heh (0)

Anonymous Coward | more than 4 years ago | (#31335924)

Can you host some pics I have of CmdrTaco's micropenis?

Re:Heh (0)

Anonymous Coward | more than 4 years ago | (#31336368)

So long as you can ensure me that you have absolutely every single angle of that tiny little delicious cock! For...research...purposes, of course. Not jerking off. Nope, no siree! Wouldn't even dream about or fetishize about sucking off such a cute little micropenis, all flaccid feeling in my mouf.

Re:Heh (4, Insightful)

MightyMartian (840721) | more than 4 years ago | (#31336118)

We host our mail and web ourselves. At the same time, I don't give a fuck how legitimate an email looks, if it sends me instructions to open my mail server or firewall, I'm going to be on the phone to my ISP ASAP.

Re:Heh (1)

TheModelEskimo (968202) | more than 4 years ago | (#31339326)

Your dumb ISP: "OK sir, thank you for your patience while we work to resolve this issue for you. Sir, next can you please tell me what happens when you open your firewall?"

This is why... (2, Interesting)

Anonymous Coward | more than 4 years ago | (#31335884)

The less information floats about you on the net, the better.

Re:This is why... (1)

ceeam (39911) | more than 4 years ago | (#31336304)

True. Until you're looking for a new job, probably.

Re:This is why... (1)

bsDaemon (87307) | more than 4 years ago | (#31336358)

Or especially when you're looking for a new job, knowing some people.

Re:This is why... (1)

Beardo the Bearded (321478) | more than 4 years ago | (#31336476)

Hey, when we were looking for co-op students, I looked them up on Facebook. At least one was vetted as a "douche" based on his pictures.

Re:This is why... (1)

KevinKnSC (744603) | more than 4 years ago | (#31338430)

That's ammo for an EEOC complaint, right there.

Re:This is why... (1)

darkpixel2k (623900) | more than 4 years ago | (#31340394)

That's ammo for an EEOC complaint, right there.

I'm an equal opportunity employer. As long as you're not a douche, druggie, or moron, that would potentially damage my business, you have an equal opportunity to get employed regardless of being black, gay, Christian, Russian, female, etc...

Try "fishing for noobs", not admins. (5, Insightful)

pla (258480) | more than 4 years ago | (#31335906)

The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares.

Why on Earth would I do that at the whim of my ISP or web host? I've actually gotten into arguments with known, real providers that insisted they needed access to my network to work properly (correct response - "No, no you don't - and neither does your competition"); I sure as hell wouldn't say "Oh, you have a new service? Cool, guess I'll chuck that Sonicwall in the trash now...".

This may target "your nephew who does your computer stuff at the office", but it sure as hell doesn't target IT professionals.

Re:Try "fishing for noobs", not admins. (0, Redundant)

SirBigSpur (1677306) | more than 4 years ago | (#31335996)

This may target "your nephew who does your computer stuff at the office", but it sure as hell doesn't target COMPETENT IT professionals. Fixed that for you.

Re:Try "fishing for noobs", not admins. (4, Interesting)

Fnord666 (889225) | more than 4 years ago | (#31336026)

Seconded. Why in the world would anyone with a quarter of a clue look at

We are pleased to announce the go-live date for a new Data Center, scheduled to go live on April 19, 2010.
Please update your firewall rules to allow SMTP traffic on port 25 from the following IP address ranges:
213.199.180.128/26 (213.199.180.129 - 213.199.180.190)
94.245.120.64/26 (94.245.120.65 - 94.245.120.126)

and think "Hey, I better do this right away."?

Re:Try "fishing for noobs", not admins. (1)

rmadmin (532701) | more than 4 years ago | (#31336376)

First thing I'd do is go "OH! IPs!" and hit ARIN. Then I'd go "RIPE? I don't f-ing think so!" Then again, I'm goofy about looking up IPs all the time. :D

Re:Try "fishing for noobs", not admins. (1)

SatanicPuppy (611928) | more than 4 years ago | (#31336528)

What I thought was, "Fucking /26 blocks? Are you kidding me?" Not to mention that opening 25 to 128 different IPs makes no sense at all.
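The quoted notice and the "/26 blocks?" objection above suggest a triage step a defender can script before anyone touches a firewall: pull the requested ranges out of the mail body and check them against local policy. This is an added example, not code from any commenter; the host-count limit and the "published provider range" are constructed assumptions standing in for whatever the provider has told you through a channel you trust.

```python
import ipaddress
import re

# Constructed sample: the bogus data-centre notice quoted in the thread above,
# as it would arrive in the mail body (not the original commenter's code).
NOTICE = """We are pleased to announce the go-live date for a new Data Center,
scheduled to go live on April 19, 2010.
Please update your firewall rules to allow SMTP traffic on port 25 from the
following IP address ranges:213.199.180.128/26 (213.199.180.129 - 213.199.180.190)94.245.120.64/26 (94.245.120.65 - 94.245.120.126)"""

# Hypothetical local policy (assumptions, not from the page): the most hosts a
# single relay rule may admit, and the provider ranges learned through a trusted
# channel (signed notice, provider portal, a phone call you placed yourself).
# 203.0.113.0/29 is a documentation prefix used here purely as a placeholder.
MAX_HOSTS_PER_RULE = 8
PUBLISHED_PROVIDER_RANGES = [ipaddress.ip_network("203.0.113.0/29")]

# "a.b.c.d/nn (a.b.c.d - a.b.c.d)" with optional whitespace, as in the notice.
RANGE_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*\(\s*"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\)"
)


def parse_requests(text):
    """Extract (cidr_text, network_or_None, first, last) for each range requested."""
    found = []
    for cidr, lo, hi in RANGE_RE.findall(text):
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            net = None  # host bits set: the sender cannot even write a valid prefix
        found.append((cidr, net, ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return found


def triage(text, published=PUBLISHED_PROVIDER_RANGES, max_hosts=MAX_HOSTS_PER_RULE):
    """Return a list of findings; an empty list means the request passed every check."""
    findings = []
    for cidr, net, lo, hi in parse_requests(text):
        if net is None:
            findings.append(f"{cidr}: malformed prefix (host bits set)")
            continue
        hosts = list(net.hosts())
        # 1. Internal consistency: does the spelled-out range match the prefix?
        if lo != hosts[0] or hi != hosts[-1]:
            findings.append(f"{cidr}: stated range {lo}-{hi} does not match the prefix")
        # 2. Blast radius: how many hosts would be allowed to relay mail?
        if len(hosts) > max_hosts:
            findings.append(f"{cidr}: opens port 25 to {len(hosts)} hosts (policy max {max_hosts})")
        # 3. Provenance: is it inside anything the provider told us out-of-band?
        if not any(net.subnet_of(p) for p in published):
            findings.append(f"{cidr}: not within any range published through a trusted channel")
    return findings


if __name__ == "__main__":
    for line in triage(NOTICE) or ["no findings"]:
        print(line)
```

On the notice above both prefixes are internally consistent, which is exactly why they look plausible; they still fail on width (62 hosts each) and on provenance, which is the check an e-mail can never satisfy on its own.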

Re:Try "fishing for noobs", not admins. (4, Interesting)

asdf7890 (1518587) | more than 4 years ago | (#31336620)

But what about someone who set up the service initially some months ago and has since moved on and is busy with several other projects? That someone might give the mail a cursory glance and then forward it to the less experienced team/individual currently operating as caretaker for the service. He/she/they might decide to just blindly go ahead, either because they are less experienced, they assume the person that forwarded the note to them checked it, or they are numbskull button-pushers employed by the lowest bidding IT outsourcing outfit, or some combination of the above - at which point the ne'er-do-wells have an in...

Re:Try "fishing for noobs", not admins. (1)

w0mprat (1317953) | more than 4 years ago | (#31336692)

Seconded. Why in the world would anyone with a quarter of a clue look at

We are pleased to announce the go-live date for a new Data Center, scheduled to go live on April 19, 2010.
Please update your firewall rules to allow SMTP traffic on port 25 from the following IP address ranges:
213.199.180.128/26 (213.199.180.129 - 213.199.180.190)
94.245.120.64/26 (94.245.120.65 - 94.245.120.126)

and think "Hey, I better do this right away."?

A firm worth its salt will have a change process for the firewall, which would catch out anything like this. Mr "Hey, I better do this right away" Admin should not have the access and authority to do this kind of thing on the fly... or the organization has another thing coming.

Re:Try "fishing for noobs", not admins. (1)

h4rr4r (612664) | more than 4 years ago | (#31337072)

The change process should be the admins'. Anything else gets business morons involved and they are the ones who think opening stuff for whole /26s is ok.
If the admins fuck up, fire them.

Re:Try "fishing for noobs", not admins. (1)

sexconker (1179573) | more than 4 years ago | (#31338592)

A firm worth its salt will have a change process for the firewall

It's nice to pretend.
Any anything worth its anything will eschew formal safety obstacles to get the job done. 99.99999% of the time nothing goes wrong.

Re:Try "fishing for noobs", not admins. (0)

Anonymous Coward | more than 4 years ago | (#31339794)

Why in the world would anyone with a quarter of a clue...

Well, management is doing good many times if it has 1/8th of a clue. So orders that make even less sense come down the pipe all the time with a "Do this NOW!" attached to it, and when sysops are feeling demoralized and burnt out, they're probably not even going to attempt to fight it. Even if, on review, it comes from out of house. After all, it looks like technical instructions, not something designed to trick some stupid (l)user!

So there's a very good chance, given the high stress rates endemic to so many shops today that someone WILL act on a clueless suggestion, no matter where it comes from.

Re:Try "fishing for noobs", not admins. (3, Funny)

GPLDAN (732269) | more than 4 years ago | (#31336044)

You run a SONICWALL and you HAVEN'T thrown it in the trash yet?


(We still run a ES6000. I feel your pain.)

Re:Try "fishing for noobs", not admins. (1)

dave562 (969951) | more than 4 years ago | (#31336208)

That ES6000 is an email security appliance and not a firewall. Sonicwall firewalls are decent devices. I can only comment on them in the typical SMB deployment, but I've seen one handle 500 users on a DS3 connection without a problem. That included full IDS/IPS and gateway anti-virus on the connections.

If you need email security, why aren't you using Postini? They're ridiculously cheap for standard anti-spam / anti-virus filtering on your SMTP streams. We're paying about $4 per user for 125 users.

A over worked sysadm is like a texting driver (5, Insightful)

xzvf (924443) | more than 4 years ago | (#31336288)

It is hard to concentrate on multiple tasks at once. While a good sysadmin won't fall for this on the best days, an overworked one will occasionally just do stuff that looks right. If you want real security, any change should require two people (who don't know each other, in physically different locations) to implement, an approved change control document that identifies the change and reason for it, and an auditor that follows behind the change to make sure it doesn't open any holes. I'm going for funny on this.........

Re:A over worked sysadm is like a texting driver (1)

nurb432 (527695) | more than 4 years ago | (#31337154)

I disagree; if you do something via an unsolicited EMAIL then you are a fool. It has nothing to do with being overworked. It's common sense.

Now, if they call you on the phone, and give you real verifiable meat, then I can see bad things happening. But even then, I'd want to call them back to verify if things sounded the least bit strange.

Re:A over worked sysadm is like a texting driver (1)

Chris Mattern (191822) | more than 4 years ago | (#31339102)

While a good sysadmin won't fall for this on the best days, an overworked one will occasionally just do stuff that looks right.

I am sorry, but if this "looks right" to you, even on your worst day after downing two quarts of gin, then you really have no business being a sysadmin. Open your mailserver to large blocks of random IP addresses? Tell me, if you got something that looked like it was from your bank that told you to leave a large pile of cash sitting outside your front door, would you do it? Even if the letter looked REALLY, REALLY convincing?

Re:A over worked sysadm is like a texting driver (1)

GaryOlson (737642) | more than 4 years ago | (#31339504)

Not everyone has a backup admin for these tasks. Whose infinite budget are you using for this extra manpower?

Re:A over worked sysadm is like a texting driver (1)

Cramer (69040) | more than 4 years ago | (#31340300)

Actually, having been an overworked admin, the overworked admin would see "April 19" and say, "I don't need to worry about that for awhile" and promptly drop it in the calendar for April 16 (friday) or 19 (monday). And get right back to whatever. Plus, the message tells you exactly where to go to see the complete list of addresses that's supposed to be used, so that's where I'd go for the "complete list" instead of some random email. (plus, I have scripts that generate firewall configurations... copy, paste, done.)

Re:Try "fishing for noobs", not admins. (1)

macintard (1270416) | more than 4 years ago | (#31336356)

You lost all credibility when you mentioned the Sonicwall.

Re:Try "fishing for noobs", not admins. (3, Interesting)

SatanicPuppy (611928) | more than 4 years ago | (#31336454)

Exactly. I'm just going to open up some port, or change my mail settings because some schmuck sends me an email?

I changed an IP address on a single server and it ended up being 6 hours on the phone with corporate VPN jockeys and contractor VPN jockeys and failover tunnel configuration, and the WAN guys, and the next day I had to put in another hour because a different business unit on an outsourced customer service portal had missed that we were moving the server, and they had to get set up as well.

Firewall/Server changes from an ISP over email? Right.

Oh yeah I'll open all ports on my firewall.... (0)

Anonymous Coward | more than 4 years ago | (#31335930)

Just cause an e-mail told me to!

michael vick sucks a big cock (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31335952)

fucking little bitch that he is. anyone who supports this asshat is a bitch too.

So when did text have to become an active payload? (-1, Offtopic)

St.Creed (853824) | more than 4 years ago | (#31335962)

If e-mails were just e-mails (text), and didn't include active content, it would fix the entire attack-vector. Perhaps sysadmins should default to secure software. But is there even software these days you can make absolutely sure does not show anything except the plain text? On windows that is, on unix I just use elm anyway.

Re:So when did text have to become an active paylo (4, Informative)

MozeeToby (1163751) | more than 4 years ago | (#31336024)

Did you even RTFS? The emails contain instructions for things that the attackers want the admins to do. It's called social engineering, and it's not a computer glitch, it's a critical thinking glitch.

Re:So when did text have to become an active paylo (3, Insightful)

TooMuchToDo (882796) | more than 4 years ago | (#31336204)

As my first boss and mentor used to say, "You can't fix stupid."

Re:So when did text have to become an active paylo (0)

Torodung (31985) | more than 4 years ago | (#31336488)

You can fix stupid with hardware.

Re:So when did text have to become an active paylo (0)

Anonymous Coward | more than 4 years ago | (#31336526)

No, stupid just googles a work-around.

Re:So when did text have to become an active paylo (0)

Anonymous Coward | more than 4 years ago | (#31337374)

baseball bat?

Re:So when did text have to become an active paylo (1)

Arthur Grumbine (1086397) | more than 4 years ago | (#31337782)

That depends on whether or not you can convince stupid to sign a consent [wikipedia.org] form [wikipedia.org] .

Re:So when did text have to become an active paylo (1)

DMUTPeregrine (612791) | more than 4 years ago | (#31339350)

Actually, you can. The standard methods for fixing stupid are generally about 9mm.

Re:So when did text have to become an active paylo (1)

GaryOlson (737642) | more than 4 years ago | (#31339510)

I was thinking .22 caliber...the entertainment lasts longer.

Re:So when did text have to become an active paylo (1)

BlortHorc (305555) | more than 4 years ago | (#31340268)

Sure you can [thinkgeek.com]

Re:So when did text have to become an active paylo (1)

cenc (1310167) | more than 4 years ago | (#31340424)

Yea, you can. Your FIRED!!!

Re:So when did text have to become an active paylo (1)

bunratty (545641) | more than 4 years ago | (#31336364)

Did you even RTF tiger team entry? It's all about using social engineering to get IT admins to install a trapdoor.

Re:So when did text have to become an active paylo (1)

MozeeToby (1163751) | more than 4 years ago | (#31336402)

And how does making emails plain text prevent that?

Dear Sir/Madam,

Due to changes in our routing technology, we require you to install the update found at www.example.com in order to continue accessing our services, thank you very much for your cooperation

Your ISP Admin Team

Re:So when did text have to become an active paylo (3, Funny)

jellomizer (103300) | more than 4 years ago | (#31336292)

Here is the ultimate OpenBSD fix to boost performance.

Just call rm -rf /

rm is short for _R_eally fast _M_achine; the -rf flags are for really fast and the / makes sure that all apps run Really Fast. Just be sure to do this as root as you will need permission to change all executables to run Really Fast.

We all know that OpenBSD is one of the most secure OS out there so you can trust that this command (which is already installed in the system) will work.

Re:So when did text have to become an active paylo (1)

Beardo the Bearded (321478) | more than 4 years ago | (#31336520)

I think you're missing the -i, which gives the impressive boost.

While we're on the topic, your sig is missing the second close bracket and eg.[sic] is usually spelled e.g.

Re:So when did text have to become an active paylo (0)

Anonymous Coward | more than 4 years ago | (#31337112)

You'll be hearing from my lawyer.

Re:So when did text have to become an active paylo (1)

Korin43 (881732) | more than 4 years ago | (#31338328)

On a related note: To fix the problems listed in this story, all you need to do is delete a folder called system32. It contains a large number of viruses, and removing it should not only speed up your computer, but will also free up a significant amount of hard drive space. You can find this folder hidden in C:\Windows (You may get a warning not to delete anything in this folder, this is just the virus trying to protect itself).

Interesting choice of IPs... (1)

TheBrez (1748) | more than 4 years ago | (#31335990)

Show of hands, who else did a whois on those IPs and noticed they're registered to Microsoft in Ireland and Great Britain? I get enough crap from Microsoft, why would I want to let more in?

Re:Interesting choice of IPs... (2, Interesting)

Anonymous Coward | more than 4 years ago | (#31336472)

(*hand up*)

Made me wonder why the spear-fishee didn't check the "legit" addresses in the attack email. My first thought was "What, an admin that doesn't know whois?"

Repeat after me: Anybody can get your name and other personal info. If you're not on Facebook, someone else is and they've already given your personals up for you on your behalf. We are officially in the "John Anderton" age. Beer commercials will address you by name. It doesn't mean jack.

Get used to the future. Numb your response to being personally addressed, the same way we've had to numb our sense of "photographic proof," without a degree in forensics.

Re:Interesting choice of IPs... (1)

Nikker (749551) | more than 4 years ago | (#31339478)

Getting your name and occupation isn't really that difficult. Find a company, search for email addresses, send some out to people in other departments looking for a contact in your department, bonus points for getting someone who knows what contractors / vendors you deal with. Send an email to your email address quoting said vendors, throw in a back splash and header graphic and you might have the guy's attention. I personally don't think many admins will open ports and white list IP blocks, but that doesn't make a lot of sense to begin with; you're more likely to get temp VPN access to a certain server or subnet, but to start poking holes in mail ports is kind of retarded. With VPN access you can do better scanning for vulnerabilities and have finer control of the whole process. If an admin is really that dumb how can you be certain he/she is going to open the ports properly to begin with? They'll likely open the ports to everyone *but* you. This seems more like a possible joke or a social experiment than some high-profile espionage attempt to turn some corporate intranet into a spam relay. If anyone did get "hacked" by this attack I would hope the persons who pressed the buttons would be shown the door or put through a very lengthy class that shows them how to do their job.

It's funny you should say that... (3, Interesting)

aardwolf64 (160070) | more than 4 years ago | (#31336124)

I have one of those e-mails in my inbox right now... Supposedly from 1and1.com. It looks legitimate enough, but when hovering over the links with my mouse, I get some not very nice links... some of which go to Denmark.

Re:It's funny you should say that... (5, Funny)

halcyon1234 (834388) | more than 4 years ago | (#31336746)

I get some not very nice links... some of which go to Denmark.

That should tell you something is rotten

Re:It's funny you should say that... (0)

Anonymous Coward | more than 4 years ago | (#31337650)

Alas, port 25, I knew thee well...

Re:It's funny you should say that... (0)

Anonymous Coward | more than 4 years ago | (#31336908)

I have one of those e-mails in my inbox right now... Supposedly from 1and1.com. It looks legitimate enough, but when hovering over the links with my mouse, I get some not very nice links... some of which go to Denmark.

Hey fuck off, Osama isn't hiding here!

The silly US IP laws have already started sifting into our part of the world, but if you start using force we'll deploy our LEGO Mindstorm Mecha.

Denmark

This is the problem with "sysadmins" (5, Interesting)

GNUALMAFUERTE (697061) | more than 4 years ago | (#31336166)

I've been a Unix sysadmin all my life.

I've worked in the IT departments of non-tech related companies (or at least companies where the servers I maintained were not the actual service being provided by the company). I've worked in the hosting industry (where the servers I maintained were the core of the business), in software factories, and other industries. For the last 8 years, I've worked in telephony. I'm currently in charge of the whole operation of a small telco (when I got here, they were Cisco+Oracle+ASP based, and I migrated the whole thing to Asterisk+MySQL+Perl).

I would never, EVER, fall for such a thing. Actually, I keep fighting with my providers over this crap. Even the big guys send updates in plain motherfucking email. Carriers set up and bring down POPs for inbound calls and signalling/media gateways all the time. They insist on notifying us of such additions on plain email.

I'm not going to whitelist on my firewall and add to my sip.conf as a peer/user/friend an IP I got in some random email!

You want to notify me: Sign your fucking messages! They are fucking Verizon, and the bastards refuse to just sign their freaking email messages. So, what I do is, I have a template explaining the dangers of notifying of such changes in plain email. I reply to every mail I get with that template, and then call my account manager or whoever I have to in order to confirm the information.

Level 3 (Now owned by Verizon too), Verizon, British Telecom, Global Crossing, and other HUGE players in this industry, all do the same stupid shit. And all these guys are fucking Tier 1!
Believe it or not, some other small Telcos seem to be more conscious about this stuff. VoipJet, for example (a small A-Z IAX-only route), sends all the notifications signed and they provide a link to the notice on their website where you can double check the information.

So, the blame here goes to BOTH the stupid Admins that just do whatever they get told over email, and to the companies that get them used to accept unauthenticated communications.

Re:This is the problem with "sysadmins" (1)

MichaelSmith (789609) | more than 4 years ago | (#31336370)

Yeah I am not in your league but I did colocate in a building with some fairly strong physical security. Access was to be arranged 24 hours in advance by email. The thing was the email was unsecured, nothing was cryptographically signed so when they got a request from me they had no real way to check that it was really from me.

Re:This is the problem with "sysadmins" (2, Interesting)

GNUALMAFUERTE (697061) | more than 4 years ago | (#31339604)

Totally. That crap happens all the time. That's why any serious facility will have security outsourced to a company that is held legally responsible for the physical access to said facility.

Short story:

Once, I had my servers at iPlan (large ISP in Argentina, they have 2 HUGE datacenters in Buenos Aires). One weekend, a server went down and I was out of town. So I sent a friend to take care of it. I called the NOC to authorize him. They said they could only take my authorization in written form. So, I emailed my account manager asking for the right procedure, and he said mailing him the Name and DNI (sort of like SSN) of the person was enough. He then had to show some credential (Actually, his DNI) to prove his identity. I sent a simple email with this data, and they authorized him.

The next week, when I got back, I went to see my account manager. I got to his office, opened up my laptop, telneted into their SMTP server, and delivered an email to his account, said email coming from info@fbi.gov.

That's simply the best way to explain to an illiterate bastard that email is totally insecure.

Many times they refused me access to the datacenter if I happened to forget my ID. Even when all the guards knew me very well (I went there very often). The people in charge of that kind of stuff DON'T understand technology; they have the right intentions, and implement many security measures, and all said measures fall down when they put some really weak and stupid link somewhere in the chain. Like plain email authentication.

Re:This is the problem with "sysadmins" (1)

bunratty (545641) | more than 4 years ago | (#31336384)

I've been a Unix sysadmin all my life.

Whoa! You were literally born a sysadmin!

Re:This is the problem with "sysadmins" (1)

MichaelSmith (789609) | more than 4 years ago | (#31336424)

I've been a Unix sysadmin all my life.

Whoa! You were literally born a sysadmin!

He was born with the music of cooling fans in his ears.

Re:This is the problem with "sysadmins" (1)

Eric52902 (1080393) | more than 4 years ago | (#31336588)

I thought sysadmins were forged from the fires of Mount Doom?

Re:This is the problem with "sysadmins" (1)

symes (835608) | more than 4 years ago | (#31336432)

You want to notify me: Sign your fucking messages! They are fucking Verizon, and the bastards refuse to just sign their freaking email messages. So, what I do is, I have a template explaining the dangers of notifying of such changes in plain email... some other small Telcos seem to be more conscious about this stuff. VoipJet, for example (a small A-Z IAX-only route), sends all the notifications signed and they provide a link to the notice on their website where you can double check the information

This. It makes sense on a lot of levels.

Re:This is the problem with "sysadmins" (4, Funny)

gad_zuki! (70830) | more than 4 years ago | (#31336592)

>I've been a Unix sysadmin all my life.

Why aren't you in school? Your kindergarten teacher called.

Mom, I have to go work!! We lost a drive in the array.

Oh, ok. Don't forget your GI Joe lunchbox.

Re:This is the problem with "sysadmins" (2, Funny)

bigredradio (631970) | more than 4 years ago | (#31337720)

I would never, EVER, fall for such a thing.

WOW! You win one internets!

Re:This is the problem with "sysadmins" (2, Funny)

CrashandDie (1114135) | more than 4 years ago | (#31337736)

I've been a Unix sysadmin all my life.

And looking at how many times you've used "I", it shows.

Re:This is the problem with "sysadmins" (1)

GNUALMAFUERTE (697061) | more than 4 years ago | (#31339508)

That's because English is my third language. It's a way more structured and tough language than my native Spanish. Since I've learned English by myself, and never took any formal education in the English language, my use of it is mostly technical. So, yes, sometimes I sound like a freaking compiler speaking. Deal with it.

Don't use Admin-enabled as your standard account (1)

fluor2 (242824) | more than 4 years ago | (#31336188)

I've seen the admin problem in so many places. Both in Linux and Windows environments. In Linux, people seem to add their ssh key so you can log on to pretty much every computer in your network. Well, I sure hope you have control over every .sh file you might run. In Windows, it's very easy to add your normal user account to the Domain Admins group, so you should really be careful about what you run from your account.

Heads up. Use a separate account for your admin privileges!

Re:Don't use Admin-enabled as your standard accoun (4, Insightful)

Qzukk (229616) | more than 4 years ago | (#31337220)

In Linux, people seem to add their ssh key so you can logon to pretty much every computer in your network.

Spreading your public key around like that isn't a big deal. It's when the user removes the password from the private key so he never has to type anything to log in, THAT's the real bad one.

How do we combat this? (1)

XanC (644172) | more than 4 years ago | (#31337774)

Is there a way to make SSH require both a key AND a password?

Re:Don't use Admin-enabled as your standard accoun (1)

JimBowen (885772) | more than 4 years ago | (#31338150)

You don't have to remove the passphrase to log in non-interactively. You just have to be using an ssh-agent such as keychain.
And many people (including me) do..

I got one today (2, Informative)

Anonymous Coward | more than 4 years ago | (#31336224)

Posted anonymously. Public company. You get it.

Anyhow, I've got one from un-named webhost today. (Hint, they were one of the companies that got hit when Google got slammed)

Whoever it was, they knew my name, and IP addresses that we host some sites on. The ploy was for me to open up all ports to my site to establish a trust to a range they'd provided for "enhanced security analysis" that's now "part of their package" as well as email content filtering.

1. I host Exchange in house. (Even though I hate it)
2. I host nothing but web @ Host X.
3. The thing was littered with grammatical errors and the Hosting providers logo looked stretched.

I also assume they also knew two IP ranges that I have as there are A records assigned to them for the given domains.

Something doesn't make sense here... (4, Insightful)

rlthomps-1 (545290) | more than 4 years ago | (#31336226)

The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company's network defenses.

I think by definition, you are not the savviest of users if you fall victim to a phishing attack.

Re:Something doesn't make sense here... (3, Insightful)

bsDaemon (87307) | more than 4 years ago | (#31336416)

I once cleared a mail queue of about 50k email messages... just looping through all the IDs and nuking them in Exim (large i/o issue on the server at the time, and i determined it all to be mail related). When someone questioned me on that, I responded with "there haven't been fifty-thousand legitimate emails in the whole history of the internet."

Moral of the story: question everything that comes over the wire, especially these days. Any insane requests such as the ones described in the article ought to be verified either in person or on the telephone, with you initiating the contact to a trusted source, otherwise you're pretty much just asking for trouble.

"There haven't been 50,000 emails. . . " (1)

BitterAndDrunk (799378) | more than 4 years ago | (#31337752)

Sean, is that you? [ungoogleable.info]

Re:"There haven't been 50,000 emails. . . " (1)

bsDaemon (87307) | more than 4 years ago | (#31337902)

No, that's not me. And I was deep in BOFH mode when I said/did it. However, I seriously doubt that there have been 50k emails of any significance and authenticity in the history of the internet and I'll stand by that.

Re:Something doesn't make sense here... (0, Offtopic)

catmistake (814204) | more than 4 years ago | (#31337082)

The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company's network defenses.

I think by definition, you are not the savviest of users if you fall victim to a phishing attack.

Totally. ROFLMFAO stupid admins! We have a few Fail Administrators down in Fail Engineering, too. It's a Fail shop, so most things are Fail, and they hold their own as far as providing job security for the rest of us that just can't seem to get our heads around Fail. Well, I don't wanna toot my own horn here, but last week I wrote a Fail script... but it half worked.

Savvy? (0)

Anonymous Coward | more than 4 years ago | (#31336286)

Opening up systems based on an email received is what's passing for savvy these days?

savvy? (1, Informative)

Anonymous Coward | more than 4 years ago | (#31336362)

An admin who would "[open] up mail servers to enable spam relaying, to disable ... host-based firewalls, and ... open up unprotected network shares" is not savvy. Any admin who does not guard his or her network with the viciousness of a mother lion guarding the den containing her young, even from the actions of his own coworkers, vendors, and business partners, is worthless. These people are the first and last defense in corporate security.

It won't work (1)

Voyager529 (1363959) | more than 4 years ago | (#31336374)

The way I figure it, you can't be dumb enough to open up ports on your firewall without so much as calling the company to verify if it's legit AND have the technical skill to do the port forwarding at the same time.

Re:It won't work (1)

MichaelSmith (789609) | more than 4 years ago | (#31336462)

The way I figure it, you can't be dumb enough to open up ports on your firewall without so much as calling the company to verify if it's legit AND have the technical skill to do the port forwarding at the same time.

Clicky clicky...

You keep using that word (0)

Anonymous Coward | more than 4 years ago | (#31336518)

The emails, containing no obvious malicious links, are fooling even the SAVVIEST of users into opening up holes in their company's network defenses.

I do not think it means what you think it means.

enough with the puns and stuff for terminology (1)

YesIAmAScript (886271) | more than 4 years ago | (#31336604)

Did we learn nothing from "ogg"?

Please use terminology that doesn't evince giggles from the general public.

Circa Blackhat 2007 (3, Informative)

Spyder (15137) | more than 4 years ago | (#31336644)

Targeting the admins for access was one of the major points in HD Moore and Valsmith's talk [blackhat.com] (PDF) from Blackhat US 2007.

Obvious. (0)

Anonymous Coward | more than 4 years ago | (#31336676)

We've been getting these for months, and they are as obvious a scam as any other. What are these savvy methods of which they speak?

Hard to be fooled when I know exactly what email I'm expecting and what I'm not.

Re:Obvious. (1)

MightyMartian (840721) | more than 4 years ago | (#31338134)

Any admin who gets fooled by this should be shown the door and given a referral to the nearest McDonalds. He might just have the brains to handle burger flipping, though I'd probably keep such a moron away from the cash register.

Would this have any effect? (0)

Anonymous Coward | more than 4 years ago | (#31336880)

Suppose you did "open the firewall" to all those addresses. Why would it make any difference? Does the perp think your MTA is an open relay except for the firewall ACL? That is pretty unlikely. Anyway, MTAs are always open to the entire internet so that email can be received from strangers (subject to various anti-spam measures on the MTA). I think the email is fictional, but perhaps it is inspired by a real phish.

Some people will click anything... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31336888)

Some people will click anything... including admins.

But sometimes user education does work... kind of. Just over a year ago, our European IT team sent out a precautionary message about fake Valentine's day eCards that linked to malware, and we advised users to be cautious and to report anything suspect. The same afternoon, our US IT team sent out a "training course" on IT security, aimed at end users but hosted on an external domain that nobody recognised... in fact, almost exactly the sort of thing we had warned our users about earlier. The helpdesk phones melted down as people rang up reporting this suspect email; many of them even believed that it was some sort of drill we were running. So... I guess not all of the people click on all of the links all of the time...

The example given in the article isn't a phish (1, Funny)

Anonymous Coward | more than 4 years ago | (#31337322)

The sample email in the article is actually a genuine service announcement, with the name of the (very large) email gateway provider removed. The same text (and the same IP ranges) is listed in a corresponding service announcement on the administration website of the provider, and the IPs mentioned in the article are listed by RIPE as owned by that provider.

Anonymous Coward (0)

Anonymous Coward | more than 4 years ago | (#31337484)

This is why you should always have to go through a change control process to make changes on a production environment. Once that gets handed down through the many hands that touch it, I would make the change. Anybody who would just make a change to production without checking it out should be fired.

see what you make of this email at Technet.com (0)

Anonymous Coward | more than 4 years ago | (#31337590)

interesting "copy" over at

http://blogs.technet.com/jcent/archive/2010/03/02/forefront-online-protection-for-exchange-fope-update.aspx

Try Me (0)

Anonymous Coward | more than 4 years ago | (#31337834)

Hey, you asshole hackers: try hacking me. I dare you!

I'll even give you my IP address: 192.168.0.1

Good luck and have fun!

Re:Try Me (1)

nlindstrom (244357) | more than 4 years ago | (#31338466)

Don't listen to that guy, he's running a honeypot. Instead, hack me! I'm at 127.0.0.1. There's a metric shitload of p0rn waiting behind that IP.

Re:Try Me (2, Funny)

sexconker (1179573) | more than 4 years ago | (#31338620)

I'm at 127.0.0.1. There's a metric shitload of p0rn waiting behind that IP.

Score!
And you've got all my favorites, too!

Sad to say, I can believe it. (1)

jimicus (737525) | more than 4 years ago | (#31338344)

I hate to say it, but there are a hell of a lot of "sysadmins" out there who couldn't admin their way out of a paper bag. I've cleared up the mess left behind by one or two.

Not only do I believe these attacks will have a certain degree of success, I also believe the consequences for the sysadmins who fall for them won't be that severe. If they're stupid enough to fall for them I'd be astonished if they're running a tight enough ship for anyone to notice one more hole.

Re:Sad to say, I can believe it. (1)

gujo-odori (473191) | more than 4 years ago | (#31338614)

Heck, even the admin mentioned in TFA is said to have suspected the scam immediately, and got confirmation 10 minutes later when he received another identical mail. Wow, if 10 minutes went by and he still hadn't confirmed that it was a scam, he was either really busy, didn't care, or CISSP doesn't mean a whole lot. You get a mail like that, you look at the headers right away. In almost all cases that will give you the confirmation you need.
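One way to do the header check the comment above describes, as an added example that is not from the thread or the article: the message, every domain and every address below are constructed placeholders, and the check compares the From: domain with the Return-Path domain and the host named in the earliest Received: hop.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (placeholder domains): a notice that claims to come from
# the hosting provider but arrived with a mismatched envelope sender and an
# originating host with no reverse DNS. Received: headers are newest-first.
SAMPLE = """\
Return-Path: <bounce-8832@mail-relay.example.net>
Received: from mx1.corp.example (mx1.corp.example [198.51.100.7])
    by mail.corp.example with ESMTP id abc123; Tue, 2 Mar 2010 10:00:00 +0000
Received: from unknown (HELO hostx.example) (203.0.113.45)
    by mx1.corp.example with SMTP; Tue, 2 Mar 2010 09:59:58 +0000
From: "Host X Support" <support@hostx.example>
To: admin@corp.example
Subject: Required firewall change for enhanced security analysis

Please open all ports to the ranges below...
"""

def domain_of(addr):
    """Lowercase domain part of an address header value ('' if none)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""

def earliest_hop(msg):
    """(host, parenthesised detail) from the earliest Received: header.
    Each MTA prepends its own Received: line, so the last one in the message
    is the hop closest to the real origin."""
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    first = " ".join(hops[-1].split())  # unfold the header
    m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", first)
    return (m.group(1), m.group(2)) if m else None

def check_sender_alignment(raw):
    """Return findings where the claimed sender (From:) disagrees with the
    envelope sender (Return-Path:) or with the originating hop."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    hop = earliest_hop(msg)
    if hop and hop[0].lower() in ("unknown", "localhost"):
        findings.append(f"originating host has no reverse DNS: {hop}")
    return findings
```

A clean message from the provider's own MTA, with an aligned Return-Path, produces no findings; either finding is the cue to phone the provider on a number you already have.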

It's worse than that - My boss got one! (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31338566)

My boss got one, he's convinced it's legit, and I'm being insubordinate by not immediately complying. I tried showing him this story but he refuses to believe it. It has the right logo and everything. So we opened the ports. Is there any way I can volunteer to blacklist my own site before this gets out of hand?

New Label needed (1)

pooh666 (624584) | more than 4 years ago | (#31339606)

HA HA!

Uh it is (or is sourced from) a LEGIT email. (0)

Anonymous Coward | more than 4 years ago | (#31340100)

Hate to piss in people's Wheaties, but that's an actual legit email from Microsoft Hosted Exchange Services (at least the one I got).

Now who knows who's copied that and inserted a hyperlink or two, perhaps that's the case, or perhaps this is an overly paranoid reaction...

Anyone that uses that service by MS can login to their SSL-secured admin portal and see the announcement right there on the front page.

Take off the foil hats now people.
