When your employer is phishing

A couple of months before I left my previous job I received a suspicious email - apparently I had received a fax and it was inside a linked PDF. I was a little bit surprised when I looked into what this really was about.

The first thing I found odd was a mismatch between my name in the email and the name displayed. A mismatch that very few people know about (but HR would). Looking at the mail headers I noticed a header with a key indicating the email would bypass the company's spam filters. Sure, this looked like an inside job.

Then there was the domain from where the email originated. It was registered to a Phishing Company - literally. At this point I figured this was an email sent out by the company to see how many people would actually click on one of the links in the email. Since I noted that each link had a common identifier as a query parameter I used Burp to check a few random links.

This confirmed that all the links in the email redirected to the same page, where the user was informed that they had fallen for a phishing attempt, as well as a training video to take. But more importantly this revealed an embarrassing (for the security company performing the test) feature: the separation of identifiers was so small that within seconds I had found a few hundred other valid identifiers, and most of them were for other companies. That is, I could now see exactly which other companies had used the same internal phishing service and I could see exactly what their trainings looked like. Very embarrassing for a security company to expose information this easily, I think.

All I wonder now is what they thought about the report as I probably generated a thousand hits on my own identifier just for fun. And what happened to all those old hits for other customers that I generated...
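The two weaknesses the post describes, identifiers close enough together to guess and a landing page that happily served hundreds of guesses without noticing, both have straightforward fixes. The example below is added here to illustrate them; it is not code from the original post or from the vendor involved. It assumes a constructed recipient table, a hypothetical landing URL (`https://awareness.example/land`) and a made-up access-log format of `<ip> GET /land?id=<token>`. Each recipient gets a 128-bit random token that is only meaningful through a server-side table, and a small detector counts landing-page hits carrying unknown tokens per source, which is the signature of someone walking the identifier space.

```python
import secrets
from collections import Counter

# Constructed recipient registry for a phishing-awareness campaign.
# Names and companies are made up for this example.
RECIPIENTS = {
    "r-001": {"company": "ExampleCorp", "user": "alice"},
    "r-002": {"company": "ExampleCorp", "user": "bob"},
    "r-003": {"company": "OtherCo", "user": "carol"},
}


class TrackingLinkIssuer:
    """Issues one unguessable click-tracking token per recipient.

    The token carries no structure an outsider can extend (no counter,
    no customer prefix); the only way to map a token back to a recipient
    is the server-side table kept here.
    """

    def __init__(self, base_url="https://awareness.example/land"):  # hypothetical URL
        self.base_url = base_url
        self._by_token = {}        # token -> recipient id
        self._by_recipient = {}    # recipient id -> token

    def issue(self, recipient_id):
        """Create (or reuse) the tracking link for a known recipient."""
        if recipient_id not in RECIPIENTS:
            raise KeyError(recipient_id)
        if recipient_id not in self._by_recipient:
            token = secrets.token_urlsafe(16)   # 128 bits of randomness per link
            self._by_token[token] = recipient_id
            self._by_recipient[recipient_id] = token
        return f"{self.base_url}?id={self._by_recipient[recipient_id]}"

    def resolve(self, token):
        """Return the recipient record for a token, or None if unknown."""
        rid = self._by_token.get(token)
        return RECIPIENTS[rid] if rid else None


def parse_hit(line):
    """Split a constructed log line '<ip> GET /land?id=<token>' into (ip, token)."""
    src, _, path = line.split(" ", 2)
    return src, path.split("id=", 1)[1]


def flag_enumeration(log_lines, issuer, threshold=5):
    """Return {source_ip: invalid_hits} for sources with >= threshold unknown tokens.

    A legitimate recipient produces at most a handful of hits with a valid
    token; a burst of unknown tokens from one source means someone is
    guessing identifiers, and the endpoint should alert rather than
    silently serve the training page.
    """
    invalid = Counter()
    for line in log_lines:
        src, token = parse_hit(line)
        if issuer.resolve(token) is None:
            invalid[src] += 1
    return {src: n for src, n in invalid.items() if n >= threshold}


def build_sample_log(issuer):
    """Constructed access log: two real clicks, one typo, and six guesses."""
    tok_alice = issuer.issue("r-001").split("id=", 1)[1]
    tok_bob = issuer.issue("r-002").split("id=", 1)[1]
    lines = [
        f"198.51.100.4 GET /land?id={tok_alice}",
        f"198.51.100.7 GET /land?id={tok_bob}",
        f"198.51.100.4 GET /land?id={tok_alice[:-1]}",   # one mistyped link, below threshold
    ]
    # Six sequential guesses from a single source, the pattern described in the post.
    lines += [f"203.0.113.9 GET /land?id=a000{i}" for i in range(1, 7)]
    return lines


def demo():
    issuer = TrackingLinkIssuer()
    return flag_enumeration(build_sample_log(issuer), issuer)


if __name__ == "__main__":
    print(demo())   # {'203.0.113.9': 6}
```

With random tokens the guessing source never lands on another customer's page, and the detector surfaces the burst after a handful of misses; the threshold is deliberately low because a real recipient has no reason to present an unknown token more than once or twice.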
