Massive phishing attack appears to hit cybersecurity conference

image

About 7,500 registered attendees of this year’s Black Hat cybersecurity conference got an e-mail similar to the one above.

Obvious phishing scheme right? Actually, no.

Though Black Hat is known for pranks and hacks (they tell you not to use the Wi-Fi under any circumstances at the event, because you will be hacked), the e-mail was actually sent out by a Black Hat volunteer who got a bit ahead of himself on Sunday.

"Hanlon’s Razor states, ‘Never attribute to malice that which is adequately explained by stupidity,’" wrote Trey Ford, Black Hat’s general manager, in a blog post. -David

How my e-mail was spoofed

image

I didn’t send that e-mail, even though Gmail says I did.

It was sent by Eric Fiterman, a former FBI Special Agent and founder of Rogue Networks. He helped us show how easy it is to spoof an e-mail address.

To go phishing, first an attacker needs to get access to a virtual Linux server. Easy enough — you can do this for a 14-day free trial on cloudshare.com.

Then the attacker needs to set up the server to send mail using whatever e-mail address he or she wants to use. That’s as simple as entering that e-mail address into a field.

That’s the easy part. After that, phishing schemes can be very complex or incredibly simple. Simple schemes include sending e-mails to a user’s friends and family (easily found on Facebook), asking them to wire money, send their passwords, or give them their social security numbers.

Complex schemes involve setting up fake websites or coding keylogging malware into PDF files.

Take these for example…

image

image

Okay, so Eric was being funny and these aren’t the most convincing phishing e-mails (especially considering Pelosi is in the House, not the Senate). But with some more convincing language, you can see why someone might open the attachment.

So how do you know if it’s a phony?

It’s not always easy. If you look at the source code (achieved in Gmail by clicking the arrow next to the reply button and selecting “see original”), you’d see this:


Received: by 10.220.74.204 with SMTP id v12cs140747vcj;
        Thu, 2 Jun 2011 14:29:34 -0700 (PDT)
Received: by 10.229.73.80 with SMTP id p16mr971468qcj.57.1307050174673;
        Thu, 02 Jun 2011 14:29:34 -0700 (PDT)
Return-Path: <root@ericmethodvuecom.vpslink.com>
Received: from ericmethodvuecom.vpslink.com ([xx.xxx.x.xxx])
        by mx.google.com with ESMTPS id d18si2139076qcs.32.2011.06.02.14.29.34
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 02 Jun 2011 14:29:34 -0700 (PDT)
Received-SPF: neutral (google.com: xx.xxx.x.xxx is neither permitted nor denied by best guess record for domain of root@ericmethodvuecom.vpslink.com) client-ip=xx.xxx.x.xxx;

So clearly this was sent from Eric, not Nancy or Ted. But that’s a level most people aren’t willing to go to. -David
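Reading the headers the way this section describes can be automated. The script below is an added example, not part of the original article: it parses a constructed message modelled on the headers above (the IP is a placeholder from a documentation range, and the From address is invented, since the real spoofed address is not shown) and compares the From domain against the Return-Path domain, the host in the earliest Received line, and the SPF verdict.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the headers shown above. The From line is a
# placeholder for the spoofed sender; the real address is not on the page.
RAW_MESSAGE = """\
Received: by 10.220.74.204 with SMTP id v12cs140747vcj;
        Thu, 2 Jun 2011 14:29:34 -0700 (PDT)
Return-Path: <root@ericmethodvuecom.vpslink.com>
Received: from ericmethodvuecom.vpslink.com ([192.0.2.10])
        by mx.google.com with ESMTPS id d18si2139076qcs.32.2011.06.02.14.29.34
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 02 Jun 2011 14:29:34 -0700 (PDT)
Received-SPF: neutral (google.com: 192.0.2.10 is neither permitted nor denied by best guess record for domain of root@ericmethodvuecom.vpslink.com) client-ip=192.0.2.10;
From: Nancy Pelosi <office@congress.example>
To: victim@example.com
Subject: Please open the attachment

(constructed body)
"""

def spoof_indicators(raw: str) -> dict:
    """Extract the header fields the article points at and compare them."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    # Every relay prepends its own Received line, so the LAST one that says
    # "from <host>" is the hop nearest the sender: the machine that submitted it.
    sending_host = ""
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([^\s(]+)", hdr)
        if m:
            sending_host = m.group(1).lower()
    spf = msg.get("Received-SPF", "")
    spf_result = spf.split()[0].lower() if spf else "none"
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "sending_host": sending_host,
        "spf_result": spf_result,
        # A bounce address on another domain is normal for mailing lists and
        # bulk senders, so the mismatch is a signal, not proof; combined with
        # anything other than an SPF "pass" it deserves a closer look.
        "suspicious": from_domain != rp_domain and spf_result != "pass",
    }

print(spoof_indicators(RAW_MESSAGE))
```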