Proposed Email Attack Vector

  • Here is a hacking method that must be in common usage but I have not seen people reporting and if it is not used, it is certain to be used in the future and people need to be aware of it. There is a socially accepted (read: horrible idea that the masses promote) whereby you email someone and refuse their answer to your email via an automated response that sends a link to a "security site" where someone has to fill out data in order to get their email delivered.

    Of course, this is fake because you could not find out about the security portal unless the system on the other end already accepted your email. If it does not send it on to the recipient within the system is not your problem at that point, you sent. That they turned it down is on their heads. But for some reason it is common to just expect people sending email responses to jump through hoops and expose themselves in order to get the email delivered.

    This presents a major security concern because no one questions the viability of such a security request system, even though there is no reason to trust one. This means that socially engineering people to fill in personal data and confirm email contact details in this way is a trivial attack vector that will not just work around, but leverage existing security protocols for phishing attacks.

    Like many things "over the top" security often presents holes in the security system and this is no exception.

  • Phishing attacks are where I see this being the most successful use of this vector.

  • @Dashrender said in Proposed Email Attack Vector:

    Phishing attacks are where I see this being the most successful use of this vector.

    Yup, use this to verify email addresses, make the sender look extra valid and collect additional information about the end users.

  • Vendor

    Thanks for sharing this, Scott. Threats are always evolving!