Last week, at a customer, we received a forwarded email in a shared mailbox. It was from somebody in another department who shared an invitation for a webcast: "could be interesting for you, guys!". This time, no phishing attempt, no malware, just a regular email sent from a well-known security vendor. A colleague was interested in the webcast and clicked on the registration link. He was redirected to a page and was surprised to see all the fields already prefilled with the personal details of the original recipient:
- Direct phone

http://go.redacted
I found 31 hits containing a URL of the same format. Let's test some of them. The online form for the other webcast session was indeed prefilled but... with the same values (those of the first colleague). Hmmm, let's see if we have some cookies maybe? Yes, we have!
After more investigation, I found some links of the same format.
Such information is a gold mine for setting up a spear-phishing attack! The attacker knows your details, your interest in the vendor's products, and that you attended a webinar on a specific date. Keep this in mind when sharing invitations outside a restricted audience!
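The following is an added example and not code from this diary or from the vendor whose registration page is described. It models the behaviour observed above (a registration link whose token identifies the original recipient, so anyone who clicks the forwarded link gets that person's details prefilled), contrasts it with a prefill that only reveals a recognition hint and requires the registrant to type their own email, and adds a small helper that strips recipient-identifying parameters from a link before it is shared. The parameter name `rid`, the tokens, the CRM records and the host `go.vendor.example` are all constructed assumptions.

```python
"""
Added example, not code from the ISC diary or from the vendor it describes.
Models how a personalised webcast registration link leaks the original
recipient's details when forwarded, shows a safer server-side prefill, and
a defender-side helper that removes the tracking token before sharing.
The parameter name "rid", the tokens and the CRM rows are constructed.
"""
import hmac
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed CRM table keyed by the per-recipient token embedded in each
# personalised link (assumption: one query parameter named "rid").
CRM = {
    "r-7f3a9c": {
        "first_name": "Alice", "last_name": "Example",
        "email": "alice.example@corp.example", "phone": "+32 2 555 0100",
        "company": "Corp Example",
    },
}
TRACKING_PARAMS = {"rid"}   # assumed names of recipient-identifying params


def token_from(url):
    """Return the recipient token carried by the link, or None."""
    params = dict(parse_qsl(urlsplit(url).query))
    return params.get("rid")


def prefill_vulnerable(url):
    """What the diary observed: possession of the link is treated as proof
    of identity, so every stored field is returned to whoever clicks it."""
    return dict(CRM.get(token_from(url), {}))


def mask_email(email):
    """Keep just enough for the real owner to recognise the address."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


def prefill_hardened(url):
    """Safer prefill: the link only yields a recognition hint. Phone,
    surname and company are never sent to an unauthenticated browser."""
    rec = CRM.get(token_from(url))
    if rec is None:
        return {}
    return {"first_name": rec["first_name"],
            "email_hint": mask_email(rec["email"])}


def confirm_registration(url, typed_email):
    """The registrant must type the address themselves; it is compared in
    constant time against the record the token points at, so a forwarded
    link alone does not let a second person register as the first."""
    rec = CRM.get(token_from(url))
    if rec is None:
        return False
    return hmac.compare_digest(rec["email"].strip().lower(),
                               typed_email.strip().lower())


def strip_tracking(url):
    """Defender-side helper: drop recipient-identifying parameters from an
    invitation link before it is shared outside the original audience."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in TRACKING_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed link in the style of the redacted one in the diary.
    link = "http://go.vendor.example/webcast/register?event=42&rid=r-7f3a9c"
    print("vulnerable prefill:", prefill_vulnerable(link))
    print("hardened prefill:  ", prefill_hardened(link))
    print("wrong person:      ", confirm_registration(link, "bob@corp.example"))
    print("real owner:        ", confirm_registration(link, "Alice.Example@corp.example"))
    print("safe to forward:   ", strip_tracking(link))
```

The design point is that a token in a URL is a bearer credential: whoever holds the link holds the identity. The hardened version keeps the convenience of recognising the invitee but treats the token as a lookup key only, never as authentication, and `strip_tracking` is what a mail gateway or a careful user would apply before an invitation leaves the restricted audience.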
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
© SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Article Link: https://isc.sans.edu/diary.html?storyid=22478&rss