BlackHat conference in giant phishing gaffe

Filed Under: Featured, Phishing, Privacy, Spam

The annual BlackHat conference in Las Vegas prides itself as "the best and biggest event of its kind, unique in its ability to define tomorrow's information security landscape."

But this year's event has kicked off with a giant security boo-boo.

(This wasn't the sort of mistake to make at any time, let alone to an international army of geeks - paying geeks, at that! - who are in the process of heading to your event.)

The story started over the weekend as BlackHat 2012 delegates - and only delegates, as quickly became obvious as recipients compared notes - started to get emails like this one:

From: BlackHat 2012 [mailto: gleach@itn-international.com]
Sent: Sunday, July 22, 2012 8:58am
To: Not Me As Sadly I'm Not Going This Year
Subject: Your admin password

This is a note from BlackHat 2012.

_________________________________

You have requested a new password. Here are your details:

Username:
Password:

To sign in, please go to this URL:

https://svel1023/BH12/Admin

Very phishy. Let us count the ways:

  • Unencrypted email allegedly containing password.
  • Call-to-action to login via link supplied in email.
  • Link in email to a site other than BlackHat.
  • Email from organisation other than BlackHat.

Perhaps the phishers were hoping that the missing username and password might trick the recipients into logging in to the bogus site with their real username and password to see what was going on?

Fortunately, as a phish, this was never going to work, because of the broken link. (You shouldn't put unqualified domain names in any URL - it's lazy and dangerous, for a start.)
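The four phishiness factors above, plus the unqualified hostname that broke the link, are exactly the kind of checks a mail filter or a careful reader applies. The following is an added example (not code from the post or from Black Hat/ITN) that runs those checks over a constructed copy of the quoted message; the expected organisation domain `blackhat.com` is an assumption supplied by the caller, and the headers are simplified.

```python
"""Score an email for the phishing signals the post enumerates (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the message quoted in the post.
SAMPLE_EMAIL = """\
From: BlackHat 2012 <gleach@itn-international.com>
Subject: Your admin password
Content-Type: text/plain

This is a note from BlackHat 2012.

You have requested a new password. Here are your details:

Username:
Password:

To sign in, please go to this URL:

https://svel1023/BH12/Admin
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LOGIN_CTA_RE = re.compile(r"sign\s*in|log\s*in|login", re.I)


def _under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def assess_email(raw, expected_domain):
    """Return a list of phishiness findings for a raw RFC 822 message.

    expected_domain is the domain the organisation named in the mail really
    uses (an assumption the caller supplies, e.g. "blackhat.com").
    """
    msg = message_from_string(raw)
    body = msg.get_payload()
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    findings = []

    # 1. A password field in a plain, unencrypted email body.
    if re.search(r"^\s*password\s*:", body, re.I | re.M):
        findings.append("password field in unencrypted email body")

    urls = URL_RE.findall(body)

    # 2. A call-to-action to log in via a link supplied in the email.
    if urls and LOGIN_CTA_RE.search(body):
        findings.append("login call-to-action via link(s): " + ", ".join(urls))

    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        # 3. Unqualified hostname: no dot, so where it resolves depends on the
        #    reader's DNS search suffix (the "broken link" in the post).
        if "." not in host:
            findings.append(f"unqualified hostname in URL: {host}")
        # 4. Link to a site other than the organisation named in the mail.
        elif not _under(host, expected_domain):
            findings.append(f"link host {host} is not under {expected_domain}")

    # 5. Sender domain belongs to an organisation other than the one named.
    if sender_domain and not _under(sender_domain, expected_domain):
        findings.append(f"sender domain {sender_domain} is not {expected_domain}")
    return findings


if __name__ == "__main__":
    for finding in assess_email(SAMPLE_EMAIL, "blackhat.com"):
        print("-", finding)
```

Run against the sample it reports all four factors from the list plus the unqualified hostname; a message from `noreply@blackhat.com` linking to `www.blackhat.com` with no password field produces no findings.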

The burning questions, of course, were these: how did the phishers get such a targeted list of email addresses? Did BlackHat suffer a data breach? Did they sell their list to a dodgy third party?

Turns out we can all stand down from puce alert.

It was only a sort-of breach, and BlackHat has (to give the company credit) confessed and explained quickly.

Seems that a volunteer at the event clicked the wrong button, or at least clicked the right button in the wrong way. According to BlackHat, the volunteer "has been spoken to."

Heigh ho. As BlackHat has just been reminded: you can't outsource your accountability.

And the volunteer's behaviour doesn't explain away the phishiness factors listed above. It sounds as though the BlackHat conference might indeed have sent you an email of this sort. Just not this one.

How about your organisation? Could you have made a blunder like this? If so, now would be a good time to revisit your policies and procedures surrounding mailing lists and email blasts!


9 Responses to BlackHat conference in giant phishing gaffe

  1. Sigh · 767 days ago

    *facepalm* This is phishing, how? In just a few seconds of thoughtful inspection, you could tell this was accidental.

    The email came from itn-international.com, which is an event coordinator (and one for Black Hat). So it's fair to assume that they have the database of all attendee emails. So, obviously, there was no breach.

    The email header chain showed legitimate transfers originating from ITN as well. So, no spoofing or third-party sending, obviously.

    There were no emails, accounts, nor passwords in the email.

    The link was to an internal server for "BH12". Without even knowing the story from BlackHat, it's easy to assume that this was the result of an internal server at BH12 accidentally sending a template email out to a mailing list.

    All of your phishiness factors could be explained away with 30 seconds of Google searches. And, really, if people are unable to do that, then they need all the BlackHat training that they can get...

    I also do take notice of the statement "This wasn't the mistake to make at any time", and why is that? There was no data breach, no loss of control, no loss of data, nor any other loss except in a loss of confidence. And, even at that, it was a very minor one. By pushing that mistakes should never happen, you're basically dooming everyone to fail and to potentially hide their own mistakes to avoid making them light. Instead, we just admit what this was, openly and honestly, excuse it, and go back to work.

    • Paul Ducklin · 767 days ago

      Sigh, indeed.

      FWIW, I jumped to the conclusions you list above - starting off from the assumption that there was a connection between ITN International and BlackHat. Then I realised that such assumptions are just the sort of thing which play into the hands of phishers.

      So, before I wrote this, I thought I'd try 30 seconds of Google searches. (Actually, it was a bit more than that, but let's take your claim at face value.) I wanted to see just how obvious it all was from the body of the email, or even from the whole email, including the headers.

      I quickly formed the opinion that the connection between ITN International and BlackHat is _not_ obvious, even if you go out of your way to look.

      In fact, the top results - which admittedly have changed now the blogosphere is picking up on this - from searching for the two company names together were of the "Blackhat phish mail sample" sort.

      I stand by my words. This was not the sort of mistake to make at any time. I think I can say that _and_ congratulate BH on being open, honest and quick in its response, and be right in respect of both. As for your claim that there was "no loss of control" - even BlackHat seems to disagree with you in that regard :-)

      This was, as the headline suggested, a gaffe. Sure, we can all stand down from puce alert...but many of us probably ought to go back to our CISOs and ask, "Is this one of those 'there but for the grace of God go I' stories for _us_?"

      • topiary · 767 days ago

        Could there have been a breach at ITN? That's a possibility too, if the first comment is right that ITN had access to all the emails of the people coming to Black Hat 2012.

        • Paul Ducklin · 767 days ago

          BlackHat - with a gutsy attempt at humour - officially ascribes the gaffe to incompetence, not to malevolence. (Check the "confessed and explained" link above.)

          Of course, if you'd just forked over $2500 to attend a commercial security conference you might wonder why your details and the "email everyone a password" system were apparently entrusted to a volunteer :-)

  2. Anonymous · 767 days ago

    What is however of more interest is the name in the link 'svel1023' - which, prior to every crawler picking up the article, was the top Google hit for a Russian Android Market forum user's name...

    hxxp://androidmarket.ru/forum/index.php?/user/12659-svel1023/

    Now I wonder how *that* got into this 'accident'...

  3. Kim · 767 days ago

    Naw, someone who didn't know what they were doing clicked "Reply to All" at some point and exposed everyone's email addresses.

    Based on my experience...

    • Paul Ducklin · 765 days ago

      Not according to Black Hat. You need to read the "confessed and explained" link above.

      The offending emails really did come from an official system put in place to provide the feature, amongst others, of sending exactly this sort of email, just not quite like this.

  4. Some of the artifacts in the email and that snapshot of the event management interface give me cause to wonder about the quality of the software and service provided by ITN, and blaming one volunteer may be a bit harsh.

    The email template portrayed is clearly intended for genuine password resets, but it was possible to create a mailshot applying it separate from any actual reset process, and without the system balking at the lack of required interpolation variables. The text "Your admin password" and the URL with its terse path and unqualified hostname (the same host as where the mail was generated, on a private IP range, per headers) point to the template being intended for those operating the event management system (volunteers and others) rather than event attendees - but it was further possible to inappropriately apply it to the attendee list.

    A bulk password-change email should be a rare event, and one which should be available only to certain experienced users (ones without those "idle hands"!) which suggests poor management of role-based access. The emails were sent out using the corporate address of an ITN developer - not even a marketing contact - suggesting a hard-coded remnant of non-production code. The explanation from Black Hat says that a better screenshot would actually result in email being sent, which sounds like it might be easy to do accidentally - was there no screen to ask "are you sure you want to send this mailshot to 7528 registrants?" ?

    If you leave dangerous and poorly-implemented features in software to be operated by volunteers unfamiliar with the system, you train them well first. No, wait - you just Don't Do That Thing.

    • Paul Ducklin · 765 days ago

      Errrr...."what he said". Very nicely summarised.

      (I too was perplexed by the "we couldn't take a better screenshot without sending you all another email" bit. I've heard of malware which sneakily takes over system-defined key sequences like Alt-PrintScr, and of utilities which add features to the screenshot process. But I've never heard of a combination password manager/spam cannon which is triggered by the print-screen command. One shudders to think what such a system might do with Ctrl-Alt-Delete :-)
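Comment 4 above makes two concrete engineering points about the mail system behind the gaffe: the template should have balked at missing interpolation variables, and a bulk send of a password template should have been restricted to the audience it was written for and gated behind an explicit confirmation. The following is an added example (not the system ITN or Black Hat used, and not code from the post) showing those guard rails in Python; the template/audience mapping, the role names, the threshold of 10 recipients and the sample addresses are assumptions made up for the example.

```python
"""Guard rails for a bulk-mail template system (added example)."""
import re
from string import Template


class MailshotRefused(Exception):
    """Raised when a mailshot fails a pre-send check."""


# Assumed mapping of template -> the audience it was written for.
TEMPLATE_AUDIENCE = {
    "admin_password_reset": "operator",
    "attendee_welcome": "attendee",
}

# Constructed template, modelled on the message quoted in the post.
ADMIN_RESET_TEMPLATE = """This is a note from BlackHat 2012.

You have requested a new password. Here are your details:

Username: ${username}
Password: ${password}

To sign in, please go to this URL:

${login_url}
"""

PLACEHOLDER_RE = re.compile(r"\$\{(\w+)\}")


def render_strict(template_text, values):
    """Render the template, refusing if any placeholder is missing or blank.

    string.Template.substitute already raises on a missing key; the extra
    check also rejects keys that are present but empty, which is what
    produced the bare "Username:" / "Password:" lines in the original mail.
    """
    needed = set(PLACEHOLDER_RE.findall(template_text))
    missing = sorted(k for k in needed if not str(values.get(k, "")).strip())
    if missing:
        raise MailshotRefused("missing or empty template variables: " + ", ".join(missing))
    return Template(template_text).substitute(values)


def plan_mailshot(template_name, template_text, recipients, values_by_address,
                  bulk_threshold=10, confirmed=False):
    """Return [(address, rendered_body), ...] or raise MailshotRefused.

    recipients: list of (address, role) pairs from the registration system.
    values_by_address: per-recipient template values.
    Nothing is sent here; the caller hands the returned list to its mailer
    only after this function succeeds.
    """
    audience = TEMPLATE_AUDIENCE[template_name]

    # Role check: an operator-facing template never goes to attendees.
    wrong = [addr for addr, role in recipients if role != audience]
    if wrong:
        raise MailshotRefused(
            f"{len(wrong)} of {len(recipients)} recipients are not '{audience}' "
            f"(template '{template_name}' is not meant for them)")

    # Bulk check: the "are you sure you want to send this to N people?" gate.
    if len(recipients) > bulk_threshold and not confirmed:
        raise MailshotRefused(
            f"sending to {len(recipients)} recipients needs explicit confirmation")

    # Render everything before anything is sent, so one bad record aborts the batch.
    return [(addr, render_strict(template_text, values_by_address.get(addr, {})))
            for addr, _ in recipients]
```

Applied to the scenario in the post, the first check alone would have stopped the send: an `admin_password_reset` template addressed to the attendee list is refused before any rendering happens, and even an operator-only batch with blank username and password fields is refused rather than going out with empty lines.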


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog