The annual BlackHat conference in Las Vegas prides itself as “the best and biggest event of its kind, unique in its ability to define tomorrow’s information security landscape.”
But this year’s event has kicked off with a giant security boo-boo.
(This wasn’t the sort of mistake to make at any time, let alone to an international army of geeks – paying geeks, at that! – who are in the process of heading to your event.)
The story started over the weekend as BlackHat 2012 delegates – and only delegates, as quickly became obvious as recipients compared notes – started to get emails like this one:
From: BlackHat 2012 [mailto: firstname.lastname@example.org]
Sent: Sunday, July 22, 2012 8:58am
To: Not Me As Sadly I'm Not Going This Year
Subject: Your admin password

This is a note from BlackHat 2012.
_________________________________
You have requested a new password. Here are your details:
Username:
Password:
To sign in, please go to this URL: https://svel1023/BH12/Admin
Very phishy. Let us count the ways:
- Unencrypted email allegedly containing password.
- Call-to-action to login via link supplied in email.
- Link in email to a site other than BlackHat.
- Email from organisation other than BlackHat.
Perhaps the phishers were hoping that the missing username and password might trick the recipients into logging in to the bogus site with their real username and password to see what was going on?
Fortunately, as a phish, this was never going to work, because of the broken link. (You shouldn’t put unqualified domain names in any URL – it’s lazy and dangerous, for a start.)
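As an added illustration (not code from the original post), here is a small Python triage function that checks a message for the warning signs listed above, plus the unqualified hostname that broke the link; the sample message and the organiser domain blackhat.example are constructed placeholders, not the real addresses.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the blast described in the post (not the original message).
SAMPLE = """From: BlackHat 2012 <firstname.lastname@example.org>
Subject: Your admin password

This is a note from BlackHat 2012.
You have requested a new password. Here are your details:
Username:
Password:
To sign in, please go to this URL: https://svel1023/BH12/Admin
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def phish_indicators(raw, expected_domain):
    """Return the red flags found in a password-style email.

    expected_domain: the domain the organisation really sends from
    (assumed placeholder here, e.g. "blackhat.example").
    """
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    # 1. A plaintext email that talks about a password (even an empty field).
    if re.search(r"\bpassword\b", body, re.I):
        flags.append("password_in_plaintext_email")
    urls = URL_RE.findall(body)
    # 2. Call-to-action: the mail itself supplies the sign-in link.
    if urls and re.search(r"sign in|log ?in", body, re.I):
        flags.append("login_link_in_email")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        # 3. Link to a host outside the organisation's own domain.
        if not (host == expected_domain or host.endswith("." + expected_domain)):
            flags.append(f"link_to_foreign_host:{host}")
        # Unqualified hostname: resolves only on the sender's internal network.
        if "." not in host:
            flags.append(f"unqualified_hostname:{host}")
    # 4. From: address not in the organisation's domain.
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = match.group(1).lower() if match else ""
    if not (sender_domain == expected_domain or sender_domain.endswith("." + expected_domain)):
        flags.append(f"sender_domain_mismatch:{sender_domain}")
    return flags
```

Run against the sample above it reports all five flags; a message from the expected domain with a fully qualified link and no password talk returns an empty list.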
The burning questions, of course, were these: how did the phishers get such a targeted list of email addresses? Did BlackHat suffer a data breach? Did they sell their list to a dodgy third party?
Turns out we can all stand down from puce alert.
It was only a sort-of breach, and BlackHat has (to give the company credit) confessed and explained quickly.
Seems that a volunteer at the event clicked the wrong button, or at least clicked the right button in the wrong way. According to BlackHat, the volunteer “has been spoken to.”
Heigh ho. As BlackHat has just been reminded: you can’t outsource your accountability.
And the volunteer’s behaviour doesn’t explain away the phishiness factors listed above. It sounds as though the BlackHat conference might indeed have sent you an email of this sort. Just not this one.
How about your organisation? Could you have made a blunder like this? If so, now would be a good time to revisit your policies and procedures surrounding mailing lists and email blasts!