Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Thursday, 6 April 2017

Back from the Dead

Forgotten web sites can haunt users with malware.

Last night, I received a malicious email. The problem is, it was sent to an account I use to register for web sites and nothing else.

Over the years, I've signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.

The friendly, well written message was a refreshing change from the usual approach, which most often demands immediate, unthinking action. The sender, however, could only call me "J" as he didn't have my forename. There was a protected file attached, but the sender had supplied the password. It was a contract, he said, and he looked forward to hearing back from me.

The headers said the email came from a French telecoms company. Was someone on a spending spree with my money? My PayPal and bank accounts showed no withdrawals.

Curious about the payload, I spun up a suitably isolated Windows 10 victim system, and detonated the attachment. It had the cheek to complain about having no route to the outside world. I tried again, this time with an open internet connection. A randomly-named process quickly opened and closed, while the file reported a corruption. Maybe the victim system had the wrong version of Windows installed, or the wrong vulnerabilities exposed. Maybe my IP address was in the wrong territory. Maybe (and this is more likely) the file spotted the monitoring software watching its every move, and aborted its run with a suitably misleading message.

Disappointed, after deleting the victim system I wondered which site out of hundreds could have been compromised. I'll probably never know, but it does reveal a deeper worry about life online.

Over the years, we all sign up for plenty of sites about which we subsequently forget, and usually with whichever email address is most convenient. It's surely only a matter of time before old, forgotten sites get hacked and return to haunt us with something more focused than malicious commodity spam – especially if we've been silly enough to provide a full or real name and address. Because of this, it pays to set up dedicated accounts for registrations, or use temporary addresses from places such as Guerrilla Mail.

No comments:

Post a Comment