Important News! – We explain how hackers can take control of your data through your RSS feeds in this clever RSS hack.
Vissensa have been providing products and services for a number of years to ensure organisations are as protected as possible from cyber security threats and zero-day hacks. As a business, we’re proud to continue to ensure the safety of our clients and advocate a proactive approach to threat management and protection.
We constantly monitor and evaluate the security market and regularly release information about new threats and the tools to combat them.
The vulnerability in this hack centres on our busy lives and our use of mobile technology, or on penetrating home networks to break through the defences designed and implemented to stop phishing attacks.
It begins with a “change your password” type message from a bad actor that looks official. It’s incredible that this method of harvesting a user’s id and password still works, but it is understandable if the security policy allows such changes to occur on devices without additional authentication.
Once the bad actor has the user’s password, they then begin what is a very clever and sophisticated hack.
To start, they are not locking up laptops or systems and asking for money. They are not starting a download of the organisation’s folders and files, which could be detected by the corporate security tools in place. (That action could alert the security team and the hack would be automatically blocked.) Like all well-planned attacks, they have designed a way to operate “in the clear”. It all takes place in full view of the user, right under their noses. This mirrors the major attack on SolarWinds’ clients last year, where code was changed to be able to hack certain sites, but no adverse effects were detectable within the security perimeter.
The bad actor logs on to the email account of the unsuspecting user – using their credentials, unknowingly supplied to them by that user themselves. They are probably logging on at a time they know the user will not be, like in the middle of the night.
Again, the bad actor is relying on hitting one of the thousands of users or companies that still don’t believe paying for security products and services is cost effective, or think it unnecessary, and have not implemented simple security measures such as two-factor authentication.
This raises the million dollar question:
When was the last time you reviewed the “rules” option in your email product? For Microsoft Outlook users it appears on the ribbon at the top of the screen. I expect many of you reading this are saying “what rules option?” and a few more saying “never”. I was in the second camp.
Step three: the bad actor is in the account and sets up this “operating in the clear” hack. They head for your rules option and create a new rule. It’s something all users have the option to do, and it allows users to filter their mailboxes into new folders within the system or forward mail to other mailboxes. Microsoft even provides a slick user interface and lets you select how you want a rule to operate from a menu, so you don’t have to review or edit these rules by hand. All standard stuff, right?
But the hacker creates the rules they need and leaves knowing that the chances of the user actually going into the rules option and reviewing current rules is slim to none.
The bad actor never logs on to the user account again. The user may even change their password several times after the rule insertion, never knowing the hacker has what they want.
OK, I hear all you tech heads saying “all well and good, but forwarding mail, particularly outside the organisation, would be more visible and easier to spot.” Well, the user might also be able to spot that the outbox is sending mails to someone they don’t know and discover the problem. Sending via email is also an extra danger for the hacker, as the outbound mail is pointing at an email address that could be tracked.
Remember I said the best hacks are those operated in the clear? Well, here is the final step:
RSS feeds (Really Simple Syndication) are used to publish information and alert subscribers of new content or information being published on the internet. Good examples of this are breaking news on the BBC or CNN that can be subscribed to.
The alert is usually a pop up on the user’s screen and a URL or pointer to the information.
The bad actor uses the RSS infrastructure and creates an RSS feed just for themselves, named something that is not easily searchable by others, then sits and waits for mail to arrive in the unsuspecting user’s inbox or be sent from their outbox. Their own personal RSS feed, directly from your mailbox!
Each mail is now being forwarded by the RSS rule to the hacker. They just sit back and wait for the “ding” from the RSS feed saying there is new content. All of this happens while the user and the user’s security systems are oblivious to the transmission. Every time a piece of “interesting” information reaches the hacker, they can act on it at leisure, or sell it on the dark web. This information includes: new employee details, user ids, important people in an organisation to launch a spear phishing attack against, passwords that are sent over email, bank and payment details, or indeed anything that is being sent or received by email.
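The practical defence against the rule described above is to audit every mailbox’s rules for forwarding, redirection, or quietly moving mail into folders such as RSS Feeds that nobody reads. The following script is an added example, not Vissensa’s own tooling; it assumes Exchange Online, the ExchangeOnlineManagement module, and an admin account permitted to read all mailboxes’ rules.

```powershell
# Added example (not from the original article): audit Exchange Online inbox
# rules for the forwarding / hiding behaviour described in the article.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account may run Get-Mailbox and Get-InboxRule against every mailbox.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$mailboxes = Get-Mailbox -ResultSize Unlimited

$findings = foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $reasons = @()
        # Rules that push a copy of each message out of the mailbox
        if ($rule.ForwardTo)             { $reasons += 'ForwardTo' }
        if ($rule.ForwardAsAttachmentTo) { $reasons += 'ForwardAsAttachmentTo' }
        if ($rule.RedirectTo)            { $reasons += 'RedirectTo' }
        # Rules that hide mail in folders the user never looks at (RSS Feeds,
        # RSS Subscriptions, Junk, Deleted Items, ...) or delete it outright
        if ($rule.MoveToFolder -match 'RSS|Junk|Deleted|Archive|Conversation History') {
            $reasons += "MoveToFolder=$($rule.MoveToFolder)"
        }
        if ($rule.DeleteMessage)         { $reasons += 'DeleteMessage' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = $reasons -join ', '
                Targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) -join '; '
            }
        }
    }
}

# Mailbox-level forwarding is configured outside the rules UI and will not
# show up in Get-InboxRule, so check it separately.
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$mailboxForwarding | Format-Table -AutoSize
$findings | Export-Csv -Path .\inbox-rule-findings.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Any rule the mailbox owner does not recognise, especially one forwarding to an external address or moving mail into an RSS folder, should be disabled and the account's recent sign-ins reviewed.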
It’s happening right now, and people are being scammed because of this very clever hack. If you want to know more about preventing this type of attack, or just want to refresh your understanding of the steps you can take to protect yourself, download our free 10-step guide to cyber security here.