During a penetration test, login credentials are a highly sought-after item. While it is common to harvest that information via email scams (phishing attacks), it is not always the most practical or effective tactic to gain unauthorized access. That access, however, still requires a valid set of credentials. This poses a challenge. How does an attacker find valid accounts without social engineering? There are two main options: breached credentials and password spraying.
, attackers use malicious emails to steal valid credentials.
Attackers can use these credentials to begin more complicated attacks, or they can
and sell them
lie about their identity and objectives to
login information from unassuming
or to get them to download malicious content
emails might ask you to enter your password into a
login page or send
back to the sender.
Although these scams are well known, they are occasionally hard to spot, and they
high rate of success
encounter many of these emails, they may be caught in your junk folder. If this is the case, your email filtering is working effectively and removing potentially harmful
There is no reason to recover phishing emails from a junk folder.
Extortion emails work a little differently.
type of attack, the hackers claim to already have access to some sensitive information. That information could include anything from login credentials to embarrass
s. Whatever they choose is something designed to prompt an
and desperate reaction from the recipient.
In the email, they lay out what they have against
then threaten to blackmail them for money.
These types of emails are designed to be scary. They are supposed to make the victim feel
act without thinking.
If you ever
threatening extortion email, remain calm and report it
channels. In this post,
down a poorly written extortion email
sent to my junk folder.
As a cybersecurity engineer and an unapologetically enthusiastic “web guy,” I have both a personal and professional interest in finding new exploitation methods. Recently, I found an interesting and creative way to control a browser by exploiting a cross-site scripting (XSS) vulnerability. I learn by doing, so I executed the concept to see it work in practice. Without spoiling too much, I was very pleased with the results! This attack uses nothing more than Netcat and some clever XSS injection code. For those unfamiliar with Netcat, it’s a networking utility that reads and writes data across network connections.
How do you know if you have a solid cybersecurity program? You may have anti-virus installed and you change your computer password quarterly, but how do you know if your security program is truly effective? When you can’t see your gaps, it’s hard to make improvements and even harder to pick up the pieces after a security breach. That’s why Cybersecurity Consultants, like ProCircular’s Andrew Chipman, collect all the information they can, then measure your active security controls against their library of applicable standards.
If you’re reading this, it’s very likely that you know how to use the internet. It’s also likely you’ve made an account on the internet somewhere. When you created your last account, what kind of requirements were you forced to use? For a number of web services, these requirements still follow the 2003 NIST SP 800-63 Appendix A standards that recommend an 8-character minimum, containing one uppercase, one lowercase, one digit, and one special character (Ex: Procircular1!).