November 19, 2012, 2:56 PM — Is everything a potential security vulnerability? Is there nothing that a security manager shouldn't look at with suspicion?
At issue: A phishing attack gets through to 900 users on a single email distribution list.
Action plan: Find out how many email distribution lists are externally available.
What, for example, could seem more innocent than an email distribution list? Such lists are convenient and ubiquitous, and in a company of any size at all, indispensable. They let you send an email to everyone in, say, marketing, by just putting the name of the marketing group in your email's "to" field. You don't have to worry about leaving anyone out, as long as your company's Exchange or Notes administrator sees to it that the lists are kept up to date. They certainly don't seem suspect.
Last week, however, distribution lists were implicated when we looked into something that turned out to be a rather brazen phishing expedition.
It started with the help desk receiving emails from several employees complaining that they were unable to access our company's payroll website and that they had gotten emails stating that either the certificate used to access the payroll site had expired (and they needed to click on a link to validate the certificate) or the password for the site had expired (and they needed to log in to change the password). That sounded like phishing to me, and sure enough, when I moved my curser over the link in the email, a very different Web address was displayed.
Wanting to know more, we investigated the link. What we found was that any user who had done the same was encouraged to install a file. We then downloaded the file in a secure environment for forensic analysis and identified it as a piece of malicious software for connecting to a site in China. It looked as if the idea was to trick unsuspecting users into making their PCs available to a command-and-control network operated out of China. Fortunately, our endpoint protection client is able to detect the software and prevent it from executing. Unfortunately, at any given time, about 6% to 7% of our desktops are not protected or haven't been updated with the proper pattern files, so there is the possibility that some machines on our network are now zombies.
But what does any of this have to do with distribution lists? Well, the phishing email was sent to an externally available distribution list with more than 900 users. That made it easy for us to determine which machines might be compromised, so we'll be able to check each one and make sure it has the proper endpoint protection client installed.
Rein In Those Lists