Shall we say… Good bye, phishing queue? Part 2

In my older piece I argued that we should stop caring about phishing alerts. Of course, it was a bit of a parable…

Still, there are a lot of quick wins described there that can be incorporated into phishing workflows easily – as long as you have some sort of automation/SOAR in place…

As I mentioned back then, emails reported as phish that were sent from one of these ‘noreply’, ‘no-reply’, ‘donotreply’ mailboxes on a well-known domain can (most of the time) be auto-closed w/o any investigation…

Easy to say, but what are these really…?

While I have personally collected a long list of these nothingburger email senders before, I got curious how many of these generic ‘do not reply’ type email accounts are really out there – not within a single company’s scope, but in general (that is, email account names hosted on popular domains that belong to the ‘do nothing’ category).

If asked to list these passive account names off the top of your head, I bet you would start with ‘noreply’, ‘no-reply’ and all the variants of ‘donotreply’, then perhaps follow with ‘contact’, ‘info’, ‘abuse’, ‘webmaster’, and so on and so forth, but… this is just guesswork. I thought this approach was too speculative and that we can build a more comprehensive list of these w/o guessing. And mind you, this IS a very difficult request to fulfill. Unless you work for a company in the mail security business, that is…

And since I don’t, let’s get creative…

I wrote a quick & dirty script that goes through a batch of files containing email addresses extracted from various public e-mail dumps. It reads them one by one and tries to extract some basic stats about them. A lot of results are quite boring and non-actionable, many are discarded ‘on the fly’, but after running it for a few days and adjusting it here and there, my goal of building an _inaccurate_ histogram of the most commonly used do-not-reply account names started to bear fruit. While I am writing this, my script is still running, but there are a lot of juicy results already, so I am going to share them below…
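As an added illustration of the approach (example code written for this edit, not the author’s script), the following Python counts, for every local part, the number of distinct domains it shows up on across a batch of addresses. The idea it demonstrates is that a generic ‘do nothing’ account name is one that recurs on many unrelated domains, while a name seen on a single domain is just a user. The personal-name filter and the `min_domains` threshold are assumptions about how such a script discards noise; the input addresses are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample standing in for the lines of the public dumps the post
# describes. These addresses are made up; none of the domains are real.
SAMPLE_ADDRESSES = """
info@example-shop.com
info@example-bank.org
info@example-school.edu
noreply@example-shop.com
noreply@example-social.net
noreply@example-bank.org
support@example-shop.com
support@example-social.net
john.smith@example-bank.org
jsmith1984@example-mail.com
webmaster@example-school.edu
webmaster@example-news.tv
billing@example-shop.com
not an email line
NOREPLY@Example-News.TV
"""

LOCAL_PART_RE = re.compile(r"^[a-z0-9._+-]+$")


def parse_address(line):
    """Return (local_part, domain), lowercased, or None if the line is not an address."""
    line = line.strip().lower()
    if line.count("@") != 1:
        return None
    local, domain = line.split("@")
    if not local or "." not in domain or not LOCAL_PART_RE.match(local):
        return None
    return local, domain


def looks_personal(local):
    # Discarded 'on the fly' (assumption): dotted or digit-bearing local parts
    # are almost always people (john.smith, jsmith1984), not role mailboxes.
    return any(ch.isdigit() for ch in local) or "." in local


def role_mailbox_histogram(lines, min_domains=2):
    """Histogram of generic local parts, keyed by how many DISTINCT domains host them.

    Counting distinct domains rather than raw occurrences is what separates a
    role/no-reply name from one busy user: info@ at 3 domains is a pattern,
    billing@ at a single domain is not (it falls below min_domains).
    """
    domains_by_local = defaultdict(set)
    for line in lines:
        parsed = parse_address(line)
        if parsed is None:
            continue
        local, domain = parsed
        if looks_personal(local):
            continue
        domains_by_local[local].add(domain)
    return Counter({local: len(doms) for local, doms in domains_by_local.items()
                    if len(doms) >= min_domains})


if __name__ == "__main__":
    for name, n in role_mailbox_histogram(SAMPLE_ADDRESSES.splitlines()).most_common():
        print(f"{name}@ seen on {n} distinct domains")
```

Run against real dump files the same function simply takes the file lines as `lines`; the `min_domains` knob is what you raise as the corpus grows, so that only names seen across hundreds of domains survive.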

Before I do so, let me help you with an interpretation.

For every account name listed below, check whether the sender behind it comes from a domain that is generally trustworthy. The local part alone means nothing: anyone can create a noreply@ mailbox on a domain they registered five minutes ago. And the good news is that, chances are, many of these generic senders on trustworthy domains contribute to your phishing alert volumes!

For example, noreply@facebook.com is trustworthy, but noreply@skdjfhskdjfgj.com is not. One caveat before wiring this into an auto-closure rule: ‘trustworthy domain’ should mean the domain your own mail gateway actually authenticated (SPF/DKIM/DMARC pass), not merely the string after the @ in the From: header, otherwise a spoofed From: of a well-known brand gets auto-closed along with the real ones.

Now that we have all these pieces of information in place, let’s look at the actual list of email accounts of ‘no interest’:

  • info@
  • mail@
  • admin@
  • net@
  • office@
  • sales@
  • contact@
  • master@
  • life@
  • best@
  • webmaster@
  • email@
  • home@
  • support@
  • purchase@
  • myspace@
  • boss@
  • sample@
  • style@
  • smile@
  • av@
  • online@
  • accounts@
  • design@
  • box@
  • test@
  • web@
  • service@
  • www@
  • world@
  • null@
  • bill@
  • live@
  • no@
  • post@
  • game@
  • hot@
  • off@
  • new@
  • marketing@
  • all@
  • spam@
  • shop@
  • club@
  • demon@
  • sex@
  • org@
  • hi@
  • team@
  • kontakt@
  • student@
  • house@
  • games@
  • here@
  • work@
  • city@
  • job@
  • fly@
  • free@
  • hello@
  • weber@
  • top@
  • fun@
  • user@
  • money@
  • player@
  • auto@
  • personal@
  • price@
  • link@
  • time@
  • beauty@
  • manager@
  • geo@
  • manu@
  • seo@
  • jenkins@
  • project@
  • dummy@
  • photo@
  • business@
  • company@
  • records@
  • show@
  • productions@
  • foto@
  • legend@
  • dev@
  • space@
  • cash@
  • miles@
  • first@
  • bot@
  • help@
  • core@
  • facebook@
  • beer@
  • blog@
  • unit@
  • agent@
  • song@
  • flash@
  • opt@
  • list@
  • noemail@
  • gaming@
  • secret@
  • ads@
  • travel@
  • market@
  • football@
  • speed@
  • trade@
  • mini@
  • freedom@
  • services@
  • postmaster@
  • ebay@
  • corp@
  • staff@
  • unknown@
  • lost@
  • bug@
  • login@
  • moto@
  • editor@
  • sound@
  • force@
  • vkontakte@
  • wizard@
  • english@
  • people@
  • party@
  • abuse@
  • dhl@
  • fedex@
  • ups@
  • studio@
  • play@
  • submit@
  • biuro@
  • yahoo@
  • soft@
  • account@
  • booking@
  • kids@
  • adidas@
  • system@
  • expert@
  • freelife@
  • forum@
  • mailbox@
  • photography@
  • fantasy@
  • production@
  • administrator@
  • designer@
  • chef@
  • inbox@
  • official@
  • social@
  • minecraft@
  • shopping@
  • paypal@
  • united@
  • entertainment@
  • customerservice@
  • creative@
  • consulting@
  • reception@
  • invitado@
  • consult@
  • vision@
  • away@
  • network@
  • education@
  • robot@
  • nomail@
  • nothing@
  • digital@
  • solutions@
  • taxi@
  • training@
  • noreply@
  • today@
  • agency@
  • purchasing@
  • security@
  • commerciale@
  • community@
  • studios@
  • connect@
  • newsletter@
  • nobody@
  • food@
  • youth@
  • oops@
  • construction@
  • society@
  • registrar@
  • transport@
  • audio@
  • nospam@
  • member@
  • junkmail@
  • secretary@
  • enquiry@
  • surveys@
  • articles@
  • enterprise@
  • bookings@
  • segreteria@
  • information@
  • communication@
  • commercial@
  • event@
  • photos@
  • yourmail@
  • central@
  • inform@
  • tours@
  • operator@
  • factory@
  • direct@
  • import@
  • realtor@
  • misc@
  • xpress@
  • virtual@
  • premium@
  • amazon@
  • capital@
  • research@
  • exclusive@
  • biznes@
  • oracle@
  • corporation@
  • summit@
  • inquiry@
  • daemon@
  • massage@
  • officiel@
  • associates@
  • culture@
  • cartoon@
  • navigator@
  • platinum@
  • poczta@
  • sazonova@
  • redaktion@
  • local@
  • website@
  • partners@
  • johncena@
  • realestate@
  • firefox@
  • resident@
  • advertising@
  • anonim@
  • source@
  • technik@
  • response@
  • mobility@
  • traffic@
  • custom@

There are many more. I recommend that you look at your own phishing queue and analyze both the senders and the users who are too trigger-happy with the ‘report phish’ button. Stats like these give you plenty of opportunities to automate auto-closures and to educate those trigger-happy users.
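Putting the pieces together, here is an added Python example (written for this edit, not the author’s SOAR playbook) of the triage decision itself: a reported message is auto-closed only when the local part is a generic role/no-reply name, the sender domain is on a trusted-domain allowlist, and the gateway’s own Authentication-Results header records a DMARC pass. The allowlist, the authserv-id `mx.example.org`, the generic-name subset and the sample messages are all constructed for the demo.

```python
from email import message_from_string
from email.utils import parseaddr

# Small subset of the generic account names from the list above.
GENERIC_LOCAL_PARTS = {"noreply", "no-reply", "donotreply", "info",
                       "support", "newsletter", "postmaster"}

# Hypothetical allowlist of sender domains this org treats as trustworthy.
TRUSTED_DOMAINS = {"facebook.com", "example-vendor.com"}

# Hypothetical authserv-id of OUR inbound gateway. Only Authentication-Results
# headers stamped with this id are trusted; anything else may have been added
# upstream by the sender (RFC 8601 tells receivers to strip those, but we check).
OUR_AUTHSERV_ID = "mx.example.org"


def dmarc_passed(msg):
    """True only if our own gateway recorded dmarc=pass for this message."""
    for value in msg.get_all("Authentication-Results", []):
        fields = value.replace("\n", " ").split(";")
        if fields[0].strip().lower() != OUR_AUTHSERV_ID:
            continue  # stamped by someone else: ignore it
        if any(f.strip().lower().startswith("dmarc=pass") for f in fields[1:]):
            return True
    return False


def triage(raw_message):
    """Return ("auto-close" | "investigate", reason) for one reported message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return "investigate", "unparseable From: header"
    local, domain = addr.lower().rsplit("@", 1)
    if local not in GENERIC_LOCAL_PARTS:
        return "investigate", f"{local}@ is not a generic role mailbox"
    if domain not in TRUSTED_DOMAINS:
        return "investigate", f"{domain} is not on the trusted-domain list"
    if not dmarc_passed(msg):
        return "investigate", f"{addr}: trusted domain but no DMARC pass from our gateway (possible spoof)"
    return "auto-close", f"{addr} is a generic mailbox on a trusted, authenticated domain"


def build_message(from_header, auth_results=None):
    """Construct a minimal RFC 5322 message for the demo (constructed test data)."""
    headers = [f"From: {from_header}", "To: someone@example.org", "Subject: Your account"]
    if auth_results:
        headers.append(f"Authentication-Results: {auth_results}")
    return "\n".join(headers) + "\n\nSee the attached statement.\n"


SAMPLE_MESSAGES = {
    "legit": build_message("Facebook <noreply@facebook.com>",
                           "mx.example.org; dmarc=pass header.from=facebook.com"),
    "lookalike_domain": build_message("noreply@skdjfhskdjfgj.com",
                                      "mx.example.org; dmarc=pass header.from=skdjfhskdjfgj.com"),
    "spoofed_from": build_message("noreply@facebook.com",
                                  "mx.example.org; dmarc=fail header.from=facebook.com"),
    "forged_auth_header": build_message("noreply@facebook.com",
                                        "attacker.example; dmarc=pass header.from=facebook.com"),
    "real_person": build_message("someone@facebook.com",
                                 "mx.example.org; dmarc=pass header.from=facebook.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        verdict, reason = triage(raw)
        print(f"{name:20} -> {verdict:12} ({reason})")
```

Only the first sample is auto-closed; the look-alike domain, the DMARC failure, the forged upstream Authentication-Results header and the human sender on a trusted domain all stay in the queue, which is the point: the cheap auto-closure is safe precisely because it stacks three independent conditions rather than trusting the From: string.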

The art of cutting corners

I love ROI-driven solutions and this post is about one of them. My personal cybersecurity consulting practice exposed me to many different types of ‘IT security’ jobs over the last 13 years, and today I will describe one of them…

Nearly a decade ago one of my clients contacted me saying that they had got a USB key that belonged to their client, who was interested in regaining access to the device’s content after forgetting the password.

Hmm interesting…

This was not your random USB key, but a removable device specifically designed to encrypt its data by default. As an input, I got a forensic ‘image’ of the USB key plus some basic info about its vendor, and that was it – so I quickly googled around and immediately realized the company that produced it had been out of business for a while…

Before I could even begin I was shot down.

To access the content of the device one needed to run the vendor’s software (luckily present on the key in unencrypted form), provide the password, and then the actual content of the key would be decrypted and mounted as a separate Windows device. I may not be remembering everything exactly as it was, but the bottom line was that I got an image of an encrypted USB key and had to find a way to crack its password.

The software handling the decryption process was a mess. It was on the complexity level of today’s Rust, Go or Nim binaries – written in a language that was not very commonly used, very high-level, with lots of dependencies and hard to analyze statically – and there were definitely no dedicated tools to support the analysis (I know I am vague, but it was a long time ago – it could have been Visual FoxPro or something like this, I really don’t remember!).

After a few hours of static analysis in IDA I threw in the towel and decided to take a different approach. I was hoping that the person using the encrypted key had chosen some simple, easy-to-remember password.

So, I built a dictionary of popular English words, ran that weird decryption software, and finally wrote a very rudimentary AutoIt script that would fetch words from the dictionary text file one by one, save each one to a log file, push it into the UI control of the software that handled the password input, then send a keystroke simulating someone pressing the ENTER key…

Luckily, the software didn’t have any anti-brute-force mechanisms built in, so I just let it run overnight. To my surprise, next morning I discovered the password was cracked!

It was a simple 5- or 6-character long English word, if I remember correctly, and once I found out I was immediately ecstatic! I quickly relayed the message to my client, they did so to theirs, and we all ended up happier and richer that day…

Is there a lesson there for us?

YES!

Sometimes stupid solutions work. You don’t need to understand everything. It’s good to be driven by ROI principles. The art of ‘hacking’ is elusive.