-
December 20th, 2007, 03:07 AM
#11
Junior Member
Originally Posted by lazy13
Maybe you can tell him to send you mail with a photo from a webserver owned by you.
Then you can add a script that will log all the ips who are downloading this photo and you ll see whether someone intercepts his mail.
Then you can track the ip who viewed your photo and his mail
its my 2nd post so be gentle
Not a bad idea, for a second post. We don't own the webserver...
MrEsco
-
December 20th, 2007, 03:12 AM
#12
Junior Member
Originally Posted by xiphias360
Well, on to your options. I think the most used technique to find a leak is by sending false information and seeing if your suspect picks up on it. This is used by even the most un-tech savvy of computer users. Putting something juicy or interesting in an email and then casually bringing it up later in a conversation and seeing if the suspect lets out more than you have told him.
But if the person is using some cheap online email account you can add an IP/timestamp logger to your emails. Actually, depending on how you used it, it could probably work in the best of online email accounts. Anywho, here's the gist: you make a small perl script that does the following,
#!/usr/bin/perl
use strict;
use warnings;
my $ip = $ENV{REMOTE_ADDR} || 'unknown';    # address of whoever fetched the image
open my $log, '>>', '/var/www/logs/opens.log' or die "cannot open log: $!";   # paths are placeholders
print $log "$ip opened the email at " . localtime() . "\n";
close $log;
open my $img, '<:raw', '/var/www/images/photo.gif' or die "cannot open image: $!";
binmode STDOUT;
print "Content-Type: image/gif\r\n\r\n";    # CGI header, then the raw image bytes
print do { local $/; <$img> };
close $img;
This is something I used to use and it works. But today, sites like gmail automatically block images in emails, just like outlook, unless the user clicks a link to show the images. So if that's the case, you can create an email where the main focus is the data on some graph or other interesting image that would cause the user to download the image.
I had a pretty nice program back in the day. I modified my .htaccess so that .gif extensions were associated with cgi scripts (just to add to the realness ) and I used sendmail to alert me whenever the image was triggered as well as logged everything to a file.
Good stuff, but now some root cause analysis... what is the commonly used way to 'hijack' an email address?
Thx for the input... I will razzle and dazzle them at the meeting of tomorrow... for shizzl
MrEsco
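The beacon image in the quoted post logs an address per open but cannot say which copy of the email was fetched. The following is an added example, not the poster's Perl script or anything from the original thread: a small WSGI app that serves a tiny GIF at a per-recipient URL, so a hit identifies the recipient whose copy was read and an address outside that recipient's expected range is the leak signal. The hostname, secret, log path and expected address ranges are placeholders, and the sample hit in the usage is constructed.

```python
"""Leak-detection beacon: one unique image URL per recipient (added example)."""
import base64
import hashlib
import hmac
import json
import time
from wsgiref.simple_server import make_server

SECRET = b"replace-with-a-long-random-secret"   # placeholder: generate a real one
HOST = "https://beacon.example.com"              # placeholder host you control
LOG_PATH = "beacon.log"                          # placeholder log file

# Tiny transparent GIF served as the "photo"
PIXEL = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")


def token_for(recipient):
    """Per-recipient token: an HMAC of the recipient name, so a hit tells you
    which copy was opened and tokens cannot be guessed or enumerated."""
    mac = hmac.new(SECRET, recipient.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:12]).decode().rstrip("=")


def beacon_url(recipient):
    """URL to embed as the image in the copy sent to this recipient."""
    return f"{HOST}/beacon/{token_for(recipient)}.gif"


def resolve(token, recipients):
    """Map a token back to a recipient; returns None for unknown tokens."""
    for r in recipients:
        if hmac.compare_digest(token_for(r), token):
            return r
    return None


def record_hit(path, remote_addr, user_agent, recipients, now=None):
    """Build the log record for a request, or None if the path is not a valid
    beacon (scanners and typos must not pollute the log)."""
    if not (path.startswith("/beacon/") and path.endswith(".gif")):
        return None
    token = path[len("/beacon/"):-len(".gif")]
    who = resolve(token, recipients)
    if who is None:
        return None
    ts = now or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return {"ts": ts, "recipient": who, "ip": remote_addr, "ua": user_agent}


def unexpected_openers(records, expected_prefixes):
    """Hits from outside a recipient's expected address range are the signal
    that the mail was read somewhere it should not have been."""
    return [r for r in records
            if not any(r["ip"].startswith(p)
                       for p in expected_prefixes.get(r["recipient"], []))]


def make_app(recipients, log_path=LOG_PATH):
    """WSGI app: log valid beacon fetches, answer with the pixel."""
    def app(environ, start_response):
        rec = record_hit(environ.get("PATH_INFO", ""),
                         environ.get("REMOTE_ADDR", "?"),
                         environ.get("HTTP_USER_AGENT", "?"), recipients)
        if rec is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        with open(log_path, "a") as f:
            f.write(json.dumps(rec) + "\n")
        start_response("200 OK", [("Content-Type", "image/gif"),
                                  ("Cache-Control", "no-store"),   # fetch on every open
                                  ("Content-Length", str(len(PIXEL)))])
        return [PIXEL]
    return app


if __name__ == "__main__":
    people = ["client", "supplier-a"]            # constructed recipient list
    for p in people:
        print(p, beacon_url(p))
    make_server("", 8080, make_app(people)).serve_forever()
```

Two caveats the thread already hints at: a missing hit proves nothing, because most mail clients do not fetch remote images until the reader allows it, and webmail providers that proxy images fetch on the reader's behalf, so the logged address may be the provider's rather than the reader's. Treat a hit from an unexpected address as a lead to investigate, not as proof on its own.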
-
December 20th, 2007, 05:59 PM
#13
Ahhh, and the hat turns black... I think account hijacking is beyond the scope of this forum. But as far as a commonly used way, there is none. It's not like you can just launch stealthisaccount.exe -a bob@thecompetition.com and instantly have an account. It's more like invading a country...
-
December 20th, 2007, 06:36 PM
#14
[rant]
he accuses his ISP of forwarding his email to the competition.
:sigh: The problem is your client's an idiot. Why is it people who know nothing whatsoever about IT are always so unwaveringly convinced that they know the cause of the problem and who's at fault?
[/rant]
I seriously doubt you have a hacker on your hands. I'd bet you 95% that the problem is either:
1) Someone internal leaking info, or
2) User error.
Either way, I'd lay money on a people problem, not a system problem.
To echo the above poster, there is no "common way" to "hack" email. You're looking at a question with dozens of solutions.
-
December 20th, 2007, 06:39 PM
#15
xiphias360
Ahhh, and the hat turns black... I think account hijacking is beyond the scope of this forum.
Whilst I appreciate and applaud your concern, we do actually discuss these matters within reason. Like I am not going to post links to skiddie tools or whatever, but I have reviewed commercial stuff of this nature in the past, as have many other members.
If you have any concerns about what you might want to post, please feel free to PM me or any other Mod or Admin. We do believe in full disclosure, but it is "responsible" full disclosure.
What our friend seems to have here is not the usual account hijacking scenario as I read things. This is a bit more along the lines of industrial/commercial espionage. Nasty, but unfortunately it happens.
Now, this may not even be a true "IT" issue. We could have a "mole" on the inside, his client's greed might have encouraged him (the client) to accept a "trojan horse" account (proper use of Trojan Horse there......... had to read that stuff for my ancient Greek exams )
I am still waiting to see if we have a general e-mail or client specific ones. If it is the latter, we would need to know (in general) what made the target accounts "special"
Hell, this stuff isn't rocket science, but it is a bit difficult given our means of communication and the time differences between us all?
Keep chipping away at the boulder folks
-
December 20th, 2007, 09:01 PM
#16
Well if that's the case then I guess it wouldn't hurt to glaze over a couple things.
Since you touched on the Trojan Horse subject, that is probably the easiest, most cut and dry way a person is going to get inside a place to take a look around without going through the sleepless weeks and efforts of a real hack. Plus it's insanely easy so even Fred who sweeps up out back behind the warehouse could do it. Be warned however, this is not advice, instructions or anything of that nature. Merely a discussion, and should you flip this around and use any of this to try anything to anyone and get caught, the law's heavy hammer will come crashing down on you.
So now, back to the trojan horse. It's very possible your client could be infected with one and not know it. Are his antivirus definitions up to date? Understand that antivirus programs only catch the bad stuff based on their signature. If you take a well known virus that every AV in the world looks for, and run it through some new packer, you change the signature of the file and voila, the AV doesn't know it's a trojan anymore. I used to play with Sub7 back in the day (didn't we all? ) and while all the AVs looked for it, I had packed it with a no-name hole-in-the-wall packer and was able to send it to friends and family undetected, just for SnG's of course It worked for a whole week before McAfee was able to detect it. Norton took another couple weeks after that. And getting someone to download something is sooOoOo easy. Gotta love horny guys. I remember a story in the news about a guy who was duped by a hacker in a chat room claiming to be a young teen. "She" sent him "revealing pictures" that let the hacker rape the retard's computer and he ended up scoring passwords that led to another raping of a huge company.
Anywho, the point is, a recent survey showed that most people think they have AV or firewall protection but really don't have any protection at all. Your client could swear on a stack of bibles that he has AV, but then you could look and see that his Norton 30-day free trial that came bundled with his computer expired 2 and a half years ago and couldn't detect Sober if it stabbed him in the ass.
But trojans aren't the only thing that could come into play here. A rootkit could be present that gives the other person a 24/7 pass into your computer. Try downloading Rootkit Revealer and see what happens.
Also, is there a firewall installed? What kind? If not give ZoneAlarm a try. It's free and user friendly, and should tell you when and where your packets try to sneak off to, and ask you if you want to let it happen or not.
There's tons of ways to get a trojan or rootkit into another network. Someone could have paid a disgruntled or just plain easily swayed employee to do the job for them. And if you're a fan of the Stealing the Network series, you should remember one of the guys talking about another easy way to get inside. Just burn the trojan/rootkit to a disc and have it autorun. Then toss some other worthless but seemingly interesting stuff on the disc (porn, games, sensitive-looking documents) and label it accordingly, "The Best of Heather Brooks", "Duke Nukem Forever (LEAKED!!)" or "Sales Data". Then "drop" it somewhere near the building and wait for it to phone home and deliver you a set of keys.
-
December 21st, 2007, 02:17 AM
#17
Junior Member
Originally Posted by xiphias360
Well if that's the case then I guess it wouldn't hurt to glaze over a couple things.
Since you touched on the Trojan Horse subject, that is probably the easiest, most cut and dry way a person is going to get inside a place to take a look around without going through the sleepless weeks and efforts of a real hack. Plus it's insanely easy so even Fred who sweeps up out back behind the warehouse could do it. Be warned however, this is not advice, instructions or anything of that nature. Merely a discussion, and should you flip this around and use any of this to try anything to anyone and get caught, the law's heavy hammer will come crashing down on you.
So now, back to the trojan horse. It's very possible your client could be infected with one and not know it. Are his antivirus definitions up to date? Understand that antivirus programs only catch the bad stuff based on their signature. If you take a well known virus that every AV in the world looks for, and run it through some new packer, you change the signature of the file and voila, the AV doesn't know it's a trojan anymore. I used to play with Sub7 back in the day (didn't we all? ) and while all the AVs looked for it, I had packed it with a no-name hole-in-the-wall packer and was able to send it to friends and family undetected, just for SnG's of course It worked for a whole week before McAfee was able to detect it. Norton took another couple weeks after that. And getting someone to download something is sooOoOo easy. Gotta love horny guys. I remember a story in the news about a guy who was duped by a hacker in a chat room claiming to be a young teen. "She" sent him "revealing pictures" that let the hacker rape the retard's computer and he ended up scoring passwords that led to another raping of a huge company.
Anywho, the point is, a recent survey showed that most people think they have AV or firewall protection but really don't have any protection at all. Your client could swear on a stack of bibles that he has AV, but then you could look and see that his Norton 30-day free trial that came bundled with his computer expired 2 and a half years ago and couldn't detect Sober if it stabbed him in the ass.
But trojans aren't the only thing that could come into play here. A rootkit could be present that gives the other person a 24/7 pass into your computer. Try downloading Rootkit Revealer and see what happens.
Also, is there a firewall installed? What kind? If not give ZoneAlarm a try. It's free and user friendly, and should tell you when and where your packets try to sneak off to, and ask you if you want to let it happen or not.
There's tons of ways to get a trojan or rootkit into another network. Someone could have paid a disgruntled or just plain easily swayed employee to do the job for them. And if you're a fan of the Stealing the Network series, you should remember one of the guys talking about another easy way to get inside. Just burn the trojan/rootkit to a disc and have it autorun. Then toss some other worthless but seemingly interesting stuff on the disc (porn, games, sensitive-looking documents) and label it accordingly, "The Best of Heather Brooks", "Duke Nukem Forever (LEAKED!!)" or "Sales Data". Then "drop" it somewhere near the building and wait for it to phone home and deliver you a set of keys.
Guys,
The trojan/rootkit possibility has been explored, nothing has been found... we took the computers almost completely apart, sector by sector
At this moment we're looking into the human aspect of this so called 'hack' and it looks like the client is just paranoid. Am just getting my facts straight, I know that attacking an email server needs some skill and a lot of free time...
It would mean that the attacker has a clear image of his target; is it possible to discover with a trace route which server the sender is using?
or is it a bit more complicated than that?
Kind regards,
MrEsco
-
December 21st, 2007, 02:26 AM
#18
Junior Member
Originally Posted by nihil
Whilst I appreciate and applaud your concern, we do actually discuss these matters within reason. Like I am not going to post links to skiddie tools or whatever, but I have reviewed commercial stuff of this nature in the past, as have many other members.
Thx for the concern but am not interested in the scribbiedidlydoo tools. Am more interested in 'global' views so we can protect ourselves against it.
Originally Posted by nihil
What our friend seems to have here is not the usual account hijacking scenario as I read things. This is a bit more along the lines of industrial/commercial espionage. Nasty, but unfortunately it happens.
It looks like (if it's true) an elaborate and well organised effort but I doubt it... too many holes in the story of the client. We just need to cover all angles.
Originally Posted by nihil
I am still waiting to see if we have a general e-mail or client specific ones. If it is the latter, we would need to know (in general) what made the target accounts "special".
General email
Originally Posted by nihil
Hell, this stuff isn't rocket science, but it is a bit difficult given our means of communication and the time differences between us all?
Keep chipping away at the boulder folks
-
December 21st, 2007, 08:19 AM
#19
-
December 21st, 2007, 03:47 PM
#20
One possible idea would be to have your inbound/outbound mail routed through a secure hosted machine elsewhere (outside the ISP).
Ensure that mail in and out only goes via that host, and is encrypted in both directions. That machine can then act as an "MX" record for the customer's domains.
Some hosted email security services already provide such a system; I work for a company which does just this.
If you're using this, even if the ISP's routers were compromised, your email is still safe.
Slarty
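The arrangement Slarty describes, written out as a Postfix configuration, is an added example and not the configuration of Slarty's company or of any product: the client's own server hands all outbound mail to the hosted relay over verified TLS, and accepts inbound mail only from that relay and only over TLS, so the ISP's path carries ciphertext in both directions. The relay hostname, port, certificate paths and the address list in relay_only.cidr are placeholders.

```ini
# /etc/postfix/main.cf on the client's own mail server (added example)

# Outbound: every message goes to the hosted relay and nowhere else.
relayhost = [relay.example.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Mandatory TLS to the relay with certificate verification, so a hop in
# between (the ISP's routers) sees only ciphertext.
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Inbound: the hosted relay is the domain's MX; accept sessions only from
# its addresses and only once TLS is established.
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_key_file = /etc/postfix/server.key
smtpd_client_restrictions = permit_mynetworks, check_client_access cidr:/etc/postfix/relay_only.cidr, reject
```

The file relay_only.cidr lists the relay's address ranges with the action OK, one per line. The trade-off to state to the client: the hosted relay now handles the plaintext, so this moves trust from the ISP to the relay provider rather than removing it, and mail between the relay and third parties on the internet is still only as protected as those other servers allow.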