Tuesday, October 9, 2007

Phishing Secure Email Portals

Here's a new twist on an old scam:

Lots of companies have implemented some form of "secure e-mail" solution. If you haven't seen this before, it works like this: a user at Megabank or Gotham Hospital sends you a message about your personal information. Instead of arriving directly over SMTP (which is, among other things, as cleartext a protocol as any), you receive a notification via SMTP that tells you to click on a link to a web site (encrypted with SSL) where you can log in and retrieve your message. This is extremely common in the health care vertical because the HIPAA Privacy Rule that went into effect in 2003 explicitly forbids sending personal information unencrypted over the Internet.

So it makes perfect sense that these portals are worth phishing - they are almost guaranteed to contain some sort of valuable data. But it got me thinking about something else. I work in the health care vertical, and we have a secure e-mail solution in place. When we evaluated products a few years ago, we discovered some sort of session handling flaw in more than half of the products we looked at. Not to mention that a number of the vendors out there support what can only be described as a "letter-of-the-law" configuration*.

Anyway, I wonder whether phishing is even necessary for sites like these. I would bet that there are enough vulnerabilities in enough of these portals that attacking them directly is a better bet for the criminals who want the dumps to sell on IRC. Especially since some of the third-party products out there are appliances that insist on SSL termination at the appliance. What does that mean to an attacker? A blind spot for the IDS plus permission from the firewall. Oh, and we all know how good the logging on an appliance like that is bound to be.


* In this mode, the portal sends a link that contains a hash of some kind. Send that link back with the valid hash and you can view the message. Well, technically, the private data isn't sent unencrypted; instead, a link to the private data is sent unencrypted. If you have deployed something like this and you feel that you can justify it, I'd love to hear from you. Obviously there was enough demand for it, since most of the vendors in this space have something like it.
