Don't aid spammers with LinkedIn Open Network. LION or Sheep

 (953 words)

It’s the 21st century, the year 2014, and we are still at ground zero talking about spam emails and attacks like spear phishing. No matter how stringent your controls are or how much you have invested in your “defense in depth” approach, a single person in your firm clicking a link in an unsolicited email can crumble your empire. This is not as melodramatic as it sounds. It is real, scary and sad. With this blog post, I wish to walk you through one of the easiest ways to harvest email addresses.

Spear Phishing, an issue with PayTM

 (1021 words)

Before you dive into the technical details, I wish to confirm that this vulnerability has been FIXED. Thanks to PAYTM for taking quick action. Looking forward to such quick responses on security concerns. Kudos!

Don’t get this wrong. I wish to share a vulnerability that can be leveraged by attackers to initiate a spear phishing attack. The website in discussion is paytm.com. There is an information disclosure vulnerability in the main website: an unauthenticated user can query the email address registered against a mobile number. It means that if you have the mobile number of a person who is a member of paytm, you can find their registered email address on the website. Combine these two pieces of information, and you can send a targeted email to the victim. Let us dive straight into it. paytm uses the following URL as its login page: https://hub.paytm.com/user/authenticate

I got a phishing mail, and I followed it

 (564 words)

We come across so many links via social networking websites, and we unknowingly click many of them. Malicious links can have catastrophic results: your system and your privacy are compromised, or your data takes the hit. Here is an analysis of one such link, dated 17.April.2012, that I came across via Twitter and LinkedIn.

NOTE: All links have been written with the ‘non-clickable’ hxxp:// prefix to prevent mistaken clicks.

What should you look for in a Pen-test, anyway?

 (3143 words)

Vulnerabilities are increasing by leaps and bounds, and any industry, technical or non-technical, has to grow its security in step or else it becomes a highly vulnerable and lucrative target. There is news of data loss and breaches every now and then. A rough estimate of the growth of reported vulnerabilities over the last decade (1995-2008) is shown in Figure 1. This accounts only for vulnerabilities as reported; hundreds of active (unreported or unpatched) vulnerabilities float underground in the hands of money-driven, black-hat attackers.

Is Social Network, a forbidden fruit?

 (902 words)

It’s the kind of evening when anyone would expect me to be sitting in the office for a snack-time conversation. But today, due to some power problems, we called the day off pretty early. I was feeling a little restless, so I came out and walked into a Cafe Coffee Day (CCD) to have an espresso. At the table next to me, a group of teens is discussing Facebook, Orkut and the like. How fast this culture of social networking is spreading among students and professionals! No wonder sites like Facebook, Twitter, Orkut and MySpace are generating millions of dollars from our time! What they need from us is a registration, half an hour or more of daily login, some online clicks and some chit-chat. In return they get money, money and loads of money from the time we enjoy social networking.