For our client engagements, we are constantly searching for new methods of open source intelligence (OSINT) gathering. This post will specifically focus on targeting client contact collection from a site we have found to be very useful () and will describe some of the hurdles we needed to overcome to write automation around site scraping. We will also be demoing and publishing a simple script to hopefully help the community add to their OSINT arsenal.

The benefits of employee name collection via OSINT are well-known within the security community. Several awesome automated scrapers already exist for popular sources (*cough* LinkedIn *cough*). A scraper is a common term used to describe a script or program that parses specific information from a webpage, often from an unauthenticated perspective. The employee names scraped (collected/parsed) from OSINT sources can trivially be converted into email addresses and/or usernames if one already knows the target organization’s formats. Common formats are pretty intuitive, but below are a few examples.

On the offensive side, a few of the most popular use cases for these collections of employee names, emails, and usernames are:

Credential stuffing utilizes breach data sources in an attempt to log into a target organization’s employees’ accounts. These attacks rely on the stolen credentials being recycled by employees on the compromised platforms, e.g., Jack B. Nibble used his work email address with the password JackisGreat10! to sign up for LinkedIn before a breach and he is reusing the same credentials for his work account.

Email phishing has long been one of the easiest ways to breach an organization’s perimeter, typically needing just one user to fall victim to a malicious email.