Written by: Pranshu Bajpai
For the purpose of mass spamming or spear phishing, hackers use a module available in Metasploit that pulls email accounts of a particular organization from 'Google', 'Bing' and 'Yahoo'.
Hackers find this useful during targeted attacks, when they go on to perform online password attacks: the IDs or usernames must be known before the cracking process can begin. As I mentioned, the list of email addresses can also be used for mass mailing, phishing, or spear phishing.
So I conduct such a test to pull email addresses from an organization of interest to me. First, I list all the options available for this module using the standard Metasploit command 'show options'.
Then, I set the 'domain' of the organization and the 'output' file where I want the results (the email addresses) saved, and execute the module.
After a while, these are the results given back to me:
Bots crawl the Internet looking for email addresses. To avoid being spammed, one mitigation is to embed the email address in an image, or to write it in a custom format that a bot will not recognise as an email address. For instance, name [at] gmail [dot] com.
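As an added example (not from the original post), here is a small self-audit for pages you publish: it finds addresses in the plain form a harvesting regex recognises, and rewrites them into the [at]/[dot] format described above. The sample HTML is constructed for the demonstration.

```python
import re

# Rough pattern for a plaintext address, the kind of thing address-harvesting
# bots (and search-engine scrapers) key on.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample page fragment with one mailto link and one bare address.
SAMPLE_HTML = (
    '<p>Contact <a href="mailto:j.doe@example.co.uk">j.doe@example.co.uk</a>'
    ' or press@example.com.</p>'
)


def find_plaintext_emails(text: str) -> list[str]:
    """Return every address that appears in machine-recognisable form.

    Run this over your own published pages: anything it returns is what an
    automated harvester would also collect.
    """
    return EMAIL_RE.findall(text)


def obfuscate_address(addr: str) -> str:
    """Render one address as 'name [at] domain [dot] tld'."""
    local, _, domain = addr.rpartition("@")
    return f"{local} [at] {domain.replace('.', ' [dot] ')}"


def obfuscate_emails(html: str) -> str:
    """Rewrite every plaintext address in a page fragment.

    mailto: links are neutralised first, because the href would otherwise keep
    the raw address in the markup even after the visible text is rewritten.
    """
    html = re.sub(r'href="mailto:[^"]*"', 'href="#"', html)
    return EMAIL_RE.sub(lambda m: obfuscate_address(m.group(0)), html)


if __name__ == "__main__":
    print("exposed before:", find_plaintext_emails(SAMPLE_HTML))
    cleaned = obfuscate_emails(SAMPLE_HTML)
    print(cleaned)
    print("exposed after: ", find_plaintext_emails(cleaned))
```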