E-mail has long been used as an effective attack vector for delivering malware and conducting phishing attacks. We get unsolicited and potentially malicious emails like this in our inbox nearly every day, but what really makes an e-mail attack successful has more to do with trust than anything else. If an e-mail appears to be coming from a trusted source, it’s more likely it will be read. Couple that with a well-crafted message asking the recipient to follow instructions, and the chance of success on that attack increases immensely.
While this is an extremely common tactic for financial fraud, it also becomes especially helpful in targeted attacks. Sophisticated criminals looking to leverage email as their attack vector take the time to work on their e-mail deployment technology in the early stages of an attack campaign and are always looking for tools and techniques to refine their process.
The RSA FraudAction intelligence team recently discovered another version of the tool called Jigsaw, a script-based tool that enumerates information about a company’s employees to help with social engineering and e-mail phishing attacks.
So how does Jigsaw work? To start the process, the attacker searches for the target company’s name within the tool to find its Jigsaw ID, which is assigned to each company in the system (the Jigsaw ID is ultimately the key to harvesting employee names that are publicly available). For example, if the company being targeted is known as Inquirer, a Jigsaw search will yield the following, as seen in Figure 1.
The output shows the different companies that have the string “inquirer” in their names, the number of employees in those companies, and their respective Jigsaw IDs.
Once the attacker has identified the desired Jigsaw ID, the tool proceeds to break down the number of employees per department, as seen in Figure 2.
Each record includes employee names and their departments. Once the attacker has access to this information, they move on to supplying a domain name and crafting e-mail addresses. The attacker can supply any domain name desired, but to truly take advantage of user trust and increase the success rate of the attack, the domain name has to match the domain name of the company that is being attacked. Once that is established, the Jigsaw tool generates e-mail addresses by building usernames in different formats and appending the domain name to each.
Since the attacker may not know the email format adopted by the target company, Jigsaw supports four of the most common username formats:
- <First letter of name><Last name>@<Domain Name> – e.g. CElisan@baddomain.org
- <First name>dot<Last name>@<Domain Name> – e.g. Christopher.Elisan@baddomain.org
- <First name><First letter of last name>@<Domain Name> – e.g. ChristopherE@baddomain.org
- <Last name><First letter of name>@<Domain Name> – e.g. ElisanC@baddomain.org
Once the tool is finished collecting the information and generating e-mail addresses, the attacker is presented with a list of employees containing the following information:
- Full name
- Four e-mail addresses based on the four supported formats
- Four usernames based on the four supported formats
The output can be saved in CSV format to help with automation, which allows the attackers to use this list as an input to their e-mail deployment systems. The e-mail addresses on the list can be used as targets based on their owners’ positions in the company, or can be spoofed to exploit the trust of the e-mail’s recipient.
With a list of crafted e-mail addresses in hand containing the names of real people employed in the company, the attacker is in a position to launch a successful and targeted attack using social engineering, phishing or even malware downloads.
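Because the tool generates four candidate addresses per employee and a company normally uses only one format, a sender working from such a list tends to address several format variants of the same person. The Python sketch below looks for that pattern in mail-gateway recipient logs. It is an added example, not code from the original post or from Jigsaw; the roster, domain, log tuples and function names are constructed for illustration.

```python
from collections import defaultdict

def username_variants(first, last):
    """The four username formats listed in the article, lower-cased for matching."""
    f, l = first.lower(), last.lower()
    return {f[0] + l, f + "." + l, f + l[0], l + f[0]}

def find_format_sweeps(roster, rcpt_events, domain, min_variants=2):
    """Flag senders that addressed several format variants of one employee.

    roster:      iterable of (first, last) names from the HR directory
    rcpt_events: iterable of (envelope_sender, recipient) from gateway logs
    Returns {sender: {employee: [variants tried]}}.
    """
    # Map every guessable local part back to the employee(s) it derives from.
    owner = defaultdict(set)
    for first, last in roster:
        for local in username_variants(first, last):
            owner[local].add(f"{first} {last}")

    tried = defaultdict(lambda: defaultdict(set))
    for sender, rcpt in rcpt_events:
        local, _, dom = rcpt.lower().rpartition("@")
        if dom != domain.lower():
            continue  # not addressed to the protected domain
        for employee in owner.get(local, ()):
            tried[sender][employee].add(local)

    hits = {}
    for sender, per_employee in tried.items():
        flagged = {e: sorted(v) for e, v in per_employee.items()
                   if len(v) >= min_variants}
        if flagged:
            hits[sender] = flagged
    return hits

# Constructed sample data (not real people, domains or logs).
ROSTER = [("Alex", "Rivera"), ("Dana", "Cole")]
DOMAIN = "corp.example"
EVENTS = [
    ("bulk@sender.example", "arivera@corp.example"),
    ("bulk@sender.example", "alex.rivera@corp.example"),
    ("bulk@sender.example", "alexr@corp.example"),
    ("bulk@sender.example", "riveraa@corp.example"),
    ("bulk@sender.example", "dana.cole@corp.example"),
    ("partner@vendor.example", "alex.rivera@corp.example"),
]

if __name__ == "__main__":
    for sender, employees in find_format_sweeps(ROSTER, EVENTS, DOMAIN).items():
        print(sender, employees)
```

A legitimate correspondent uses one address per person, so the default threshold of two variants keeps ordinary mail out of the results.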
Jigsaw could prove to be an extremely valuable tool in helping cybercriminals plan more sophisticated email-based attacks. We’ll be keeping an eye on any new developments and will be sure to report back.