About password harvesting

This post was published on 26-Sep-2013 and concerns password harvesting.

Business Intelligence (BI) is becoming popular due to business expansion.

To get at BI, hackers first need to gain access, so password harvesting becomes an important step.

There are many ways to obtain user security information:

  1. Phishing – create a site with a URL similar to a branded company's, spam out email, and then wait for users to visit the site and enter their security information. Like fishing.
  2. Target the mail server and send multiple login attempts.
  3. Create a popular app (with a Trojan), upload it to a branded smartphone store, and then wait for users to download and install it. Once the app is installed, the Trojan opens a backdoor for the hacker to obtain the user's security information.
  4. Hack the firewall and router to hijack security information.

Once hackers manage to gain access to email, the corporate portal and SMS information, they are able to sell the information as BI.

For phishing and apps, it really depends on user skill and public awareness of current affairs.

For mail servers, it depends on the mail server administrator's skill and the complexity of user passwords.

For firewall and router security, it depends on the corporate IT security measures.

Some hackers do have ways around brute-force protection, and systems that do not have brute-force protection are much easier to hack.

Exchange Server doesn't have brute-force protection, but Exchange does have security policies that enable it to prevent some types of password harvesting, but not all.
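One way to spot the repeated login attempts against a mail server described above is to count failed logins per source address and per account in a sliding time window. This is an added example, not part of the original post; the log format, field names, threshold and window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format (not a real mail server's log).
SAMPLE_LOG = """\
2013-09-26T10:00:01 result=FAIL user=alice src=203.0.113.5
2013-09-26T10:00:02 result=FAIL user=bob src=203.0.113.5
2013-09-26T10:00:03 result=FAIL user=carol src=203.0.113.5
2013-09-26T10:00:10 result=OK user=alice src=192.0.2.10
2013-09-26T10:01:00 result=FAIL user=frank src=198.51.100.1
2013-09-26T10:02:00 result=FAIL user=frank src=198.51.100.2
2013-09-26T10:03:00 result=FAIL user=frank src=198.51.100.3
2013-09-26T10:05:00 result=FAIL user=grace src=192.0.2.7
2013-09-26T10:25:00 result=FAIL user=grace src=192.0.2.7
2013-09-26T10:45:00 result=FAIL user=grace src=192.0.2.7
not a log line
"""

def parse(line):
    """Return (timestamp, result, user, src), or None for a malformed line."""
    parts = line.split()
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return ts, fields["result"], fields["user"], fields["src"]
    except (ValueError, KeyError, IndexError):
        return None

def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources and accounts with >= threshold failures inside the window."""
    recent = defaultdict(deque)  # ("src" | "user", value) -> failure timestamps
    flagged = set()
    for line in log_text.splitlines():  # lines are assumed to be in time order
        rec = parse(line)
        if rec is None or rec[1] != "FAIL":
            continue
        ts, _, user, src = rec
        for key in (("src", src), ("user", user)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged.add(key)
    return flagged

if __name__ == "__main__":
    print(sorted(detect(SAMPLE_LOG, threshold=3)))
```

Counting per account as well as per source catches failures against one mailbox that arrive from several addresses, which a per-source counter alone would miss.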

So far, I don’t see any complete security solution that can totally prevent password harvesting.

Once the hacker gains access to the corporate email and sells it to that corporation's competitor, the competitor might redirect the email to themselves, and the corporation might not have a copy of the redirected email.

Many corporate businesses are affected due to smartphone devices and deficiencies in corporate security measures.