No, Gmail did not just break all open tracking
I was avoiding commenting on the email open tracking bad take that seems to be going viral round the more gullible corners of LinkedIn.
Read MorePhishing and authentication
This morning I got a rather suspicious message from a colleague on LinkedIn.
B2B mail and compliance failures
This morning I got an email to a tagged address. The tag matched the company so it’s very likely I did actually sign up. Digging back through my mailbox, I see one previous email to that account – back in 2008.
Read MoreSocial media connections are not opt-ins
It seems silly to have to say this, but connecting on social media is not permission to add an address to your newsletter or mailing list or prospecting list or spam list. Back in 2016, I wrote:
Read MoreAppending in a nutshell
A few months ago a colleague sent me, and every other person on his overly large LinkedIn list, an email looking for some help hiring. It starts off with “Greetings LinkedI Connections” and ends with… an unsubscribe link.
Read MoreLinkedIn addresses frequency issues
Yesterday LinkedIn announced they’re decreasing the amount of mail they’re sending to users.
Read MoreLinkedIn shuts down Intro product
Intro was the LinkedIn product that created an email proxy where all email users sent went through LinkedIn servers. This week LinkedIn announced it is discontinuing the product. They promise to find new ways to worm their way into the inbox, but intercepting and modifying user mail doesn’t seem to have been a successful business model.
Read MoreCompromising a Mail Client
Your entire work life is in your work mail client.
All the people you communicate with – co-workers, friends, family, vendors, customers, colleagues.
Every email you send. Every email you receive. Any files you attach or receive.
If someone can compromise your mail client, they can see all that.
They can save copies of all your emails, data-mine them and use them for whatever purpose they like. They can build a view of your social network, based on who you exchange emails with, and a model of who you are, based on what you talk about.
That companies like Google do this for “free”, advertising supported webmail shouldn’t be much of a surprise by now – but your corporate email system and your work email is secure, right?
What if an attacker were to set up a man-in-the-middle attack on your employees? Install malware on their iPhone, such that all traffic were transparently routed through a proxy server controlled by the attacker?
Or they could use a more email-centric approach, configuring the compromised mail client to fetch mail from an IMAP server controlled by the attacker that took the employees credentials and passed them through to their real corporate IMAP server – that would let the attacker completely control what the compromised user saw in their inbox. As well as being able to read all mail sent to that user, they could silently filter mail, they could deliver new mail to the users inbox directly, bypassing any mail filters or security. They could even modify the contents of email on-the-fly – adding tracking links, redirection URLs or injecting entirely new content into the message.
Similarly, the attacker could route all outbound mail through a man-in-the-middle smarthost that copied the users credentials and used them to send mail on to their real corporate smarthost. As well as being able to read and modify all mail sent the attacker could also use that access to send mail that masqueraded as coming from the user.
Sounds like the sort of thing you’d expect from criminal malware? Not quite. What I’ve just described is Intro, a new product from LinkedIn.
LinkedIn will be asking your users to click on a link to install a “security profile” to their iPhones. If they do, then LinkedIn will have total control over the phone, and will use that to inject their SMTP and IMAP proxies into your users mailstreams. The potential for abuse by LinkedIn themselves is bad enough – I’ve no doubt that they’ll be injecting adverts for themselves into the mailstream, and their whole business is based on monetizing information they acquire about employees and their employers. But LinkedIn have also been compromised in the past, with attackers stealing millions of LinkedIn user credentials – if they can’t protect their own users credentials, I wouldn’t trust them with your employees credentials.
You might want to monitor where your employees are logging in to your servers from – and suspend any accounts that log in from LinkedIn network space.
Edit: Bishop Fox has looked at Intro too, and come to similar conclusions. TechCrunch too.