Security professionals in companies sometimes run exercises such as an internal phishing campaign.
To run one, they may have used the open source penetration testing tool called Jigsaw. The tool lets security teams automatically generate candidate email addresses from a minimal amount of public information.
As with other open source security and networking tools such as Metasploit, Nessus and Nmap, attackers can use the tools for their own purposes. Jigsaw now seems to be falling into that category: researchers on RSA Security's FraudAction team said they have seen it used in attacks.
Jigsaw is a Ruby script-based email enumeration tool that queries the Jigsaw business directory. It generates email addresses in one of four popular naming conventions from the information available in the database. The Jigsaw directory, meanwhile, is a cloud-based, real-time database that is primarily crowdsourced. More than 27 million business contacts and four million company profiles are in the directory, which is maintained by more than one million users. It is a rich hunting ground for cybercriminals, and an important tool for pen-testers and enterprise security teams assessing how aware employees are of the dangers of email-based spam and phishing campaigns.
RSA principal malware scientist Christopher Elisan said researchers from its fraud intelligence team saw a version of Jigsaw used in attacks. Elisan said new features added to the tool last November enhance the granularity of the business contact data returned in the final output, such as a target's username, and add HTTPS support for database requests.
The Jigsaw tool is intuitive. A user simply enters a search argument such as the target company's name, and the tool returns all of the companies it knows of with that name, plus the number of employees listed and the company's Jigsaw directory ID. Knowing the ID, an attacker can get much more granular and, for example, find employee names per department, based on what is available in the directory. The attacker then supplies the tool with the company's domain name, and the Jigsaw tool generates a list of possible email addresses.
“One thing the directory doesn’t have is the employee’s email address,” Elisan said. “What Jigsaw does is generate email addresses for you. The way it does that is that it uses four common formations used by companies as log-ins and attaches those to the supplied domain name.”
Since an attacker may not know the target company's particular email convention, the Jigsaw tool generates a list of email addresses using four patterns appended to the supplied domain name: first initial plus last name, first name dot last name, first name plus last initial, and last name plus first initial. For an employee named Jane Doe at example.com, those are jdoe@example.com, jane.doe@example.com, janed@example.com and doej@example.com.
“All of the information is displayed to the attacker who can save it to a CSV file that will contain an employee’s name, department and crafted email addresses based on the formats added to the domain,” Elisan said. “The CSV file is then fed into an automated system. That list also comes with a configuration file that can be fed into a botnet.”
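The following is an added example, not code from the Jigsaw project or from RSA: a small Ruby script that reproduces the address-generation step described above, building the four candidate addresses for each directory record and writing the same kind of CSV (name, department, crafted address) that Elisan describes. It also includes a defender-side check, guessable?, that tells whether a real address follows one of the four patterns, which is the case Davis's advice about less predictable username conventions is meant to avoid. The contact records and domain are constructed sample data, and the normalization rule (lowercase, drop anything that is not a letter or digit) is an assumption; the real tool may normalize names differently.

```ruby
require 'csv'

# Constructed sample records standing in for directory output (not real data).
# The directory holds names and departments but not email addresses.
SAMPLE_CONTACTS = [
  { first: 'Jane',     last: 'Doe',          department: 'Finance' },
  { first: 'John',     last: "O'Neil",       department: 'IT' },
  { first: 'Mary Ann', last: 'van der Berg', department: 'HR' },
].freeze

# Normalize a name part for use in an email local part: lowercase, drop
# apostrophes, spaces and any other non-alphanumeric character (assumption).
def normalize(part)
  part.to_s.downcase.gsub(/[^a-z0-9]/, '')
end

# The four conventions from the article, keyed by a short label.
# Returns an empty hash when either name part is unusable after normalization.
def candidate_locals(first, last)
  f = normalize(first)
  l = normalize(last)
  return {} if f.empty? || l.empty?

  {
    'flast'      => "#{f[0]}#{l}",  # first initial + last name   (jdoe)
    'first.last' => "#{f}.#{l}",    # first name . last name      (jane.doe)
    'firstl'     => "#{f}#{l[0]}",  # first name + last initial   (janed)
    'lastf'      => "#{l}#{f[0]}",  # last name + first initial   (doej)
  }
end

# Attach the supplied domain to each candidate local part.
def candidate_addresses(first, last, domain)
  candidate_locals(first, last).transform_values { |local| "#{local}@#{domain}" }
end

# Build the CSV an attacker (or a phishing-exercise operator) would feed into
# a mailing system: one row per candidate address.
def to_csv(contacts, domain)
  CSV.generate do |csv|
    csv << %w[first last department convention email]
    contacts.each do |c|
      candidate_addresses(c[:first], c[:last], domain).each do |conv, addr|
        csv << [c[:first], c[:last], c[:department], conv, addr]
      end
    end
  end
end

# Defender-side check: does a known-good address match one of the four
# patterns an enumeration tool would try, given only the employee's name?
def guessable?(address, first, last, domain)
  candidate_addresses(first, last, domain).value?(address.to_s.downcase)
end

if $PROGRAM_NAME == __FILE__
  puts to_csv(SAMPLE_CONTACTS, 'example.com')
  puts "jane.doe@example.com guessable: #{guessable?('jane.doe@example.com', 'Jane', 'Doe', 'example.com')}"
  puts "jd4821@example.com guessable:   #{guessable?('jd4821@example.com', 'Jane', 'Doe', 'example.com')}"
end
```

Running the script prints a 13-line CSV (header plus four rows for each of the three sample contacts) and shows that a first-name-dot-last-name address is guessable from the name alone, while an initials-plus-identifier address is not.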
Royce Davis, one of the developers of Jigsaw, said organizations need to think hard about the information they share online and in other forums.
“In the case of the Jigsaw database, I do not believe companies are intentionally providing their information. I believe the records are harvested from business cards which get handed out like candy at various conferences and public gatherings,” Davis said. “What I have shown with my tool is that an attacker doesn’t need to necessarily obtain a user’s email address. Simply obtaining their first and last name is often enough to craft a valid email address. For this reason I would recommend that companies become more creative with their username conventions. For example, the first and last initial combined with a unique identifier could look like ‘email@example.com.’ This would be much more difficult to guess than the more traditional ‘firstname.lastname@example.org.’ ”