Story of a dot (.): Dramatic Cyber Security Events (Gmail, Aadhaar, IDFC, Spam, Password Cracking, Me & Python)

Ajit kumar
Dec 28, 2018 (7 min read)

As 2018 will be over in a few days, I thought why not end this eventful year by sharing an interesting story which is real, technical and educative. The main actor of this story is the "spam" email. Yes, spam email, which can be defined as any "unsolicited message" sent in bulk, a by-product of cheap email-based marketing. Many of you will have received such emails, which sell you products you never wanted or wished for, or give you suggestions on topics that are in no way related to you. One particular type of spam email is related to banking and finance and is also known as a "phishing email"; phishing is quite different from ordinary spam, and not all such emails are for phishing. The funny thing is, we get emails from banks where we never had an account, sending us approved-loan notifications, credit-card approvals and so on. Google tries very hard to filter out such emails (spam and phishing), but attackers somehow bypass the filters, and so your mailbox ends up with lots of such emails on a daily basis.

The Unrelated Receiver: Aadhaar and Biometric Authentication

OK, so enough of the prologue. Like many of you, I also used to get many spam emails, and my cyber security background keeps me on alert, so I just deleted such emails without opening any of them. (Don't open such emails: opening them tells the other side that the account is active, which is very useful information for an attacker or a marketer.) All was fine until I started getting emails about biometric verification at Aadhaar-related services, even though I had never used my Aadhaar before. (Aadhaar is an Indian government initiative to provide a unique identification number to each citizen. Registration and verification are done using biometric methods such as fingerprints and retina scans. A citizen can use Aadhaar to perform verification (authentication) for various government and non-government services.) Because of my cyber security background, I first treated these emails as spam or phishing as well and ignored them, but when they kept coming persistently, I decided to investigate.

The email about Aadhaar-related authentication.

In the Aadhaar-related email, the name was similar to mine (the first name was the same but the surname was different), and the four digits of the Aadhaar number shown were also different from mine. I could not understand why this was coming to my email id. In the verification email, the Aadhaar authority, i.e. UIDAI, had given a help email id, so I forwarded the email and described the matter in detail, but the response was not enough to convince me. Although I was not satisfied with the outcome, work and other commitments took over, and this email and the Aadhaar verification matter slipped out of my mind.

The Unrelated Beneficiary: IDFC bank and Customer emails

All banks send emails about various services to their customers. So does IDFC Bank, but why was I getting such emails? I never had an account with IDFC Bank, nor any other business with them. Again, my earlier assumption was that these emails were spam or phishing. Then one fine day I decided to check the IDFC emails and observed that some of them carried a PDF attachment claiming to be a monthly bank statement. These attachments drew me in because at that time I was working on "document-based malware" (I have done a little research work on malware :)), and I thought these would be either phishing emails or malware droppers; in either case I would get a sample to work with (phishing detection or malware dropper). I was careful, so I opened the email in a controlled environment and downloaded the PDFs. The email body stated that the PDF is encrypted, and it also disclosed the password policy, which was simply the customer's "date of birth" in a particular format, i.e. DDMMYYYY (8 characters). I opened the PDF and, when prompted, entered my own birthday as the password, but got an error saying the password was wrong. Now I forgot about phishing, malware droppers and so on, and treated this as a PDF password-cracking problem.

Password Cracking and Python

As the password policy was explained clearly and it has a very small search space, I decided to brute-force it and wrote a small script rather than using any PDF password-cracking tool. Having been a Python developer for years, I fired up my Python environment and wrote a script to crack the password of the PDF file. I used the "pyPdf" Python module to read the PDF and try the candidate passwords. Within a few minutes the script popped out the correct password, which was the date of birth of the customer. After entering the resulting value as the password, the PDF opened smoothly and, voila, I had the bank statement of an IDFC Bank customer, containing plenty of information.
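To make the "very small search space" concrete, here is an added example (my own code, not the script used in the story) that measures the DDMMYYYY choice space and compares it with a random password, plus the check a statement-issuing service could run to reject a date-of-birth-shaped password before ever using it. The birth-year range 1900 to 2018 is an assumption.

```python
import math
from datetime import date, datetime


def dob_keyspace(first_year: int, last_year: int) -> tuple:
    """Number of valid DDMMYYYY passwords for birthdays in [first_year, last_year],
    and the effective entropy in bits of choosing a password from that space.

    Every calendar day in the range is one candidate, so the count is just the
    number of days (leap years handled by the date arithmetic).
    """
    count = (date(last_year, 12, 31) - date(first_year, 1, 1)).days + 1
    return count, math.log2(count)


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def looks_like_dob(password: str, first_year: int = 1900, last_year: int = None) -> bool:
    """True if the password is exactly a real calendar date in DDMMYYYY form.

    A service that encrypts statements could use this to refuse the weak scheme
    the article describes; impossible dates such as 31/02 are not dates and so
    are not flagged.
    """
    if last_year is None:
        last_year = date.today().year
    if len(password) != 8 or not password.isdigit():
        return False
    try:
        d = datetime.strptime(password, "%d%m%Y").date()
    except ValueError:
        return False
    return first_year <= d.year <= last_year


if __name__ == "__main__":
    # Assumed birth-year range 1900..2018 (the year of the story).
    count, bits = dob_keyspace(1900, 2018)
    print(f"DDMMYYYY candidates: {count} (about {bits:.1f} bits)")
    print(f"random 8-char alphanumeric: {random_password_bits(8, 62):.1f} bits")
    print("29021980 looks like a DOB:", looks_like_dob("29021980", last_year=2018))
```

The whole date-of-birth space is tens of thousands of candidates, around 15 bits, against roughly 47 bits for a random 8-character alphanumeric password, which is why a script can exhaust it in minutes.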

The Connection: Back to Beginning

Among all the other information, the most striking item was the name of the customer. The customer's name was similar to mine (does it ring a bell?). Yes, it was the same name as in the Aadhaar verification email. This triggered lots of questions and challenged me to investigate the matter further. I started reading the email again and was surprised: how had I missed the name before? It was the same name as in the Aadhaar email and the PDF statement. So one thing was clear: these emails were not spam or phishing, but had somehow ended up at the wrong destination. So I had to continue the investigation from the "To" address of the email. :)

The top part of the PDF statement. (Customer id and name are omitted for privacy.)

The Climax and The Villain

Clicking on the "show details" option of the opened email shocked me further. The email address in the "To" field looked the same as my email id, but on a closer look I found that all the characters were the same except that one dot (.) was missing. This dot took me straight back to an article I had read about the use and misuse of the dot (.) in Gmail addresses. The mystery was solved and the dot (.) seemed to be the villain of the story, but I still wanted to be sure, so I had to verify it with the actual customer (yes, the bank statement has all the details, i.e. address, phone, balance and more; I can contact him).

The story of dot (.) in Gmail address

After going through the official Google pages, I found that the dot (.) doesn't matter in a Gmail address, so if my email address is <exampleajit@gmail.com>, no one else can have <example.ajit@gmail.com>, and all emails sent to a dotted version of my address will reach me, i.e. emails sent to <example.ajit@gmail.com> or <exam.ple.ajit@gmail.com> will reach only <exampleajit@gmail.com>. You can read about the dot (.) in detail at the link given at the end.
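The following is an added example (my own code, not from Google or from any of the organizations in the story) that normalizes addresses the way Gmail delivers them, so a service can tell that two stored customer addresses differing only by dots are really one mailbox. It assumes Gmail's documented rules: dots in the local part are ignored, case is ignored, googlemail.com is an alias of gmail.com, and a "+tag" suffix is ignored; addresses at other domains are only case-folded.

```python
# Domains for which dots in the local part are ignored (assumption: only these).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return the form Gmail actually delivers to.

    Case is folded, dots in the local part are dropped, a '+tag' suffix is
    removed and googlemail.com is mapped to gmail.com, so every alias of one
    mailbox maps to one string. Other domains are only case-folded.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = address.lower().split("@")
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True if mail to either address lands in the same Gmail inbox."""
    return canonical_gmail(a) == canonical_gmail(b)


def find_collisions(addresses):
    """Group stored addresses by the mailbox they really reach.

    Returns {canonical: [stored, ...]} only for mailboxes that more than one
    distinct stored address resolves to; an onboarding system could flag such
    entries for re-verification before sending anything sensitive.
    """
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_gmail(addr), []).append(addr)
    return {k: v for k, v in groups.items() if len(set(v)) > 1}


# Constructed sample: three records that all reach one inbox, one that does not.
SAMPLE = ["exampleajit@gmail.com", "example.ajit@gmail.com",
          "Exam.Ple.Ajit@googlemail.com", "example.ajit@outlook.com"]

if __name__ == "__main__":
    for canon, stored in find_collisions(SAMPLE).items():
        print(f"{canon} is reached by {len(stored)} stored addresses: {stored}")
```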

So, what is the reason these emails are coming to my inbox? After thinking and reading further, my hypothesis is that the customer gave a wrong email id to Aadhaar and to the IDFC branch, and because these organizations don't verify the email address before starting their services, the email comes to my address. Judging by the account balance, I assume the customer is not tech savvy and doesn't use email regularly; even if he does, he will not notice that these emails are missing, because they are just notifications and he isn't waiting for them. Anyway, I will verify the information and update this article. My conclusion is very similar to the article below, where the author explains the importance of the dot. Many serious attacks can be launched because many online service providers use email as a "safe" channel for password resets and for sending sensitive information to the user.

https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user.html

Lessons to be Learned
1. One must be very careful when giving an email address to any organization. On a hand-written form, try to write it in upper case (upper and lower case are treated the same in email addresses), which reduces the risk of a wrong email entry into the system. (The customer.)

2. The service provider must verify any email address before using it to pass information to the customer. (Aadhaar and IDFC.) In this case, the password-reset functionality of both organizations could be used to launch a serious attack on the customer.

3. The organization must use a strong password mechanism to encrypt sensitive files and must not share the password through any medium other than directly with the recipient. (IDFC's weak password scheme, and the policy of repeating it in every email.)

4. Users must be very careful when creating a new email address on Gmail or any other email provider, and try to avoid confusable characters.

Note 1: The purpose of this article is only to inform the audience about this cyber security issue; there is no intention to harm anyone in any way. In case of any such issue, please let me know.

Note 2: This article has not been proof-read for English, so it may contain grammatical errors. Pardon me.

https://support.google.com/mail/answer/7436150?hl=en
