Firewall Wizards mailing list archives

Re: Linked-in and its Phishing-like contacts option!


From: Magosányi Árpád <mag () magwas rulez org>
Date: Wed, 24 Apr 2013 20:40:51 +0200

On 04/23/2013 01:30 AM, Mathew Want wrote:
> Hiya all.
>
> Has anyone else noticed the option to see who else they know is
> connected on Linked-in? Have you noticed that if you click on the
> outlook button it asks you for your WORK EMAIL PASSWORD!!!!!

It's just plain bad luck. Not everyone uses outlook :)


[...]
> Am I the only one that thinks this is a touch negligent on the part of
> Linked-in? Or should I just accept that it is corporate facebook,
> accept that they have the same moral fibre and move on?



Indeed it is the corporate facebook. And it is a very good example to be
used in a security awareness pamphlet. Nice opportunity to show the
policy ("don't do that"), and the possible attack vectors associated
with it (e.g. fake LinkedIn phishing page).
Providing your personal address book is a matter of trust between you
and LinkedIn (I personally don't have that much in any online entity as
a matter of principle).
Providing the work one is a matter of trust between your employer and
LinkedIn.

Let's make the discussion relevant here:
I guess this particular case could be yanked off with a simple url
filter on the corporate firewall.
Is there a public pattern database for this kind of URI?

I have failed to figure out from page source how the actual address book
fetching works with a short look. I guess that would provide for smarter
ways for blocking this kind of attack. Any good ideas?
