Dial Home Docs

[allen.deryke at hushmail.com (Allen Deryke)]

I admit, it does take some social engineering for both cases to work.

You just need to make the webcontent seem critical to the message. In  
an email a sentence like "your new acess code is:" followed by you  
bugged image.

Have it set up so that if the macro isn't run make the excel data seem  
invalid, mess with formating ect.

-- Allen Deryke

On Sep 21, 2009, at 10:33 AM, Adrian Crenshaw <irongeek at irongeek.com>  
wrote:

> I've done the webbugs in emails before, the problem is anymore most  
> email clients seem to turn off image loading by default.
>
> Adrian
>
> On Mon, Sep 21, 2009 at 10:07 AM, Allen Deryke <allen.deryke at hushmail.com 
> > wrote:
> Yeah, but excel prompts about this stuff so much that most people  
> would just click "ok".
>
> Also links to external images in emails or docs is a great way to  
> pull this off.
>
> -- Allen Deryke
>
> On Sep 21, 2009, at 9:47 AM, Adrian Crenshaw <irongeek at irongeek.com>  
> wrote:
>
> > But would that illicit a warning?
> >
> > Adrian
> >
> > On Mon, Sep 21, 2009 at 3:23 AM, Dimitrios Kapsalis <dimitrios at gmail.com 
> > > wrote:
> > The only way I can think of this occuring in a word doc is to write  
> > a macro.
> >
> > The macro can just ping your box, this should be enough to get the  
> > IP.
> >
> > On Mon, Sep 21, 2009 at 2:56 AM, Andrew Ellis  
> > <only.samurai at gmail.com> wrote:
> > You could add a tab to firefox's default tabs (the ones it loads on a
> > new session) that points to a webserver you control. Eventually, the
> > stolen laptop's new user will open firefox anew and you'll have the
> > new IP. Obviously if the person stealing your box mounts the drive
> > rather than logging in, this won't help.
> >
> > -andrew
> >
> > On Sun, Sep 20, 2009 at 3:49 PM, Adrian Crenshaw <irongeek at irongeek.com 
> > > wrote:
> > > I recently had a conversation with an author about webbugs, and  
> > it brought
> > > another idea to mind. I seem to remember John Strand saying  
> > something about
> > > Val Smith doing something with detecting insider threats by  
> > leaking a
> > > document and seeing who opens it. (sorry I can't remember more).
> > >
> > > Here is the question, anyone know how to make a doc/docx/pdf load  
> > something
> > > from an external site so you can at least find the ip of someone  
> > who opened
> > > the document?
> > >
> > > Thanks,
> > > Adrian
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > --
> > Andrew Ellis
> > http://www.samurainet.org/blog
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090921/68c75984/attachment.htm