Harvesting emails and other personal data from LDAP
One of my recent challenges involves searching data in LDAP directories. After experimenting for a while, I had to test the code. The plan required setting up my own server, configuring it and populating it with some dummy data. I was not enthusiastic about it, because that would extend the scope of the experiment and take a lot of time.
But I got lucky! It turns out there are a lot of public LDAP servers that can be accessed anonymously. In a matter of minutes I was sifting through mountains of interesting data. The juicy part is that the details are tightly correlated - I don't see just emails or just names; I see the name and the email address associated with it. Depending on the directory schema, there may be other data available.
This is a great deal for spammers - email addresses are accompanied by names, and you know which country the person is from (usually taken from the c [country] component of the DN, the distinguished name):
dn: uid=11260,cn=Berliner Volksbank e.G. CA 2004 1,o=Berliner Volksbank e.G.,c=DE
mail: holger.r*****@berliner-volksbank.de
o: FIDUCIA IT AG
c: DE
sn: R*****
cn: Holger R*****
objectClass: person
objectClass: organizationalPerson
Since many directories are hosted by universities, you can also see which department the person belongs to. In this example, you can also see a timestamp that tells you how fresh the data are:
dn: uid=aaa258,ou=Students,o=New York University,st=New York,c=US
cn: Alicia A Alc****ra-Hewitt
cn: aa***8
givenname: Alicia A
surname: Alc****ra-Hewitt
uid: aa***8
mail: aa***8@nyu.edu
o: New York University
ou: Steinhardt School of Culture, Education, and Human Development
description: Student
sn: Alc****ra-Hewitt
createtimestamp: 20120120152644Z
Some directories provide information about mailing lists, which include the email addresses of every subscriber:
('cn=bosto****ociates,ou=User Groups,ou=Groups,dc=umich,dc=edu',
{'member': ['uid=al***at,ou=People,dc=umich,dc=edu'],
'objectClass': ['top', 'rfc822MailGroup', 'umichExpire'],
'owner': ['uid=al***at,ou=People,dc=umich,dc=edu'],
'rfc822mail': ['mbu***4@gmail.com',
'ck***eyw@hotmail.com',
'pjk***ner@yahoo.com',
'katemr***ardson@gmail.com',
'es***e@umich.edu',
'jeffreyc***ens@gmail.com',
'sm***rett@gmail.com',
'gl***on.katie@gmail.com']})
In some cases emails are not shown, but once you know a person's name, their email address can be guessed. For example, if you know my name and the address pattern used in my company - firstLetterFirstName dot lastName @ company.com - you can work out what the email address is.
Phishers and spammers can exploit this by tailoring messages to the recipient, so that a phishing message is hard to tell apart from a legitimate one.
Another handy aspect is that the data come in an "easy to use form". Many directories have web-based search front-ends; there you have to run search queries and parse the resulting HTML to extract the data. With LDAP, in contrast, you just run the query and receive the data as "a large, properly formatted data file" (see the example above: it was taken directly from a Python console - the emails are in a list and everything is in a dictionary).
If you think about it, you'll probably ask "But isn't this the point of a public directory?". Yes, that is what such directories are for. Unfortunately, this also exposes a lot of personal information that can be used to craft sophisticated phishing attacks.
Some directories provide phone numbers too. You can either spam these people to death with voice robots (it is easy to automate this with Asterisk), or you can rely on this information to refine your email phishing campaigns. After sending them an email, you can call - thus making the email appear legitimate. A skilled social engineer can be very persuasive.
On the bright side, there were several LDAP directories that:
- imposed limits on the number of returned search results
- denied access to some parts of the directory
- used a GUID instead of a real name (presumably that identifier can be linked to a person in some other database)
If I ever turn to the dark side, LDAP servers would definitely be a top priority in my evil experiments.
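As an added illustration that is not part of the original post, here is what the first two of the controls listed above (result limits and denying anonymous access to parts of the directory) look like in OpenLDAP's cn=config, with a world-readable configuration shown first for contrast. The suffix dc=example,dc=com, the ou=Students subtree and the {1}mdb database index are assumed placeholders.

```ldif
# Added example (not the original post's code): OpenLDAP slapd cn=config
# fragments contrasting a directory that lets anonymous clients read
# everything with one that limits what an unauthenticated client can see.
# dc=example,dc=com, ou=Students and {1}mdb are assumed placeholders.

## Weak: every attribute of every entry is readable without binding,
## and a single search may return the whole tree.
dn: olcDatabase={1}mdb,cn=config
olcSizeLimit: unlimited
olcAccess: {0}to * by * read

## Hardened: anonymous clients may only authenticate; identifying
## attributes are visible to authenticated users only; results are capped.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 50
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to attrs=mail,telephoneNumber,homePhone,createTimestamp
  by self write
  by users read
  by anonymous none
olcAccess: {2}to dn.subtree="ou=Students,dc=example,dc=com"
  by users read
  by anonymous none
olcAccess: {3}to *
  by users read
  by anonymous none

## Stricter still (global): refuse anonymous binds and require an
## authenticated session for any operation.
dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon
-
replace: olcRequires
olcRequires: authc
```

The third control from the list, exposing an opaque identifier instead of a name, is a schema decision rather than an access rule and is not shown here.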
2 comments

Comment from: Constantin (Visitor)
The Tufts LDAP is public too (at least from inside the network), and I was wondering why they did that. But the phone number is a dorm line that no one uses anyway. And the only "spam" I've got (that got past the filter) were legitimate job offers :P

Comment from: gr8dude (Member)
It is funny, because I did look for you :-)
I found a list of public directories and began sifting through it, looking for places where friends of mine are studying. Tufts wasn't there, but... the server's address is just a couple of search queries away.
The directory is readable by anyone and I can tell you that there's only one person with your last name in it :-)