MU Phishing Attack

Friday, September 1st, 2018



Here's the interesting thing about this article for me: I actually see the same type of "mistake" the Missouri State Democratic Party made from Bankers who should know better (many are senior level loan, compliance, and security officers). Many local civic groups do the same (I just released one from the King City Chamber of Commerce).

Unfortunately, we're all busy, and usually take the fastest route instead of the safest route...

Here's how it works: Emails are sent to multiple recipients, with all the email addresses in the To: line or Cc: line. So, every "Reply All" to the first message, or subsequent messages, goes out to everyone. It's kind of like our distribution lists (which is what the Mo. State Dems accidentally used), only with every address listed instead of the distribution list address.

All a bad actor would need to do is glean those addresses, or better yet, figure out who the creator of the group list was, hack her/him (or spoof her/his email address), send a phish out to the group, and presto! Access to multiple Bank networks...

The scary thing for us (me!) is that we have multiple user email addresses sitting out there in these lists. This puts those users at a greater risk of being phished.

Further, it weakens the training we do from KnowBe4. One of the Red Flags for an attempted phish is an email with multiple addresses in the To: or Cc: line. If we get used to opening and responding to legitimate emails like this, it makes us less wary of bad emails in the same format. Worse, if the list itself is compromised (like at MU), malware starts flying into people's inboxes. Ay, caramba!

Here's the article:

SCmagazine Article

If you wish to send out an email to a group of people, and don't want to expose every email address, send the email to yourself, and put all the other addresses in the Bcc: line (stands for Blind Carbon Copy). The only address any recipient will see is yours.
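
The check and the fix described above, as an added example that is not part of the original post: it counts the addresses a message exposes in To:/Cc: and rebuilds the same mail in the Bcc form (To: yourself, everyone else only in the SMTP envelope). The sample message, the `.example` addresses, the function names and the threshold of 2 are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample: a group mail with every address exposed in To:/Cc:.
SAMPLE = """\
From: Organizer <organizer@chamber.example>
To: alice@bank-a.example, Bob <bob@bank-b.example>
Cc: carol@bank-c.example, ALICE@bank-a.example
Subject: Monthly luncheon

See you Thursday.
"""

def exposed_recipients(msg):
    """Distinct addresses every recipient can read in the To:/Cc: headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    # Lower-cased for de-duplication (mailboxes are case-insensitive in practice).
    return sorted({addr.lower() for _, addr in pairs if addr})

def audit(raw, limit=2):
    """Flag a message whose visible recipient list exceeds `limit` (assumed threshold)."""
    msg = message_from_string(raw, policy=policy.default)
    seen = exposed_recipients(msg)
    return {"exposed": seen, "flag": len(seen) > limit}

def to_bcc_form(raw):
    """Rebuild the mail as To: sender only; return (wire_message, envelope_rcpts).

    The envelope list is what the mail server is told to deliver to; those
    addresses never appear in the headers that recipients receive.
    """
    old = message_from_string(raw, policy=policy.default)
    sender = getaddresses([str(old["From"])])[0][1].lower()
    new = EmailMessage()
    new["From"] = str(old["From"])
    new["To"] = sender                      # the only visible address
    new["Subject"] = str(old["Subject"])
    new.set_content(old.get_content())
    return new, [sender] + exposed_recipients(old)

if __name__ == "__main__":
    print(audit(SAMPLE))                    # original: three addresses exposed
    wire, rcpts = to_bcc_form(SAMPLE)
    print(wire.as_string())                 # headers show only the sender
    print("envelope recipients:", rcpts)
```

The envelope list returned by `to_bcc_form` is what you would pass as `to_addrs` to `smtplib.SMTP.send_message` when actually sending.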