If you’ve run an internal phishing exercise, chances are you may have used Jigsaw, an open source penetration testing tool that enables security teams to automatically generate email address combinations from a minimal amount of public information.
As with other open source security and networking tools such as Metasploit, Nessus and Nmap, cybercrime groups have been known to pervert them for harm. Such may be the case with Jigsaw, which researchers at RSA Security’s FraudAction team said they’ve seen being used in active attacks.
Jigsaw is a Ruby script-based email enumeration tool that accesses the Jigsaw business directory. It generates email addresses in one of four popular naming conventions from information available in the database. The Jigsaw directory, meanwhile, is a cloud-based real-time database that is primarily crowdsourced; more than 27 million business contacts and four million company profiles are in the directory, which is maintained by more than one million users. It’s a rich hunting ground for cybercriminals, and an important tool for pen-testers and enterprise security teams assessing the awareness of employees to the dangers of email-based spam and phishing campaigns.
RSA principal malware scientist Christopher Elisan said researchers from its fraud intelligence team saw a version of Jigsaw being used in attacks. Elisan said that new features added to the tool last November enhance the granularity of business contact data returned in the final output, such as a target’s username, as well as the addition of HTTPs support for database requests.
The Jigsaw tool is intuitive. A user simply enters a search argument such as a their target company name and the tool returns all of the companies it has knowledge of with that name plus the number of employees listed, and the company’s Jigsaw directory ID. Knowing the ID, an attacker, for example, can get much more granular and find employee names per department, for example, based upon what’s available in the directory. The attacker then supplies the tool with a domain name of the company and the Jigsaw tool generates a list of possible email addresses.
“One thing the directory doesn’t have is the employee’s email address,” Elisan said. “What Jigsaw does is generate email addresses for you. The way it does that is that it uses four common formations used by companies as log-ins and attaches those to the supplied domain name.”
Since an attacker may not know the target company’s particular email convention, the Jigsaw tool will generate a list of email addresses using either first letter and last name, first name dot last name, first name first letter of last name, and last name first letter of first name appended to the domain name supplied.
“All of the information is displayed to the attacker who can save it to a CSV file that will contain an employee’s name, department and crafted email addresses based on the formats added to the domain,” Elisan said. “The CSV file is then fed into an automated system. That list also comes with a configuration file that can be fed into a botnet.”
Royce Davis, one of developers of Jigsaw, said that organizations need to think hard about the information they share online and in other forums.
“In the case of the Jigsaw database, I do not believe companies are intentionally providing their information. I believe the records are harvested from business cards which get handed out like candy at various conferences and public gatherings,” Davis said via email to Threatpost. “What I have shown with my tool is that an attacker doesn’t need to necessarily obtain a user’s email address. Simply obtaining their first and last name is often enough to craft a valid email address. For this reason I would recommend that companies become more creative with their username conventions. For example, the first and last initial combined with a unique identifier could look like ‘email@example.com.’ This would be much more difficult to guess then the more traditional ‘firstname.lastname@example.org.’ ”
Davis said that Jigsaw has been used in hundreds of sanctioned phishing exercises.
“I tend to receive positive feedback from other pen-testers. I think this is because Jigsaw makes it easier for them to harvest email addresses to be used for their email phishing exercises,” Davis said. “Additionally it helps to provide clients with a sense of how much information about their company is out there on the internet.”
Davis added that he was unaware of anyone who had taken his code and written a malicious tool.
“I wrote Jigsaw as an open source penetration testing tool. The initial concept came from a colleague who already knew of the Jigsaw.com database and simply wanted a tool to perform the tedious steps of pulling information automatically,” Davis said. “A hammer and nails are regularly used to build houses and keep families warm. Hammers can also be used as deadly weapons. As with the hammer, I’m glad that so many people were able to get such positive results from the tool.”