Top tip: Don't upload your confidential biz files to free malware-scanning websites – everything is public

Sandbox services are bursting with sensitive info from unwitting companies
Companies are inadvertently leaving confidential files on the internet for anyone to download – after uploading the documents to malware-scanning websites that make everything public.

These file-probing websites open submitted documents in secure sandboxes to detect any malicious behavior. Businesses forward email attachments and other data to these sites to check whether they are booby-trapped with exploits and malware, not knowing that the sandbox sites publish a feed of submitted documents.

White-hats at infosec outfit Cyjax today raised the alarm that when IT staff, security researchers, and other folk submit attachments to free malware-scanning services, they are often unaware the files become viewable by everyone.

"These services allow anyone to upload a file and then generate a report about what happens when the file is opened; they then give an indication as to whether the file is malicious or benign," Cyjax's Cylab team explained.

"The services chosen all have public feeds and do not require payment in order to download or view the public submissions."

By passively observing three such services over the course of three days earlier this month, Cylab hackers were able to collect more than 200 documents, mostly things like purchase orders and invoices. In some cases, they were also able to spot more sensitive information – think legal paperwork, insurance forms, and government documents that contained personal information.

"The volume of sensitive documents collected in only three days was staggering," the team noted. "In a month, a threat actor would have enough data to target multiple industries and steal the identities of multiple victims."

Even the mundane files, like purchase orders, could reveal enough of a company's inner workings to give an identity thief or hacker enough reconnaissance to carry out a targeted attack.

"By examining the invoices, we were able to determine who was using the software, as well as the contact details of those responsible for purchasing in each organisation," the Cylab report explained.

"This is extremely useful information for a threat actor conducting a spear phishing or BEC [business email compromise] fraud campaign."

The Cylab team noted that in every case where the uploader of the file could be reached, the organization had no idea their documents were open to any and all. Some panicked at the news, and others contacted the sandbox site to get the files pulled.

The conclusion of the report is pretty straightforward: users and their employers seem to have no idea that these "sandbox" sites are exposing their data.

As for what can be done, administrators need to step up and let users know not to use these sites, while the companies themselves should consider either providing and mandating their own scanning tool, or at least springing for a private account that hides scanned files. ®
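One way an administrator could spot the behaviour described above before a user is told about it the hard way: scan web-proxy logs for large POST/PUT bodies sent to public-feed sandbox hosts. This is an added example, not code from The Register or from Cyjax's report; the log format, hostnames, byte threshold and usernames are all constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical hostnames standing in for public-feed sandbox services; the
# article names none, so these are constructed placeholders to be replaced.
PUBLIC_SANDBOX_HOSTS = frozenset({"sandbox-a.example", "scanner-b.example"})
UPLOAD_METHODS = frozenset({"POST", "PUT"})
MIN_UPLOAD_BYTES = 4096  # below this a POST is more likely a form or search query

# Constructed proxy log layout: ts user src_ip method host/path request_bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^/\s]+)(?P<path>/\S*) (?P<req_bytes>\d+)$"
)


@dataclass(frozen=True)
class UploadAlert:
    ts: str
    user: str
    src: str
    host: str
    path: str
    req_bytes: int


def parse_line(line: str) -> Optional[dict]:
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_public_sandbox_uploads(lines: Iterable[str]) -> List[UploadAlert]:
    """Flag large upload bodies sent to hosts on the public-sandbox list."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        if rec["host"].lower() not in PUBLIC_SANDBOX_HOSTS:
            continue
        size = int(rec["req_bytes"])
        if size < MIN_UPLOAD_BYTES:
            continue  # tiny body: report lookup or search form, not a file
        alerts.append(UploadAlert(rec["ts"], rec["user"], rec["src"],
                                  rec["host"], rec["path"], size))
    return alerts


# Constructed sample log: two real submissions, one report view, one small
# search POST, one upload to an internal host and one malformed line.
SAMPLE_LOG = """\
2024-04-11T09:00:01Z alice 10.0.0.21 POST sandbox-a.example/api/v1/submit 381204
2024-04-11T09:00:07Z bob 10.0.0.22 GET sandbox-a.example/report/123 0
2024-04-11T09:01:15Z carol 10.0.0.23 POST scanner-b.example/upload 2097152
2024-04-11T09:02:30Z dave 10.0.0.24 POST sandbox-a.example/search 212
2024-04-11T09:03:00Z erin 10.0.0.25 PUT files.intranet.example/docs/po.pdf 90000
this line is not a log record
""".splitlines()

if __name__ == "__main__":
    for a in find_public_sandbox_uploads(SAMPLE_LOG):
        print(f"{a.ts} {a.user}@{a.src} sent {a.req_bytes} bytes to {a.host}{a.path}")
```

The same rule can be pushed to a proxy or DLP policy as a block rather than an alert once the approved, private scanning route is in place.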
