Showing posts from September, 2011

City Link and Gathering Data for Spear Phishing

I have just been sent an email giving me a tracking number for a City Link parcel due to be delivered. On checking this on their website, I found that I only need the tracking number to track the parcel and no other information. Is this a problem?

Well, I think it is. Via my tracking number I am able to find the company name of the sender and my postcode. Now, postcodes normally only relate to around a dozen properties at most. However, that's not the end of the story. By entering different numbers (based on the one that I received) I was able to get the details of other parcels being sent around. Incidentally, their format is AAAddddd - representing three uppercase letters followed by sequential numbering.
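One way a carrier could spot this kind of number-walking in its tracking-lookup logs, as an added example that is not part of the original post. The log layout, the thresholds, the client addresses and the sample lines are all constructed assumptions; only the AAAddddd format comes from the text above.

```python
import re
from collections import defaultdict

# Format described in the post: three uppercase letters, then five digits.
TRACKING_RE = re.compile(r"^[A-Z]{3}\d{5}$")

# Constructed sample log: "<time> <client> <tracking number looked up>"
SAMPLE_LOG = """\
13:51:02 203.0.113.7 ABC10450
13:51:03 203.0.113.7 ABC10449
13:51:04 203.0.113.7 ABC10448
13:51:05 203.0.113.7 ABC10447
13:51:06 203.0.113.7 ABC10446
13:51:07 203.0.113.7 ABC10445
13:52:10 198.51.100.20 ABC10450
13:58:41 198.51.100.20 ABC10450
13:53:00 192.0.2.15 XYZ20001
13:54:30 192.0.2.15 ABC10300
13:56:00 192.0.2.99 abc1
"""

def longest_run(numbers, max_gap=1):
    """Longest run of distinct values whose neighbours differ by <= max_gap."""
    ordered = sorted(set(numbers))  # repeat lookups of one parcel count once
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur - prev <= max_gap else 1
        best = max(best, run)
    return best

def find_enumerators(log_text, min_run=5, max_gap=1):
    """Return {client: run length} for clients walking the sequential numbers."""
    seen = defaultdict(lambda: defaultdict(list))  # client -> prefix -> numbers
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not TRACKING_RE.match(parts[2]):
            continue  # skip malformed lines and invalid tracking numbers
        _, client, tracking = parts
        seen[client][tracking[:3]].append(int(tracking[3:]))
    flagged = {}
    for client, by_prefix in seen.items():
        run = max(longest_run(nums, max_gap) for nums in by_prefix.values())
        if run >= min_run:
            flagged[client] = run
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```
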

Does this matter? Well, by going backwards through the sequential numbering system I was able to find a parcel that had just been delivered (at 13.50 to be precise) to a postcode in West Yorkshire - BD22 (I have omitted the last part of the postcode here). Helpfully, they incl…