An Indian hacker known as "Godzilla" has identified a vulnerability in the NSA website that allows an attacker to send spoofed emails from NSA's SMTP server.
NSA's SMTP server allows anyone to use the service without verifying the client's IP address or a password. The most interesting part is that it allows the sender to use any email address (for example admin@nsa.gov).
This vulnerability can be exploited by an attacker to launch a spear-phishing attack. An attacker can send email to anyone inside the organization (for example to admin2@nsa.gov). Because the mail is sent through NSA's own SMTP server, the attacker need not worry about firewalls.
In a screenshot provided to EHN, the hacker used the email address of the NSA Director, Gen. Keith B. Alexander (KeithAlexander@nsa.gov), to send an email to another address.
"Sending a mail with a link attached to it. That can be a bot link. Everyone will receive the mail with the .nsa.gov domain, as the mail is shot from the same network," the hacker said.
"The mail will be sent in the name of the Director, as no one will dare to skip the mail and will have to read it. After opening the mail the attack vector will become active. After this the ball will be in the attacker's court."
"SMTP is a dangerous protocol, and if you don't know how to secure it, it's better you shut it down."
"Stupid NSA, you are lucky it's 31st December and we are not in a mood to shoot our malware into your server," the hacker said.
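The two gaps described above are a relay that accepts mail from any IP without a password and a sender check that accepts any address. The following policy function, an added example not drawn from the article or from any real NSA configuration, shows the checks an SMTP server should apply to each MAIL FROM/RCPT TO pair; the domain example.gov, the 10.0.0.0/8 trusted range and the session fields are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Hypothetical configuration for this example only.
LOCAL_DOMAINS = {"example.gov"}
# Internal networks allowed to relay without SMTP AUTH (e.g. MTA-to-MTA hops).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]


@dataclass
class SmtpSession:
    client_ip: str
    auth_user: Optional[str]  # e.g. "alice@example.gov" after successful SMTP AUTH
    mail_from: str
    rcpt_to: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def relay_policy(s: SmtpSession) -> Tuple[bool, str]:
    """Return (accept, smtp_reply) for one MAIL FROM / RCPT TO pair."""
    from_local = domain_of(s.mail_from) in LOCAL_DOMAINS
    to_local = domain_of(s.rcpt_to) in LOCAL_DOMAINS
    trusted_ip = any(ip_address(s.client_ip) in net for net in TRUSTED_NETWORKS)

    # Check 1 (sender spoofing): a local sender address is accepted only from a
    # trusted network or an authenticated user, and only for that user's own address.
    if from_local:
        if s.auth_user is None and not trusted_ip:
            return False, "553 5.7.1 sender address requires authentication"
        if s.auth_user is not None and s.auth_user.lower() != s.mail_from.lower():
            return False, "553 5.7.1 authenticated user may not send as that address"

    # Check 2 (open relay): mail for a non-local domain is relayed only for
    # authenticated users or trusted networks, never for an arbitrary client.
    if not to_local and s.auth_user is None and not trusted_ip:
        return False, "554 5.7.1 relay access denied"

    # Remaining case: inbound mail from the internet to a local mailbox (normal MX path),
    # or an authorised client sending as itself.
    return True, "250 2.1.5 OK"
```

Check 1 also blocks the director-to-staff spoof in the article, which an SPF or DMARC check on the receiving side would not catch when the mail really originates from the organisation's own server.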