The mobile on the desk rang for about the sixth time that day. John picked it up reluctantly, only to hear a bored voice saying:

– Hello. My name is Adam Nowak, I am calling on behalf of SuperTelco. I would like to arrange a technician’s visit to check the bandwidth in your company. We have received a notification no. CRT 2019/098542M concerning a slow Internet connection at your location.

John had been working in the company as an administrator for just a week; his predecessor had moved to another organization and left his successor barely any information. He hesitated, but after a while remembered the “slow website loading” problem he had overheard some people discussing in the corridor.

– Do you, by any chance, know the name of the person who sent the notification? – he asked, hoping to find a way to delay, or at least postpone, the technician’s visit and all the extra tasks resulting from the unplanned notification.

Unfortunately, the voice on the other end of the line relentlessly gave the name of his predecessor as the reporting person. John sighed and scheduled the visit for the upcoming Wednesday.

The visit went exactly as our administrator remembered it from dozens of previous meetings with technicians from telecom companies. A few jokes were told, funny only to the “tech-savvy”, some coffee was drunk, and the technician plugged a device into one of the Ethernet ports of the router in the server room.

This elongated box did not raise any suspicions, and the technician himself seemed like a nice professional.

They agreed that more data covering a longer period would be needed to determine the reason for the “slow Internet” (they both smiled knowingly when using this expression), and this device was supposed to collect it. Besides, both LED indicators on the Ethernet port were already flashing steadily in time with the received packets. After about half an hour, the technician said goodbye and, escorted by John, left the company building.

Somewhere on the other side of the city, a man in front of a laptop screen smiled, pleased with the results of his partner’s work: a device had just been installed in an insurance company’s server room that allowed remote access to the network and eavesdropping on its entire traffic. The console started to display the first filtered login data that users had entered into the attacked company’s internal systems. The communication was not encrypted, which was neither surprising nor unusual. Most companies do not encrypt communication within their intranet, assuming it is a safe zone for users.

It did not take long for the consequences of such a careless approach to emerge.

Access to the billing department’s systems allowed the attackers to replace most of the contractors’ bank account numbers with fake ones. By the time the accounting staff realized that the transfers had been sent to the wrong accounts, over sixty percent of the payments had already been withdrawn by the robbers’ accomplices.

Apart from the purely financial loss, the company also suffered severe reputational damage when contractors began sending payment demands for the overdue invoices.

If you want to conduct a controlled social engineering attack, check the compliance with security procedures and the level of information security awareness in your company, contact us.

A social engineering attack does not have to be complicated

Let us focus on the crucial elements of the above-described attack.

All the vital data, such as the first and last name of John’s predecessor, was gathered from LinkedIn. Information shared by users of this platform includes employment dates as well as the job titles and positions held during those periods.

The name of the telecom company providing services to the “attack victim” was obtained through a series of ordinary phone calls presenting fictitious offers from companies in this sector. On the third call, a very nice lady said that she appreciated the services they had been receiving and that she was not interested in any new offer.

The clothing and the telecom technician’s ID card were made to order; neither the printing company nor the shop offering T-shirt prints asked any extra questions.

The device installed in the server room by the fake technician is the so-called “LAN Turtle”. Anyone can order such a gadget for about 90 USD. It allows its operator to monitor and intercept traffic on the LAN to which it has been connected.

The cost and time invested in such a simple but effective attack are not high. Its consequences for the organization, however, are very difficult to predict. Certainly, all the clients’ data and the employees’ logins and passwords became the intruders’ property.
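One basic defensive check against the scenario above, added here as an example that is not part of the original article: compare a snapshot of the switch’s MAC address table against an asset inventory and alert on any device that is not on the list, with extra weight given to server-room ports. The table layout (a `show mac address-table` style dump), the inventory, the port names and the MAC addresses are all constructed for illustration.

```python
import re

# Constructed inventory baseline: MAC -> (description, expected switch port).
# In practice this would come from an asset inventory or CMDB export.
KNOWN_DEVICES = {
    "00:11:22:33:44:01": ("core-router", "Gi1/0/1"),
    "00:11:22:33:44:02": ("file-server", "Gi1/0/2"),
    "00:11:22:33:44:03": ("backup-nas", "Gi1/0/3"),
}
# Server-room ports that should only ever carry inventoried devices.
SERVER_ROOM_PORTS = {"Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/4"}

# Constructed MAC table snapshot in a 'show mac address-table' style layout
# (the exact format is an assumption). The last row is a device nobody inventoried.
MAC_TABLE_SNAPSHOT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/2
  10    0011.2233.4403    DYNAMIC     Gi1/0/3
  10    00c0.ca12.3456    DYNAMIC     Gi1/0/4
"""
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def normalize_mac(dotted):
    """Convert 'aabb.ccdd.eeff' into 'aa:bb:cc:dd:ee:ff' so it matches the inventory."""
    digits = dotted.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_rogue_devices(snapshot, known=KNOWN_DEVICES, sensitive_ports=SERVER_ROOM_PORTS):
    """Return (mac, port, vlan, reason) for every table row that deviates from the baseline."""
    findings = []
    for line in snapshot.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or unparseable line
        vlan, raw_mac, port = m.groups()
        mac = normalize_mac(raw_mac)
        if mac not in known:
            where = "server-room port" if port in sensitive_ports else "port"
            findings.append((mac, port, int(vlan), f"unknown MAC on {where}"))
        elif known[mac][1] != port:
            # A known device answering on a different port is also worth a look.
            findings.append((mac, port, int(vlan), f"{known[mac][0]} moved from {known[mac][1]}"))
    return findings

if __name__ == "__main__":
    for mac, port, vlan, reason in find_rogue_devices(MAC_TABLE_SNAPSHOT):
        print(f"ALERT vlan {vlan} {port} {mac}: {reason}")
```

A device that spoofs an inventoried MAC address, or a purely passive tap, will not show up in such a comparison, so this check complements switch port security and encrypted internal protocols rather than replacing them.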

If you want to perform a controlled social engineering attack to verify compliance with procedures, as well as the level of information security awareness in your company, contact us.

How to defend against a social engineering attack?

In ICT, social engineering is a set of methods a cybercriminal uses to obtain confidential and sensitive information. Very often, attackers exploit the ignorance or credulity of system users to bypass security systems that are otherwise resistant to various forms of attack. They target the weakest link in security: the human.

A social engineering attack on a company or organization is psychological in nature. It takes advantage of people’s natural tendency to trust others. The attacker assumes a trustworthy persona and persuades an individual to carry out the actions he needs, which lead to the disclosure of data. That data may be confidential, such as logins and passwords, though this is rarely the attacker’s real goal. It may also be something else, such as a manager’s or contractor’s name, that leads on to the ultimate goal. This is especially dangerous because, while gathering seemingly insignificant data, the attacker can easily build a credible backstory for his subsequent contacts with people within the organization.

This leads us to the conclusion that a company that truly cares about its own and its clients’ security should continuously implement, test and improve procedures and controls that prevent such incidents from occurring.

We need to remember that security is a process and that the creativity of criminals is limited only by the time and technical tools they possess.

Find out more about social engineering tests, procedures and physical security measures in our offer.


The article was written by Dominik Lewandowski, Penetration Tests Coordinator in Soflab Technology

Photo by Taskin Ashiq / Unsplash
