This morning I was sitting at my son’s soccer game when I got what some might consider an alarming message from the company CEO: “Three company employees, including me, just got a text message FROM ME, and I didn’t send it!”
After talking with my boss about the details in the message, we agreed that this would be a good opportunity to publish a reminder about cyber hygiene, since it extends beyond our workplace and well into our personal lives. So, sit down, kids, as we walk through our brief chat with a menacing malicious messenger who didn’t realize that they were pretending to be the very person they were messaging.
CARLA – MEET CARLA.
Lucky for us, our CEO is pretty savvy and knew she wasn’t messaging herself. The first question she asked me was, “Have we been compromised? The same message went to personal numbers for some of our people.” The truth is that with tools like Maltego, or some good old-fashioned OSINT (open source intelligence gathering), linking employees to a company and impersonating its leadership isn’t uncommon. Ask us how we know: TechGuard’s white paper on Social Engineering. Since the individuals who were messaged had not been chosen strategically (a scattershot recipient list looks like scraped public data rather than an insider foothold), the likelihood of a compromise was essentially zero, which meant Carla could respond to Carla.
NEW PHONE- WHO DIS?
Let’s start with the obvious: where is this text coming from? Numbers can be spoofed, but a number from an untrusted source with the wrong area code, let alone one that isn’t the known number of the person being impersonated, should raise a flag on its own. We used Spokeo, a free (or paid) service that assists with OSINT and also offers a reverse phone number lookup (courtesy of AT&T’s article). TechGuard is based in St. Louis and serves clients across the US, so a California number is suspicious. A number whose carrier supplies virtual phone numbers (yes, the kind that has been asking you about your extended warranty) is even more suspicious. The output on the left is a screenshot from Spokeo. While some information is in the paid tier, the free tier gives you good insight into where your messages come from.
THE PRINCE FROM CRAIGSLIST
We all remember the Craigslist scams, where some far-away prince had a trove of wealth and would reward you handsomely for simply cashing a check. Bad news: the broke prince is still trying, except this time with gift cards and marginally improved grammar. As our CEO continued the conversation with our unknown perpetrator, we got the ask: an iTunes gift card. In hindsight, we should have given an expired gift card and the wrong code while karma sorted itself out. The very sad reality is that this type of attack works. Scammers ask for gift cards because the codes can be redeemed or resold anywhere, the purchase is made by the victim rather than the scammer, and the funds are largely untraceable and unrecoverable once the code has been read out.
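The two checks described above, the sender number that doesn’t match the number on file or the expected area code (from the NEW PHONE section) and the gift-card or code ask (from this section), can be written down as a small triage script. This is an added example, not code from the original post or from TechGuard; the contact directory, the expected area codes, the keyword lists, the scoring weights and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed directory of known contacts, stored in E.164 form. 555-01xx numbers
# are reserved for fiction and never belong to a real subscriber.
KNOWN_CONTACTS = {"Carla": "+13145550100"}

# Area codes leadership would plausibly text from (St. Louis metro); constructed.
EXPECTED_AREA_CODES = {"314", "636"}

# Phrases typical of the gift-card variant of executive impersonation; constructed lists.
GIFT_CARD_TERMS = ("gift card", "itunes", "google play", "steam card", "redeem code")
URGENCY_TERMS = ("right away", "asap", "urgent", "in a meeting", "can't talk")
CREDENTIAL_TERMS = ("verification code", "one-time code", "2fa", "password", "security code")


def normalize_nanp(raw: str) -> Optional[str]:
    """Return a US/Canada number as +1NPANXXXXXX, or None if it is not a valid
    10-digit NANP number (area code and exchange must start with 2-9)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10 or digits[0] in "01" or digits[3] in "01":
        return None
    return "+1" + digits


def area_code(e164: str) -> str:
    """Area code (NPA) of a normalized +1 number."""
    return e164[2:5]


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def flag(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def triage(claimed_name: str, sender: str, body: str) -> Verdict:
    """Score an inbound text that claims to come from `claimed_name`."""
    v = Verdict()
    num = normalize_nanp(sender)
    if num is None:
        v.flag(3, f"sender {sender!r} is not a valid NANP number")
    else:
        on_file = KNOWN_CONTACTS.get(claimed_name)
        if on_file is None:
            v.flag(2, f"no number on file for {claimed_name}; cannot verify sender")
        elif num != on_file:
            v.flag(3, f"sender {num} is not {claimed_name}'s number on file ({on_file})")
        # A matching number is not proof: caller ID can be spoofed, so the
        # content checks below still run even when the number is right.
        if area_code(num) not in EXPECTED_AREA_CODES:
            v.flag(1, f"area code {area_code(num)} is outside the expected region")

    text = body.lower()
    for terms, points, label in (
        (GIFT_CARD_TERMS, 3, "asks for gift cards"),
        (CREDENTIAL_TERMS, 3, "asks for a code or password"),
        (URGENCY_TERMS, 1, "applies time pressure"),
    ):
        hit = next((t for t in terms if t in text), None)
        if hit:
            v.flag(points, f"message {label} ({hit!r})")
    return v


def is_suspicious(v: Verdict, threshold: int = 4) -> bool:
    """Anything at or above the threshold should be verified out of band."""
    return v.score >= threshold


if __name__ == "__main__":
    # Constructed messages; neither is a real text.
    scam = triage("Carla", "(415) 555-0199",
                  "Hi, it's Carla. Are you around? I'm in a meeting and need you to "
                  "grab some iTunes gift cards and text me the codes right away.")
    legit = triage("Carla", "314-555-0100", "Running late, start without me.")
    for name, v in (("scam", scam), ("legit", legit)):
        print(f"{name}: score={v.score} suspicious={is_suspicious(v)}")
        for r in v.reasons:
            print("  -", r)
```

The score is deliberately additive rather than a single rule: a wrong number alone, or a gift-card ask alone, each already clears the threshold, while a message from the right number with no ask scores zero. The reverse-lookup and carrier-type check the post did by hand in Spokeo is not reproduced here; it would slot in as another `flag` call once you have a lookup result to feed it.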
THE TAKEAWAY
After some prodding, we were able to find out that what we initially feared was a compromise was in truth someone trying to get some gift cards and their accompanying security codes. In an organization that was less cognizant of good practices, there could have been financial harm. Simply taking the time to stop and say “something doesn’t look right,” and then confirming through a channel you already trust, such as calling the person back on the number you have on file, could save you or your organization from significant financial damage. Imagine it was a two-factor authentication code, security code, password, or worse being asked for, and an employee believed their boss was asking on a Saturday morning. Testing human response is a critical component of the penetration testing we perform to help protect our clients and their organizations from slip-ups just like these, and it is why we tailor our engagements to best suit the exact needs of our clients. Has your organization recently been targeted by social engineering or phishing attempts? Give us a call to talk to one of our Cyber Security Specialists.