Standard incident response requires finding out the real extent of the incident. This is why we have all the monitoring tools, in which we can search for matching patterns. Exploiting humans is quite normal nowadays; even after receiving all the training, they are still vulnerable. You can't patch them.
Over the years I've learned that before a fraud attempt there is always a wave of "social engineering" calls. It lasts from two weeks up to two months. The calling number stays the same; 4-5 different voices introduce themselves with various names, tell various stories, try to get information about the company, and so on. The quality of the attempts varies, but never reaches any perfection.
Recently we have been investigating an incident that confirmed my old doubts about ethics in IT security and in business as a whole: there are no ethics at all. Various worldwide branches of one company received a series of calls from India, all of which were of course recorded. A male or female voice on the other side claimed to be a colleague from a different branch. He or she asked to be put through to another colleague or wanted to know this or that, and if not satisfied became aggressive or claimed to be in need of help. The first warning sign was that the quality of the attempt was above average, but one would say this is an obvious social engineering scam, and we thought the same for a while. When we parsed the PBX logs, we found that these numbers had been calling us quite frequently in recent days. But a bigger surprise than the call frequency popped up when we researched the phone numbers on the Internet.
We found out that they belong to a company offering very interesting research activities, perhaps business intelligence, marketing research or even pre-headhunting. Its website says:
"…name gathering of professionals from the target list of companies- Name, Job Title, Direct Dial / Mobile number, E-mail address etc…". If you have ever dealt with cybercrime, you know that exactly this information is the groundwork for a successful attack. But there is more: "…we map targeted departments to understand team structures, hierarchies…".
Another part of the website claims that they also use Internet resources (OSINT?).
Once again we analyzed the phone calls and found that these individuals use the finest social engineering tricks. They most likely have very structured and detailed communication manuals, as they were very persistent and gave up at a very late stage compared to "common" phone social engineers. And since they do not even use their real names and try to retrieve internal data, they behave in the same way as criminals.
At this point we understood that this company uses the same approach as sophisticated cybercrime. The goal is to obtain the complete organizational structure of the key departments with all the persons, including their business and private details, such as phone numbers, email addresses, LinkedIn and Facebook profiles and much more. This set of information is highly explosive material that, in the hands of criminals, can turn into a nuclear catastrophe for the affected company. We don't know who holds the contract with this research company for research of this kind, but their conduct is beyond common ethics. Yet they claim on their website to have ethical codes of conduct and strict policies to ensure compliance.
How to respond to this type of incident? We blocked the number prefixes worldwide and informed the key persons about the ongoing campaign; we once again distributed the educational materials covering phone scams and phone social engineering attempts and emphasized the important points where end users can find salvation. As of today we know that we did not suffer any significant damage, and the lesson we learned was necessary. We know where to improve, but we also know that cybercrime will make use of the services of regular companies that have no ethical code at all.
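As an added example (not from the article, and not the author's tooling), here is a small Python script that performs the two technical steps described above: the PBX log check that surfaces numbers calling several branches repeatedly, and the prefix block derived from them. The semicolon-separated call detail record (CDR) layout, the branch names and the phone numbers are all constructed placeholders; real PBX exports differ, so `parse_cdr()` is the part to adapt.

```python
"""Hunt a phone social-engineering campaign in PBX call detail records (CDRs).

Everything below is a constructed example: the CDR layout is an assumed
semicolon-separated export (timestamp;branch;calling number;called extension;
seconds) and the numbers are fictional placeholders, not real callers.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export from three branches of one company.
SAMPLE_CDR = """\
2015-03-02T09:12:44;Berlin;+910000000001;2214;185
2015-03-02T10:03:10;Berlin;+910000000001;2218;240
2015-03-02T14:41:02;Prague;+910000000001;3105;92
2015-03-03T08:55:37;Madrid;+910000000002;4410;310
2015-03-03T11:20:15;Berlin;+910000000002;2214;77
2015-03-03T16:08:51;Prague;+910000000002;3101;402
2015-03-04T09:30:00;Madrid;+910000000001;4402;15
2015-03-04T13:45:12;Berlin;+420000000099;2214;60
2015-03-05T10:10:10;Berlin;+491000000010;2220;35
"""


def parse_cdr(text):
    """Parse the assumed CDR export into a list of dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, branch, caller, callee, secs = line.split(";")
        records.append({
            "time": datetime.fromisoformat(ts),
            "branch": branch,
            "caller": caller,
            "callee": callee,
            "seconds": int(secs),
        })
    return records


def campaign_numbers(records, min_calls=3, min_branches=2):
    """Callers that phoned at least min_calls times across at least min_branches branches.

    A single wrong number hits one site once; a campaign works through the
    company branch by branch. Result is ordered by call count, busiest first.
    """
    calls = Counter(r["caller"] for r in records)
    branches = defaultdict(set)
    for r in records:
        branches[r["caller"]].add(r["branch"])
    hits = [n for n in calls if calls[n] >= min_calls and len(branches[n]) >= min_branches]
    return sorted(hits, key=lambda n: (-calls[n], n))


def summarize(records, number):
    """Per-caller facts for the incident report: volume, reach, time window, talk time."""
    mine = [r for r in records if r["caller"] == number]
    return {
        "calls": len(mine),
        "branches": sorted({r["branch"] for r in mine}),
        "extensions": sorted({r["callee"] for r in mine}),
        "first": min(r["time"] for r in mine).isoformat(),
        "last": max(r["time"] for r in mine).isoformat(),
        "talk_seconds": sum(r["seconds"] for r in mine),
    }


def blocked_prefixes(numbers, length=6):
    """Collapse flagged numbers to the leading `length` characters, the granularity of a PBX prefix block."""
    return sorted({n[:length] for n in numbers})


def is_blocked(number, prefixes):
    """True if a calling number falls under any blocked prefix."""
    return any(number.startswith(p) for p in prefixes)


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    suspects = campaign_numbers(recs)
    for n in suspects:
        print(n, summarize(recs, n))
    prefixes = blocked_prefixes(suspects)
    print("block prefixes:", prefixes)
    for r in recs:
        print(r["caller"], "BLOCKED" if is_blocked(r["caller"], prefixes) else "allowed")
```

The thresholds in `campaign_numbers()` are the tuning knobs: lowering `min_branches` to 1 finds a caller hammering a single site, raising `min_calls` cuts noise on a busy PBX. A prefix block is deliberately coarse, so review what else the chosen `length` covers before applying it, and keep the per-number summaries for the incident record, since the block removes the evidence stream once it takes effect.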
Besides the APTs we are facing, attacks by humans against humans as the preliminary phase of a bigger cyber attack will become harder to mitigate. User awareness training has to be adapted to cover these topics too, but must stay as simple as possible. Employees overloaded with information cannot properly respond to attack attempts. What about us, the security people? We should keep our minds open to see the coming future and get ready.
Boris Mutina is a freelancer with more than a decade of experience in IT, security audits and advisory, education, cybercrime analysis and investigation. Among other projects, he is currently developing, together with another freelancer, an online brand protection and information leakage detection tool.
(Security Affairs – cybercrime, security)