After gathering information from the supervisor who received the original email in question, and from the events that followed immediately afterward, it seems evident that the method of intrusion was a spear phishing campaign, which typically involves sending a seemingly genuine email containing a seemingly genuine link. The email pretends to be from a friendly (recognizable, valid or authorized) individual, but it is far from that. The link is malicious: it redirects the person’s web browser to an unintended, unknown web page that is a phony and malicious copy, whose only purpose is to execute commands for clandestine ends. The typical outcome is the installation of some form of malware (keylogger, virus, trojan, browser hijacker, remote access backdoor, network and password sniffer, data extractor, ransomware, and much more) on the user’s computer, once the user has clicked on the link.
In this case, it is likely that a remote access Trojan with at least keylogger capabilities, and possibly network sniffing capabilities, was installed. It captured the user’s keystrokes, thereby obtaining the username and password, and also trolled through network activity for other accounts (usernames and passwords) with higher-level administrative permissions, in case this particular user did not have such access. Simply stated, the user was the victim of a social engineering attack: clicking on a malicious link can cause a serious network, data and information security intrusion across the entire organization, not just on that particular computer, because the remote access and data trolling capabilities alone let the attacker collect any and all desired information first and decide later how sensitive or valuable it is to the breached organization. In its simplest form, social engineering was accomplished with the aid of a malicious link sent to the user, and the user clicking on that link.
The supervisor mentioned clicking on the URL within the email while answering a supposedly legitimate report about an error on a web page; the link took the browser to a page that rendered seamlessly without any obvious error. That is the clue that the supervisor was redirected to a web page that merely appeared to be the valid web page but was actually a malicious copy of it. As a result, malware was installed that gave the unknown attacker access to that computer through a remote access trojan and data crawler, which offered around-the-clock administrative access (the highest level of permissions), especially while the user was asleep, to that computer and ultimately to the entire network infrastructure.
Since supervisor email addresses are not made public, it is possible that an individual corresponded by email as a supposed customer, perhaps pretending to be irate and unsatisfied, and obtained the supervisor’s email address by causing anxiety in an unsuspecting employee over an “escalated” situation. Another possible method is a call from a supposedly frustrated customer who requested the supervisor’s contact information, perhaps including name and work phone number, demanding to communicate only with the supervisor. Additionally, the caller could pretend to be from the state attorney’s office or the Better Business Bureau, without actually identifying themselves, and suggest an investigation of unresolved customer complaints and/or disputes.
SECURITY RECOMMENDATIONS CHECKLIST
1. Remove admin-level permissions from all user accounts, changing them to user-level permissions only, which will prevent applications (and yes, Trojans and other malware) from launching when they require admin-level permissions for execution, as most such applications do.
2. Install anti-malware software with real-time protection and malicious website blocking (e.g. Malwarebytes).
3. Install antivirus software (e.g. McAfee AV or ESET) with real-time protection, or an internet security suite for a greater range of protection (e.g. Symantec Internet Security).
4. Activate the OS built-in firewall to prevent or minimize intrusion and attacker activity.
5. Install a robust hardware firewall with comprehensive AV/anti-malware protection, along with IDS/IPS (intrusion detection/intrusion prevention) mitigation capabilities and enhancements, which allows developing access control lists (ACLs), whitelisting, blacklisting and other blocking.
6. Subscribe to an email blocking and content filtering service (e.g. Postini) or a Proofpoint appliance that can block malicious attachments, block emails matching certain content criteria, prevent abnormal web browser redirects, warn the user of a potential download (giving the user that last chance to say no), and is highly customizable against all kinds of email-related social engineering and phishing campaigns.
7. Develop a network domain capability (Group Policy or WSUS) to ensure that OS and web browser updates are automatic and timely.
8. Develop a Group Policy construct that tightens the security of workstations so that only authorized applications can execute.
9. Develop a Group Policy construct that strengthens the overall security of workstations, including ensuring that workstations receive pre-configured security settings pushed from the domain, reducing authorized users to user-level permissions, and strengthening web browser security.
10. Disable the default Administrator account on all workstations and servers (again, via Group Policy).
11. Subscribe to log event management, alerting, analysis, remediation and reporting software (e.g. GFI EventsManager or SolarWinds Log and Event Manager).
12. Develop annual, required information security awareness training organization-wide, with strong emphasis on social engineering and email phishing techniques.
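Item 11 calls for log event management and alerting; the incident analysis above notes that the remote access trojan gave the attacker access especially while the user was asleep. The following is an added example (not part of the original report or of any product named in the checklist) of the kind of rule such a system would run: it reads a constructed export of Windows Security log rows (event 4624, successful logon; logon type 2 = console, 3 = network, 10 = RemoteInteractive/RDP) and flags remote logons outside an assumed working window, plus accounts that appear both at the console and remotely.

```python
from collections import defaultdict
from datetime import datetime, time
# Constructed sample export of Windows Security log rows (not from a real system):
# timestamp,event_id,logon_type,account,source_ip.  Event 4624 is a successful logon;
# logon type 2 = interactive at the console, 3 = network, 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2015-04-28T09:12:03,4624,2,jsmith,-
2015-04-28T23:41:10,4624,10,jsmith,198.51.100.23
2015-04-29T02:05:44,4624,10,jsmith,198.51.100.23
2015-04-29T02:07:01,4624,3,svc_backup,10.0.0.8
2015-04-29T08:30:15,4624,2,jsmith,-
"""
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed working window for this organization

def parse_events(text):
    """Turn the CSV rows into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, src = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account, "src": src})
    return events

def off_hours_remote_logons(events, ignore_accounts=()):
    """Successful network/RDP logons outside business hours or on weekends."""
    start, end = BUSINESS_HOURS
    hits = []
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] not in (3, 10):
            continue
        if e["account"] in ignore_accounts:  # known service accounts that run at night
            continue
        if e["ts"].weekday() >= 5 or not (start <= e["ts"].time() < end):
            hits.append(e)
    return hits

def console_and_remote_accounts(events):
    """Accounts seen both at the console and remotely: a user present at the
    keyboard by day and 'remote' at night deserves a closer look."""
    seen = defaultdict(set)
    for e in events:
        if e["event_id"] == 4624:
            seen[e["account"]].add("console" if e["logon_type"] == 2 else "remote")
    return sorted(a for a, kinds in seen.items() if kinds == {"console", "remote"})

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for hit in off_hours_remote_logons(evts, ignore_accounts=("svc_backup",)):
        print(f"off-hours remote logon: {hit['account']} from {hit['src']} at {hit['ts']}")
    print("console+remote accounts:", console_and_remote_accounts(evts))
```

The working window and the service-account allow list are the two values an organization has to tune before the rule produces useful alerts rather than noise.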
I would send a series of emails to a randomized sample of individuals within the target organization. The emails would carry randomized content as well, so that people within a division are not alerted by having all received the same email, which would easily be surmised as a potential bad email. The email content would include invoice payments, IRS refund notifications, having won a free gift, verification of shipping, valued customer notices, invoice confirmations (“see attached”), account expiration due to inactivity, account validation due to a possible security breach, and others. I would execute this campaign over a period as short as a week, but preferably over four weeks, so that stakeholders can see how frequently such emails arrive every day and how often users respond to them, leaving the organization continuously susceptible to breach. Ultimately, the results would be reported to stakeholders in a comprehensive report so that they can decide the next course of action.
PRETEXT PHONE CALLS
I would make various calls designed to make targeted individuals at the organization familiar with me and to develop enough of a relationship that the targets trust me enough to offer certain sensitive information. Any information I get is useful, for it offers a conduit to more information for the purpose of executing the next stage of the intrusion. The unsuspecting targets are unaware that the phone calls are nothing more than a ruse to obtain login credentials, network information, usernames and passwords, actual intellectual property, and much more. In one example, I would call as though I am from IT and need to verify that an account was properly closed (or changed), and have that person offer login credentials so I can test on my end. In another example, I can pretend to be the IT security vendor doing routine testing of random accounts to make sure configuration changes have not affected accounts in the target’s division (e.g. Fiscal), hence I need that person’s login information. Alternatively, I can pretend that I am from IT and have been notified of a security breach at the target organization, so I need that person’s account information and that of others on the floor so I can change the passwords or provide temporary logins for everyone.
I would pose as a contractor or valid (authorized) vendor for the organization. I could simply come to the organization and talk to an unsuspecting targeted employee about a supposed survey on the effectiveness of “our” customer service, products and services, striking up a conversation with the target in hopes of obtaining sensitive information, or offering free USB flash drives, which, unknown to the target, are loaded with hidden malware designed to infiltrate the network and give me administrative account permissions and 24/7 remote access. Now the target is doing the work for me by distributing the malware-laden flash drives.
In another instance, I can pose as a vendor endeavoring to earn the target organization’s business, so I offer a verbal spiel about the products and/or services of my organization. I already expect that the persons to whom I offer my “sales pitch” will refuse for now, and then I can offer promotional flash drives, DVDs/CDs and even USB hubs that contain hidden malware designed to execute upon detecting the network. Additionally, I could simply ship a hardware device (e.g. router, UPS, firewall, switch, security appliance) to the target organization, suggesting that the organization give it a 30 or 60 day proof of concept trial of its features and functionality and let me know whether it has value. Unfortunately, it will take a while for the organization to discover that the device is the source of the security intrusion and has been for some time.
Persons Targeted For Social Engineering Attack Techniques
Front Desk Person / Receptionist
Upper Level Management
Executive Level Management
Finance / Fiscal / Accounting / Banking Personnel
Customer Service Personnel
The Employee Carrying Lots Of Stuff (As In Seemingly Too Much To Carry)
The Employee Running Late
Low Level IT Person
The unaware / inattentive / easily distracted / always on the phone type of employee
Questions I Would Ask
Would you like to be a part of my social network on LinkedIn? (Goodchild, 2009)
Hi [Mom, Dad, Friend, Buddy, Pal], would you please send me money? (Goodchild, 2009)
Would you please donate to this charity organization?
Were you looking for me?
How are you, my friend?
Did you see this video about [you/cats/dogs/babies]? I still cannot believe it! (Goodchild, 2009)
Has your PC been running slow and doing strange things? (Goodchild, 2009)
Did you know that you were recently targeted for identity theft?
Did you receive the package I sent you? Please verify your address.
This is an authorized message from PC Services. Did you know your PC is infected with malware?
No payment received as yet. Have you authorized payment for this invoice?
Will you please confirm these charges on your credit card?
Did you make this order?
Would you like to test this new product/device we have, free of charge?
Coming through, can you hold the door open please? (Goodchild, 2009)
I left my badge at [the hospital/my daughter’s school/divorce attorney office], can you swipe me in? (Goodchild, 2009)
Can you help me get these freebies in to everyone? (Goodchild, 2009)
Goodchild, J. (2009, February 16). 9 Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines. In csoonline.com. Retrieved May 3, 2015, from