For all your firewalls, intrusion detection systems, passwords and password policies, it just takes one uninformed and well-intentioned employee to bring you down.
It’s called social engineering, and it is the most effective “hacking” tool available. I had my first experience being on the receiving end of a concerted social engineering hack and emerged victorious.
Yesterday around 3:30 pm I was at my desk when the receptionist put through a call from one of our senior VPs. I was rather distracted with a few things going on, so I was caught a little off guard. The VP in question is someone I know fairly well and have a bit of a rapport with. He asked how my holiday weekend was and we exchanged brief pleasantries. Since I was rather busy, I politely moved the conversation to the business at hand and asked him what I could do for him.
He told me he needed a copy of the company Global Address List in Excel format.
For the record, this would be the contact information for every single employee in our company. About 800+ contacts. No small thing.
One thing that tends to set me apart from your average IT flunky is that I am not afraid to ask blunt questions, and I had one for Mr. Senior VP.
What on earth for? This was an odd request and it set off alarm bells immediately. I’m not about to hand off this proprietary information without following some type of protocol, even if you ARE a senior VP.
He proceeded to explain to me that he was on the road and his daughter had accidentally taken his laptop to school and he needed employee contact info ASAP. It kind of made sense. We are going through a buy-out/merger. It’s not out of the realm of possibility that a senior VP would need this information as part of maybe planning our ultimate re-organization. Still….
He was on a cell phone, so it disguised the voice somewhat. It did sound like the VP.
I suggested he access the corporate e-mail system via our web interface. There he would have access to all the contacts in the GAL. He said this was not acceptable and that he needed it in a form that could be printed out.
I continued asking questions like “What is this for?”, “Is there another way?”, “Can you come into the office and get this?” and one final question, “Is this something you would prefer I stop asking questions about?”, to which he replied “yes.”
At this point he tried to pull rank. He told me that in his position he should not have to explain himself to me. This is when I was sure there was a problem. Either the person I know was acting EXTREMELY suspicious and out of character, or he was not who he claimed to be.
I generated the Excel spreadsheet by exporting the GAL to a file on my desktop. I had to make a decision quickly. I asked him how he wanted this delivered to him and he said “e-mail it to my personal e-mail address” and proceeded to give me an address of firstname.lastname@example.org…
My thought was that if he could access his personal e-mail then he could access his corporate e-mail and I told him I would send it there. He asked me to CC the funky e-mail address and I said I would not do that. At this point I told him outright that I wasn’t even sure I was dealing with a company employee and I implored him (just in case I was wrong) to please understand that I am only protecting the company. I basically told him I would e-mail the file to his corporate address and he could then forward it as he pleased.
He was not happy, but relented and agreed to my solution. At this point I was a little flustered, and after I sent the e-mail I went to my boss to explain what had happened in case I had managed to piss off a senior VP. Not something you want to do when they are likely evaluating current and future company positions. I have denied the requests of senior management before, citing company policy. When you do that you are putting your job at risk. I knew I was right, but I feared there might be repercussions.
Five minutes later I got an e-mail from the senior VP in question asking what the heck this was that I had sent to him. I explained it and told him he could delete the message.
Turns out whoever was on the phone was impersonating the VP and was totally pulling a scam.
Had I not been alert I could have easily handed off confidential employee information to god knows who.
Let’s be careful out there!
7 thoughts on “The weakest link”
I had no idea what that term meant. Thank you Jay for enlightening me a little more.
Any way to track down the Yahoo via his email?
Probably not. It’s a web based anonymous file drop email service.
Very interesting. I’ve never read a personal story from someone that I actually know who has been socially engineered; I’ve just heard and read tons and tons about it from the other side of the fence. Thank you for sharing. Way to handle it!
Great post. We often sit through meetings, seminars, classes on security, et al., but we seldom hear about actual events with actual people. It brings it home. Thanks!