I recently encountered a case with one of my clients that demonstrated the true value of having an effective information security training program which includes regular social engineering tests. Sure, social engineering tests are fun for our teams to conduct (maybe not for the victims) but this case showed that the tests really can mean the difference between a deleted phishing email and an information security incident.
As a bit of background, the client in question is a SMB in a regulated industry that deals with large amounts of confidential information on behalf of its customer base. A compromise of NPI could have extremely serious implications from a regulatory and reputational standpoint. As SMBs go, the organization is well run and has a fairly robust security infrastructure that includes layers of antivirus, spam filters, and monitored IDS and IPS systems. This isn’t exactly a mom and pop shop.
Several days before the incident in question, my team conducted a social engineering test as part of a broader penetration testing engagement which consisted of phishing emails sent to employees throughout the organization in an attempt to harvest credentials. We had some success in getting a few sets of creds, called the test off, and the administrator notified the employees of the test. Several days later, I was contacted by the administrator asking if I had conducted another social engineering test (which we had not). When I responded to the negative, he forwarded me an email that had been received from one of his employees. The employee in question had been part of the previous social engineering test and thought that the email looked suspicious.
The email had been received by the employee from a known third party vendor and contained what appeared to be a link to download a document from the vendor’s website. The nature of the relationship between the client and the vendor would periodically involve the exchange of information in a similar manner, however the employee was not expecting such an email and subsequently contacted the vendor to check on its legitimacy before clicking on anything. Sure enough, the vendor did not send the email. The employee forwarded the email to the administrator, who immediately contacted me.
I fired up a sandboxed workstation, took a snapshot, and started digging. Unlike many phishing schemes with links to random URLs, the URL pointed directly to a page on the vendor’s website. Visiting the website (safely from my sandboxed browser) revealed a credential harvesting site prompting to enter a username and password in order to download a document. The site was scraped from an Adobe website and quite honestly looked pretty good to the untrained eye. I immediately contacted the client and advised that all indications was that the vendor’s website had been hacked. By the time I revisited the site several minutes later to run a packet capture and attempt to further trace the origin of the attack, the site had been taken down.
Email headers indicate that the email came from Nigeria (not the most savory of countries when it comes to online fraud), although this may not necessarily be the ultimate starting point. The email was relayed through Google SMTP servers; the vendor’s MX record indicates that the vendor uses Google as their email host and quite possible could have served an authenticated relay to the attacker who had compromised the vendor’s employee.
An effective information security training program and regular social engineering tests provided the employee with the knowledge and skepticism to do EXACTLY what they should have done, despite the fact that:
- The email came from somebody they knew, had legitimate sender information, and even had the vendor’s email signature at the bottom
- The email managed to bypass a robust spam filtering system (which actually gave our team a fit when conducting our phishing test)
- The nature of the client-vendor relationship would regularly involve transfer of documents between the organizations so the scenario was entirely plausible
- The site was hosted on the vendor’s compromised website so the link in the email for all intents and purposes looked legitimate
Under such circumstances, the average person who had not been exposed to regular training and testing would likely have clicked the link without thinking twice. Thumbs up from the pentesting team!