
Thread: Phishing

  1. #1
    Orca Whisperer W3WN's Avatar
    Join Date
    Dec 2007
    Location
    Castle Shannon, PA
    Posts
    19,316

    Phishing

    Back in February, we had mandatory training for all users in the building, about what to do about suspicious emails, attachments, and anything else that could constitute a Phishing attempt.

    So, yesterday afternoon, one of our users gets an unexpected "view information in spreadsheet" email, allegedly from a client.

    E-mail address is not the client's. Not even close.
    The e-mail recipient is not her, nor that of the account exec.
    There is no Excel spreadsheet attached. There is a PDF that tells the reader to go to a portal site and create a login.

    Classic signs. Almost exactly what we covered in the class. So what does she do? In order:

    Opened the email
    Opened the PDF
    Followed the link
    Entered her company email address on the site, and created a password (which she swears she has never used anywhere else)
    Attached the suspicious email & attachment to our file management system
    Forwarded the email, with attachment, to the account exec
    Forwarded the email back to the original sender, which verified it's a legit email address
    Forwarded the email to the client, at his actual email address, and asked if he really sent this.
    Finally, opened a Help Desk ticket to let us know.

    I was on my way home when this happened, so I immediately replied to her via email DON'T OPEN THE EMAIL UNTIL FURTHER NOTICE. Her reply? "Oh, he changes his email all the time." followed by "Maybe it's his father's email"

    KB3ERQ, who was still "on duty", took over at that point and went to talk with her. She denied she did anything wrong, and insisted that we had to help her open the "spreadsheet". Only after the actual client replied to her, 3 hours later, saying "my email was hacked, don't open anything" would she admit that maybe, just maybe, something wasn't quite right.

    (They had a long and somewhat unpleasant conversation, which I'm skipping over. To put it bluntly, we can't figure out if she's stupid, stubborn, or trying to cover her anatomy -- or some combination thereof)

    *sigh*

    No, I'm not allowed to shoot her.

    We are going to sit down and have a word with our boss, followed by the three of us having a word with the company Compliance Officer who ran the seminar, and then a word with the user's supervisors. HR might have to get involved as well. Suffice to say that she won't be happy with us afterwards. I THINK we dodged a bullet -- this time. We won't get so lucky the next time, though.

    [ No, I can't summarily fire her. Or I would have. ]
    “Nobody is going to feel sorry for us. 90% of the people don’t care, the other 10% are glad it happened.” — Clint Hurdle, 2019

    BAN THE DH!

    Fudd's First Law of Opposition: If you push something hard enough, it WILL fall down.
    Teslacle's Deviant to Fudd's Law: It goes in, it must go out.

    Just remember: Abraham Lincoln didn't die in vain. He died in Washington, DC

    Cutch 2K!!

    “Nero fiddled while Rome burned. Trump golfed.” — Bernie Sanders

    Quando Omni Flunkus Moritati
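The three tells in this post (sender address that is not the client's, a recipient that is not the user, and a PDF carrying a "create a login" link where a spreadsheet was promised) are exactly what a mailbox-side triage check can score before anyone clicks. The following is an added example in Python; it is not code from the thread or anything the poster's shop runs. The sample message, the client domain list, the expected-recipient value and the lure phrases are all constructed for the demo.

```python
"""
Added example (not from the thread): score the phishing indicators listed
in the post against a parsed message. Everything below (message, domains,
recipient, phrases) is constructed for the demonstration.
"""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

# --- Constructed sample message, modelled on the one in the story --------
SAMPLE_EML = """\
From: "Bob Client" <bob.client@mail-notify.example.net>
To: accounts@example-corp.test
Subject: View information in spreadsheet
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi, please view the information in the attached spreadsheet.

--b1
Content-Type: application/pdf; name="Invoice.pdf"
Content-Disposition: attachment; filename="Invoice.pdf"

%PDF-1.4 (constructed stand-in for the PDF text) To view the document go to
https://secure-portal.example.net/login and create a login with your email.
--b1--
"""

# Constructed reference data the checks compare against.
KNOWN_SENDER_DOMAINS = {"clientco.test"}            # domains the real client mails from
EXPECTED_RECIPIENT = "jane.doe@example-corp.test"   # the user who actually received it

SPREADSHEET_EXT = (".xls", ".xlsx", ".xlsm", ".csv")
LURE_PHRASES = ("create a login", "create an account", "sign in to view", "verify your email")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_eml, known_sender_domains=KNOWN_SENDER_DOMAINS,
           expected_recipient=EXPECTED_RECIPIENT):
    """Return a list of (indicator, detail) tuples found in the message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []

    # 1. Sender: the address domain is not one the client actually uses.
    _name, sender = parseaddr(msg.get("From", ""))
    if domain_of(sender) not in known_sender_domains:
        findings.append(("sender-domain-mismatch", sender))

    # 2. Recipient: the user who got the mail is not the one addressed.
    rcpts = {a.lower() for _n, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if expected_recipient.lower() not in rcpts:
        findings.append(("recipient-not-addressed", ", ".join(sorted(rcpts))))

    # 3. Attachment type vs. claim: subject promises a spreadsheet, none attached.
    subject = msg.get("Subject", "").lower()
    attachments = list(msg.iter_attachments())
    names = [(a.get_filename() or "").lower() for a in attachments]
    if ("spreadsheet" in subject or "excel" in subject) and \
            not any(n.endswith(SPREADSHEET_EXT) for n in names):
        findings.append(("claimed-spreadsheet-missing", ", ".join(names) or "<none>"))

    # 4. Attachment content: a link plus "create a login" style wording.
    for part in attachments:
        content = part.get_content()
        text = content.decode("utf-8", "ignore") if isinstance(content, bytes) else str(content)
        urls = URL_RE.findall(text)
        lure = [p for p in LURE_PHRASES if p in text.lower()]
        if urls and lure:
            findings.append(("credential-lure-in-attachment",
                             f"{part.get_filename()}: {urls[0]} ({lure[0]})"))
    return findings


def verdict(findings):
    """Three or more independent indicators: hold the mail and report it."""
    return "HOLD-AND-REPORT" if len(findings) >= 3 else "REVIEW"


if __name__ == "__main__":
    found = triage(SAMPLE_EML)
    for indicator, detail in found:
        print(f"{indicator}: {detail}")
    print("verdict:", verdict(found))
```

The checks deliberately look at the same things the training class covered, so a hit list like this can be handed to the user (or the help desk) as the reason the mail was held. Each indicator is weak on its own; it is the combination that matters, which is why the verdict requires several of them.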


  2. #2
    Conch Master KJ3N's Avatar
    Join Date
    Jul 2009
    Location
    A secret cave in northern Delaware.
    Posts
    9,113
    Quote Originally Posted by W3WN
    (... To put it bluntly, we can't figure out if she's stupid, stubborn, or trying to cover her anatomy -- or some combination thereof)
    To paraphrase from one of my favorite movies: "Woman, you don't know whether you've been shot, fucked, powder-burned or snake-bit."
    "People Who Don't Want Their Beliefs Laughed at Shouldn't Have Such Funny Beliefs" -AD5MB

    "If someone tells you he believes in and talks to an invisible bunny named Harvey, you put him on medication and a regimen of therapy. If someone tells you he believes in and talks to God, well, that's perfectly acceptable. Why that's the case is impossible for me to fathom." - WP2XX




  3. #3
    Administrator N8YX's Avatar
    Join Date
    Feb 2007
    Location
    Out in the sticks
    Posts
    26,070
    In some circles, the first strike is a mandatory write up and suspension if A) You've taken said security training, and B) Your actions caused your employer to experience significant loss, damage to brand or both.

    In certain other (tighter) circles, it wasn't a game of baseball. Strike 2 involved you being escorted to the parking lot via the HR office by me and one or more of my contemporaries (when I worked Operations).

    This kind of scenario belongs as a set of questions in the interview process, as an idiot screen.
    "Everyone wants to be an AM Gangsta until it's time to start doing AM Gangsta shit."

  4. #4
    Orca Whisperer W3WN's Avatar
    Join Date
    Dec 2007
    Location
    Castle Shannon, PA
    Posts
    19,316
    Quote Originally Posted by N8YX
    In some circles, the first strike is a mandatory write up and suspension if A) You've taken said security training, and B) Your actions caused your employer to experience significant loss, damage to brand or both.

    In certain other (tighter) circles, it wasn't a game of baseball. Strike 2 involved you being escorted to the parking lot via the HR office by me and one or more of my contemporaries (when I worked Operations).

    This kind of scenario belongs as a set of questions in the interview process, as an idiot screen.
    Ah, yup.

    Unfortunately, I don't believe (Middle) Management will take this type of thing seriously until someone gets hosed. And we've had some close scares before, but nothing... yet. They are not grasping that just because we keep dodging bullets doesn't mean we will always be able to do so.

    The owners do take it seriously, but when it comes to things like this person's actions, they may not hear about it from middle management until it is too late.

    IT takes it VERY seriously. And our boss is dealing with this. Suffice to say that the excuse of "oh, she's been here many years and is set in her ways" is NOT an acceptable answer -- to us.


  5. #5
    Administrator N8YX's Avatar
    Join Date
    Feb 2007
    Location
    Out in the sticks
    Posts
    26,070
    Quote Originally Posted by W3WN
    ...
    IT takes it VERY seriously. And our boss is dealing with this. Suffice to say that the excuse of "oh, she's been here many years and is set in her ways" is NOT an acceptable answer -- to us.
    Your firm may need to implement detective and preventative controls if the owners aren't willing to take the heavy-handed approach. IDS/IPS and DLP technologies are a good starting point, but what you'll need to be truly effective in that space is behavior-based detection, coupled with white-listing of permitted actions and resources.

    In a nutshell: If Suzie is attempting to use her domain credentials outside of her work domain (i.e., registering a profile on an external URL) that action is blocked and an alert sent to Operations. Products in this space are available in inline, endpoint and hybrid configurations. If your staff is permitted to take their laptops home with them, I strongly recommend the use of comprehensive endpoint protection, controlled by a central management server (with no way for users to defeat it).
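As an added illustration of the control N8YX describes (block the action and alert Operations when a corporate identity is entered on a resource outside the allow-list), here is a small Python detector run over constructed proxy log lines. It is not code from the thread or from any product; the JSON-lines log format, host names, user names, the corporate domain and the allow-list are all assumptions made for the demo.

```python
"""
Added example (not from the thread): behaviour-based detection of a
corporate identity being used on a non-approved resource, in the spirit
of the control described in the post. Log format, hosts, users and the
allow-list are constructed for the demonstration.
"""
import json
from urllib.parse import parse_qs, urlsplit

CORP_DOMAIN = "example-corp.test"   # constructed corporate mail / AD domain

# Resources where a corporate identity is expected (constructed allow-list).
ALLOWED_IDENTITY_HOSTS = {
    "sso.example-corp.test",
    "mail.example-corp.test",
    "approved-saas.example.com",
}
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}
IDENTITY_FIELDS = {"email", "username", "user", "login", "upn"}

# Constructed proxy records, one JSON object per request. Secret values are
# never logged by the proxy in this model; "REDACTED" is what the log holds.
SAMPLE_LOG = """\
{"ts":"2019-06-12T15:41:02Z","user":"suzie","method":"POST","url":"https://sso.example-corp.test/login","form":"username=suzie%40example-corp.test&password=REDACTED"}
{"ts":"2019-06-12T15:42:10Z","user":"suzie","method":"GET","url":"https://secure-portal.example.net/register","form":""}
{"ts":"2019-06-12T15:43:55Z","user":"suzie","method":"POST","url":"https://secure-portal.example.net/register","form":"email=suzie%40example-corp.test&password=REDACTED&password2=REDACTED"}
{"ts":"2019-06-12T15:50:00Z","user":"bob","method":"POST","url":"https://shop.example.org/newsletter","form":"email=bob.home%40example.org"}
"""


def classify(record):
    """Return (action, reason) for one proxy record.

    action is one of: allow, alert, block+alert.
    """
    if record["method"].upper() != "POST":
        return ("allow", "not a form submission")

    host = urlsplit(record["url"]).hostname or ""
    fields = parse_qs(record.get("form", ""), keep_blank_values=True)

    identity_values = [v for k, vs in fields.items()
                       if k.lower() in IDENTITY_FIELDS for v in vs]
    corp_identity = any(v.lower().endswith("@" + CORP_DOMAIN) for v in identity_values)
    has_secret = any(k.lower() in CREDENTIAL_FIELDS for k in fields)

    # Allow-listed resources: using the corporate identity there is the job.
    if host in ALLOWED_IDENTITY_HOSTS:
        return ("allow", f"{host} is an approved identity resource")
    # Identity plus a password field going anywhere else: stop it and page ops.
    if corp_identity and has_secret:
        return ("block+alert", f"corporate identity and a password sent to non-approved host {host}")
    # Identity alone (e.g. registering a profile): still worth an alert.
    if corp_identity:
        return ("alert", f"corporate identity used on non-approved host {host}")
    return ("allow", "no corporate identity in submission")


def run(log_text):
    """Classify every record in a JSON-lines log; return the alerts raised."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        action, reason = classify(rec)
        if action != "allow":
            alerts.append({"ts": rec["ts"], "user": rec["user"],
                           "action": action, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["user"]} {alert["action"]}: {alert["reason"]}')
```

The decision keys off the identity field, not the password, so the proxy never needs to log or inspect secret values to catch the account-registration step from the original story. Where the check runs matters as much as the logic: as the post says, it has to sit inline (a forward proxy with TLS inspection) or on the endpoint under central management, otherwise a laptop taken home simply bypasses it.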

  6. #6
    Orca Whisperer W3WN's Avatar
    Join Date
    Dec 2007
    Location
    Castle Shannon, PA
    Posts
    19,316
    Quote Originally Posted by N8YX
    Your firm may need to implement detective and preventative controls if the owners aren't willing to take the heavy-handed approach. IDS/IPS and DLP technologies are a good starting point, but what you'll need to be truly effective in that space is behavior-based detection, coupled with white-listing of permitted actions and resources.

    In a nutshell: If Suzie is attempting to use her domain credentials outside of her work domain (i.e., registering a profile on an external URL) that action is blocked and an alert sent to Operations. Products in this space are available in inline, endpoint and hybrid configurations. If your staff is permitted to take their laptops home with them, I strongly recommend the use of comprehensive endpoint protection, controlled by a central management server (with no way for users to defeat it).
    I hear you.

    A recommendation to that effect was already made. I do not know where it stands at the moment.


  7. #7
    The Fluid of Spock KD8TUT's Avatar
    Join Date
    May 2016
    Location
    Lake Michigan Beach MI
    Posts
    2,194
    Quote Originally Posted by W3WN
    Ah, yup.

    Unfortunately, I don't believe (Middle) Management will take this type of thing seriously until someone gets hosed. And we've had some close scares before, but nothing... yet. They are not grasping that just because we keep dodging bullets doesn't mean we will always be able to do so.

    The owners do take it seriously, but when it comes to things like this person's actions, they may not hear about it from middle management until it is too late.

    IT takes it VERY seriously. And our boss is dealing with this. Suffice to say that the excuse of "oh, she's been here many years and is set in her ways" is NOT an acceptable answer -- to us.
    We've got a sysadmin who is hanging some Windows servers out on the net without being patched for WannaCry. I noticed it and bounced it up the chain loudly.

    Monday when I come in and the SANs are encrypted, I expect a promotion... right after he is exited from the building.
    --
    So there I was, totally naked. With only a rubber hose and a stuffed animal...

  8. #8
    Administrator N8YX's Avatar
    Join Date
    Feb 2007
    Location
    Out in the sticks
    Posts
    26,070
    Quote Originally Posted by KD8TUT
    We've got a sysadmin who is hanging some Windows servers out on the net without being patched for WannaCry. I noticed it and bounced it up the chain loudly.

    Monday when I come in and the SANs are encrypted, I expect a promotion... right after he is exited from the building.
    Exposing SMB/CIFS through a firewall without benefit of a VPN and inline IDS/IPS ought to be grounds for termination itself.

  9. #9
    The Fluid of Spock KD8TUT's Avatar
    Join Date
    May 2016
    Location
    Lake Michigan Beach MI
    Posts
    2,194
    Quote Originally Posted by N8YX
    Exposing SMB/CIFS through a firewall without benefit of a VPN and inline IDS/IPS ought to be grounds for termination itself.
    I'm new at the company... give me time to fix everything :)

  10. #10
    Conch Master W2NAP's Avatar
    Join Date
    Mar 2008
    Location
    W2NAP
    Posts
    5,942
    what a mess
    I AM THE VOICE OF THE VOICELESS!
