By Jon Taylor
Director and Principal of Security, Versa Networks
A lot of vendors lately have been talking about how they can help companies be “less hackable” through the implementation of advanced technology, reducing the attack surface, etc. One item you don’t hear security vendors talking much about is how companies can implement some basic security awareness policies that can also drastically reduce the chances of being compromised, or at least make it a bit harder for bad actors to gain access to the network.
One example that we can discuss in detail was an event that happened at the Defcon Social Engineering Village this year. One such opportunity was thoroughly demonstrated, although I honestly couldn’t believe my eyes (and ears!). On Day One they were having a vishing competition, where teams were placed into a sound booth with a phone dialing system, and they cold-called different businesses to probe for sensitive information on how these companies secured their environments. Now, one might say that there’s no way that someone doing this would really gather anything useful, but the results will absolutely surprise you, as they did me.
Vishing meets supply chain
Now, these vishers weren’t trying to call and gather information from the IT departments of major companies, but instead they were calling franchisees of large companies that we know (and love!). The competing teams were tasked with gathering some key pieces of information, and to do so were calling the individual franchises and acting as if they were from corporate parent company posing at the IT department, franchise relations, or even another franchisee. What’s interesting about this information is that it would have given these vishers the ability to backdoor and compromise not just the franchise, but also gain access to the corporate system as well. The information they were gathering ultimately centered around the franchise-accessed resources provided by the parent company, including technologies such as VPN/ZTNA services and secure websites published to the internet as examples. Some of the resources they were probing for were corporate ordering, timecard/revenue entries, other types of inventory control, etc. They would also ask questions about the type of antivirus/anti-malware being used on the machines, especially the point-of-sale terminals.If the above sounds bad, it was actually worse. During the exercise, at some point they would have the "mark” go to a mocked-up website from a point of sale (POS) terminal that would self-install a piece of malware, which allowed them to gain access to the computer. Now imagine what would happen if this POS terminal became compromised in some way. Just the amount of credit card information alone would be incredibly valuable on the dark web if it was to be sold. Also, if this terminal had any type of access to the parent network, then the payload could allow the malicious actor to enter the parent corporate system and do anything from planting ransomware to exfiltrating sensitive data. During one call, an employee even offered to share her computer screen and show the visher how they logged into each system using a VPN service and offered up usernames and passwords. If this had been a real malicious actor gathering this information, then this would have been disastrous for both the parent company as well as the franchise as the incident response, public disclosure, and loss of reputation could cost millions.
Now one might say that this is an example of a small business being targeted so of course there isn’t going to be security awareness training, and as long at the parent company has the right security tools they will not be breeched. Well, the latest example of this is the MGM incident. The exact same thing happened to a major corporate brand where someone was able to perform a vishing exercise and ultimately gained access to the corporate environment.
