Categories: Cyber Crime

Can cybercrime use the services of regular companies?

Attacks by humans against humans, as the preliminary phase of a bigger cyber attack, will become harder to mitigate. Let's see how cybercrime works.

Standard incident response requires finding out the real extent of the incident. This is why we have all the monitoring tools, where we can look for matching patterns. Exploiting humans is quite normal nowadays; even after they have received all the trainings, they're still vulnerable. You can't patch them.

Over the years I've learned that prior to a fraud attempt there is always a wave of "social engineering" calls. It lasts from two weeks up to two months. The calling number stays the same; 4-5 different voices present themselves with various names, telling various stories, trying to get information about the company and so on. The quality of the attempts varies, but never reaches perfection.

Recently we've been investigating an incident that confirmed my old doubts about ethics in IT security and in business as a whole: there are no ethics at all. Various branches worldwide of one company received a series of calls from India, all of which were of course recorded. A male or female voice on the other side claimed to be a colleague from a different branch. He/she requested to be put through to another colleague or wanted to know this or that, and if not satisfied became aggressive or claimed to be in need of help. The first warning sign was that the quality of the attempt was above average, but one would say this is an obvious social engineering scam, and we thought the same for a while. When we parsed the PBX logs we found that these numbers had been calling us quite frequently in the last few days. But a bigger surprise than the call frequency popped up when we researched the phone numbers on the Internet.

We found out that these belong to a company that offers very interesting research activities, maybe business intelligence, marketing research or even pre-headhunting. Their website says:

"…name gathering of professionals from the target list of companies- Name, Job Title, Direct Dial / Mobile number, E-mail address etc…". If you ever deal with cybercrime, you know that exactly this information is the background for a successful attack. But there's more: "…we map targeted departments to understand team structures, hierarchies…".

Another part of the website claims that they also use Internet resources (OSINT?).

Once again we analyzed the phone calls and found out that these individuals use the finest social engineering tricks. They most likely have very structured and detailed communication manuals, as they were very persistent and gave up at a very late stage compared to the "common" phone social engineers. And since they are not even using their real names and are trying to retrieve even internal data, they are behaving in the same way as criminals.

At this point we understood that this company is using the same approach as sophisticated cybercrime. The goal is to have the complete organizational structure of the key departments with all the persons, including their business and private details, such as phone numbers, email addresses, LinkedIn and Facebook profiles and much more. This set of information is highly explosive material that in the hands of criminals can turn into a nuclear catastrophe for the affected company. We don't know who has the contract with this research company to do research of this kind, but their actions are beyond common ethics. Yet they claim on their website to have ethical codes of conduct and strict policies to ensure compliance.

How to respond to this type of incident? We blocked the number prefixes worldwide and informed the key persons about the ongoing campaign; we distributed once again the educational materials covering phone scams and phone social engineering attempts and emphasized the important points where end users can find salvation. As of today we know we didn't suffer any significant damage, and the lesson we learned was necessary. We know where to improve, but we also know that cybercrime will use the services of regular companies that do not have any ethical code at all.
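The PBX-log check described above (the same inbound numbers calling several branches repeatedly) and the prefix block applied afterwards, as an added example that is not code from the original article; the CDR line format, the branch names and the phone numbers are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample PBX call-detail records (CDR), not from the article.
# Fields: timestamp, branch, direction, caller, callee. Numbers are placeholders.
CDR_LINES = """\
2024-03-01T09:12:05 berlin IN +915550000101 +49301000
2024-03-01T09:40:17 berlin IN +915550000101 +49301002
2024-03-01T10:05:44 prague IN +915550000101 +42021000
2024-03-01T11:30:02 prague IN +915550000102 +42021003
2024-03-02T08:55:21 london IN +915550000101 +44207000
2024-03-02T09:02:10 london IN +441632960123 +44207001
2024-03-02T09:14:33 berlin OUT +49301000 +915550000101
2024-03-02T14:20:09 prague IN +915550000102 +42021001
2024-03-03T10:01:55 london IN +915550000102 +44207002
"""

CDR_RE = re.compile(r"^(\S+)\s+(\S+)\s+(IN|OUT)\s+(\+\d+)\s+(\+\d+)$")


def parse_cdr(text):
    """Parse CDR lines into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if m:
            ts, branch, direction, caller, callee = m.groups()
            records.append({"ts": ts, "branch": branch, "dir": direction,
                            "caller": caller, "callee": callee})
    return records


def suspicious_callers(records, min_calls=3, min_branches=2):
    """Inbound callers that repeatedly hit more than one branch: the pattern
    of the campaign described in the article. Outbound legs are ignored."""
    calls = defaultdict(int)
    branches = defaultdict(set)
    for r in records:
        if r["dir"] != "IN":
            continue
        calls[r["caller"]] += 1
        branches[r["caller"]].add(r["branch"])
    return {n: {"calls": calls[n], "branches": sorted(branches[n])}
            for n in calls
            if calls[n] >= min_calls and len(branches[n]) >= min_branches}


def is_blocked(number, prefixes):
    """Prefix block of the kind applied worldwide after the incident."""
    return any(number.startswith(p) for p in prefixes)
```

Feeding real CDR exports through `suspicious_callers` with thresholds tuned to the organisation's normal inter-branch traffic gives the same cross-branch view the article's investigation got from the PBX logs.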

Besides the APTs we're facing, attacks from humans against humans as the preliminary phase of a bigger cyber attack will become harder to mitigate. User awareness trainings have to be adapted to cover these topics too, but be as simple as possible. Employees overloaded with information can't properly respond to attack attempts. What about us, the security people? We should keep our minds open to see the coming future and get ready.

Boris Mutina 

Boris Mutina is a freelancer with more than a decade of experience in IT, security audits and advisory, education, cybercrime analysis and investigation. Among other projects he is currently developing, with another freelancer, an online brand protection and information leakage detection tool.

(Security Affairs – cybercrime, security)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
