Happy Friday Everyone!
You would think we wouldn't be excited about someone trying to criminally take advantage of us, but this was our first attack on Giga-Green soil! We want you to learn from our experience and break down the lengths some individuals will go to in order to scam your organization. We admittedly encouraged the attacker in order to gather more information and give more exposure to the attacks and tricks being used.
Quick explanation of phishing and social engineering: Phishing is the use of e-mail to gain information or goods/money through unlawful means. Social engineering is the manipulation of individuals, often in conjunction with e-mail or other types of scams.
I had to alter the names of the actual company and individuals being impersonated by the attackers, as they are real people and a real company.
Monday, I received an e-mail from a potential customer with no misspellings, using a polished e-mail signature with links to company resources. It was a bit odd that it was addressed to me directly rather than to a more public-facing e-mail address, but I forwarded it on to inside sales for a quote. I sent the customer the quote and they said they would be in touch in a couple of days with pricing approval.
Tuesday – No contact. It was a nice day; I had a mocha outside on a patio…
Wednesday, the customer responded again, saying that we had been approved as the vendor and they would be sending a purchase order. This of course was good news, and I started researching our new customer to learn more about them.
I copied the domain from the e-mail address (@domain.com) and pasted it into a web browser. I was directed to a legitimate company website based in California that matched all the information in the individual's e-mail signature. I was able to find LinkedIn profiles and company profiles for both of the individuals I was working with at the organization. No red flags here. Great, new customer!
Thursday, we received a signed purchase order from the organization's head of purchasing. At this point I was asked to approve the order, as it was for $158,000 of hardware being shipped out of state. I advised the customer of our business policy that first-time out-of-state customers require funds to clear before any hardware is shipped.
The customer then produced documents and financial statements requesting Net 30 terms. This was an immediate alarm, as it was against standing business policy, and we would not proceed further without following normal policies.
Not wanting to lose a potential customer, I called the number listed in the individual's e-mail signature. He answered and we rationally discussed both sides' concerns. He was going to work with the head of purchasing to see what he could make happen. I then received an e-mail from the head of purchasing stating they could not comply and would have to find another vendor.
So I immediately called and agreed to their terms and conditions and shipped them 500 portable hard drives – NO WAY!
Business policy is there for a reason. It was now time to snoop, and snoop hard we did.
Looking closely at the e-mail address, the domain was an altered version of the real company's website domain. They had set up a URL redirect to the real company website and were using legitimate names from that organization. We had been suspicious long before this, but now the gloves were off!
The domain they were e-mailing from wasn't registered or hosted by the same providers as the legitimate organization's domain; we found this out through MX and WHOIS lookups of their domain versus the legitimate one. The phone numbers in their e-mail signatures didn't match those on the public website, and they were using a different ship-to address.
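Those same checks (lookalike domain, MX and WHOIS mismatch, signature phone numbers versus the public website, unfamiliar ship-to address) can be turned into a repeatable vendor-verification routine. This is an added example, not code from Giga-Green; it assumes you have already collected the MX hosts, registrar and nameservers for both domains with your own lookups, and the domain names, phone numbers and addresses used with it are constructed sample data.

```python
"""Added example, not Giga-Green's own code: the vendor checks described
above, scored from facts you collect first (MX and WHOIS lookups of the
sender's and the legitimate domain, the public website's phone numbers,
known ship-to addresses). All values used with it are constructed."""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class DomainFacts:
    name: str               # the domain after the "@"
    mx_hosts: frozenset     # mail exchangers from an MX lookup
    registrar: str          # registrar from WHOIS
    nameservers: frozenset  # NS hosts from WHOIS / NS lookup

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(candidate: str, legit: str) -> bool:
    """The altered-domain pattern from this incident: same name under
    another TLD, the real name with extra words/hyphens, or a few edits."""
    if candidate == legit:
        return False
    c_label, l_label = candidate.rpartition(".")[0], legit.rpartition(".")[0]
    return (c_label == l_label
            or l_label.replace("-", "") in c_label.replace("-", "")
            or levenshtein(c_label, l_label) <= 2)

def digits(phone: str) -> str:
    return re.sub(r"\D", "", phone)  # compare numbers by digits only

def assess_sender(sender, legit, sig_phones, public_phones, ship_to, known_ship_to):
    """Returns the red flags found; an empty list means every check matched."""
    flags = []
    if is_lookalike(sender.name, legit.name):
        flags.append("lookalike domain")
    if not sender.mx_hosts & legit.mx_hosts:
        flags.append("MX hosts differ from legitimate domain")
    if sender.registrar != legit.registrar or not sender.nameservers & legit.nameservers:
        flags.append("registrar/nameservers differ from legitimate domain")
    if not {digits(p) for p in sig_phones} & {digits(p) for p in public_phones}:
        flags.append("signature phone numbers not on public website")
    if ship_to.strip().lower() not in {a.strip().lower() for a in known_ship_to}:
        flags.append("ship-to address not a known company location")
    return flags
```

Any non-empty result is a reason to stop and verify through a phone number taken from the public website, not from the e-mail signature.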
Well the deal is dead but there is still fun to be had!
I called the phone number from the head of purchasing's e-mail signature. He answered, I asked for my contact by name, and he said it was him. I then requested a three-person meeting between all of us to approve the order. He fumbled around for excuses, and I asked him for his name. He gave me the head of purchasing's name instead of my contact's name. I asked again for a three-way conference – Click!
We did not experience any loss of data, money, or information through this experience and remain ever vigilant against cyber threats! We hope you are able to learn from our experience; we always need to generate awareness of the types of threats out there!