What micro-attacks the office constantly receives: childish social engineering and phishing



    Hello!

    We have various contacts exposed to the outside, including the direct e-mail of the founder and of all the department heads. And of course the office phone, call-center contacts and all that jazz. The phone numbers of regional managers are printed on receipts.

    Accordingly, about 80 percent of this infrastructure is constantly subjected to small, let's say, domestic social-engineering attacks. From innocent and in places even naive to damned inventive. Socially inventive.

    Common attacks on shared contacts


    As a rule, what a company "shows" to the outside is mail of the info@ type and the phone of the office or the online store. All sorts of advertising agencies, printing houses, cleaning services and SEO shops really want to sell something to a more or less large business. So they take the phone or the address and simply dump their offer there, hoping it will reach whoever it is meant for. Naturally, it reaches exactly where it belongs - the trash. Fortunately, all proposals of this kind are written identically and differ little from ordinary spam.


    How to become a pharmacy chain in 5 minutes

    The second level: all these nice people who want to sell you something hire an external call center to make "cold" calls. This is a real spam industry. The only goal of such an outsourced call center is to get the name of the decision maker and their contact details. And this is where the attempts to socially engineer the secretary or the call-center operator begin.

    A harmless option:
    - Hello, is this the procurement department? Oh, then connect me with procurement, please.

    A little more complicated, childish, but still working: the ticking-timer technique:
    - Good afternoon. The "Business Moscow" publication. Today we want to get a comment from the general or commercial director of your company about sales efficiency in our region. Please connect me with him or give me a direct contact.
    - ...
    - How can I contact him? We need to do this today, before lunch.
    - ...
    - Thank you, and what are his first name and patronymic?

    Naturally, the correct reaction is to take the "journalist's" contact details and forward them inside, without letting the person go any further. Or give a public redirect to the e-mail of whoever they asked for.

    The third stage cannot do without LinkedIn or studying the website. The call is made at 9:55, at lunchtime or at 18:05:
    - Hello! Is Daniel in right now? No? An urgent question from Labean LLC regarding order 2512, give me his phone number, please.

    And the most annoying option:
    - This is Roskomnadzor, we have a couple of questions, the director, urgently! You have 10 seconds to put me through.
    After being put through it goes like this:
    - Hello, Irina, Labean LLC. Tell me, what kind of accounting system do you use?

    The correct answer would be: "Then you have 5 seconds to introduce yourself and present your official ID, unfolded."

    Next stage


    The first "cold external" call center can simply work as an API for obtaining company contacts. These contacts can go directly to the customer or, especially in the case of advertising and production companies, to a second "cold" call center. There, the operators do their best to turn the contact into a meeting. But at the same time they cannot answer any questions at all.

    I note that, in general, there are no vulnerabilities as such in the second case - the social engineering has not yet gone beyond what is socially acceptable. The main problem is that once you get into such a database of at least one advertising agency, your contacts will fly all over the world.

    I gave different people different e-mails and different phone numbers, and then for a couple of years I watched the dynamics. The most pleasant surprise was that the metro advertising service (billboards over the escalators) was handing out its customer database to whoever asked. I am happy that they were squeezed out of the market.

    By the way, in everyday terms, such a spread of contacts is reminiscent of the work of the Akado operators - these devils called me another 8 times within two years after I disconnected and announced the termination of personal-data processing. The first two times I just explained to them what would happen if they called again, and then I started persuading them to come for an installation: twice to the old address, twice to the address of my friend's private security firm. For some reason they no longer call. Probably installed.

    The next method: "You are so cool that I'm speechless"


    If the e-mail of the right person is available, something resembling the beginning of a friendship with a journalist is written to it. One befriends a journalist like this: praise him for his last two pieces and offer a topic for the next one. Hence the saying in the professional environment: "Do you love me, or is it PR?"

    So, template letters in the spirit of "I bought from you, I'm delighted, everything is great, I just noticed that you are not using Direct to the fullest, let's meet." Sometimes it's true. It's easy to tell them apart: if the letter contains at least minimal specifics, it's a real person. If you can replace the name of your company with "Channel, Beam LLC" and the essence does not change - this is spam.

    Sometimes they immediately offer something for free, for example, an audit. The result of this audit is more contacts and a commercial offer. In general, it is the same simplest way of selling; so far without tricks.

    Once one of our animators (the event kind, not the cartoon kind) replaced the girl-on-the-phone for a couple of hours. I witnessed a most interesting dialogue:
    - Mosigra, hello!
    - ...
    - Yes. Yes. On an important issue? No, he can't right now. Send it by e-mail.
    - ...
    - I'll dictate. "P", then "r" like the Russian "re", then "o", then "s" like a dollar sign, "h" which is the English "x", "e", "l", "n", "a" like "a", again "h" as "x", "game", "i" with a dot. Mosigra at dot ru. Read it back, is everything right?
    - ...!
    - Exactly. There, you said it yourself. Bye.

    We didn't let him near the phone any more.

    I love the way our animators think. They sometimes make excellent social engineers. That's the job.

    Do you have a couple of minutes to talk about God?


    There is a trickier combination strategy. For example, a person calls and says that he is a journalist from a certain publication (or website, or something else) and really wants a comment, just a couple of minutes. Since journalists should be protected and helped in every possible way, sharing open data is not a bad thing.

    The only problem is that this is not always an interview. With some probability this may be information gathering about the infrastructure - for example, which ERP software is used, etc. Accordingly, you then find yourself in a particular database for further use by those who specialize in this topic.

    The second scam: you are asked to take part in an industry survey in exchange for its results (survey now, results later). A couple of days after the survey the results arrive, along with a "gift" from some company, like a discount or a free audit.

    The third one: sometimes you still get the interview, then they publish it somewhere on a news site of the "100 views per month" kind, and then they start pushing their product at you. One beautiful lady selling call-center solutions distinguished herself this way. One thing I don't understand: if you have a good product, why such tricks? And if it's bad, are there really people who buy "through acquaintance" after such feints?

    The effect of everyone in CC


    This is not social engineering, but a nuisance.

    Some contractors have started putting every e-mail address found on the website in CC. Apparently for the same reason they put several exclamation marks at the end of a sentence. Since spammers do this in 99% of cases, such e-mails are immediately perceived as not very trustworthy. Plus, most often nobody answers these letters, because each recipient thinks that the other department in CC will answer.

    It is more correct to put one person in "To", the rest in CC, and write right away whom the letter is addressed to. It's like in critical situations - don't shout "Someone bring a first-aid kit", but pick one person and say: "The man in the red cap. Yes, you. Bring the emergency first-aid kit from that overturned car."

    The most unpleasant thing in this situation is when they forward one letter to each spammed address, and then for another three days forwards from different people keep arriving at the head of the corresponding unit.

    Special landing pages


    From time to time, social engineering aimed at personal e-mails arrives. As a rule, this is phishing with a redirect to somewhere you need to enter a password. Standard protection cuts off almost all of this rubbish (the main thing is to teach the user not to turn off the antivirus on personal laptops - or simply not to give them that option on work machines).

    The last vivid case was last year - they sent an attachment with a virus, "court ruling on LLC N" ("N" being our counterparty); the girl "could not" open it (more precisely, she opened the doc without any visible effect) and sent it to a colleague to try on a nearby laptop. Both did this on personal machines. And they will remember this incident for life.

    Very often letters arrive where the text makes it clear that it is not addressed to you personally, but that you "accidentally" got into someone else's important correspondence between two of your contractors or suppliers. And here is an important link (a contract, for example), just click.


    Do not click on the attachment. And moreover, do not carry it to an RDP terminal to open it through a browser there.

    Example:
    Dear colleagues!
    Hello!

    We inform you that our company is currently verifying documents, and since we do not have Appendix No. 8 to our agreement with you, I ask you to urgently sign it and deliver it to us by courier. I enclose the appendix in the attachment, as well as the reconciliation act as of the current date, which also needs to be signed:

    Thank you!

    Sincerely, Accountant, Nimbus LLC, Nikiforova Svetlana

    Attachments (2)

    1) Appendix.rar (link)
    2) Act of reconciliation.rar (link)
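The cues described in this section and the one on everyone-in-CC (mass To/CC, "this is not spam!!!" subjects, the high-priority flag, archive attachments named like contract paperwork, urgent "sign the attachment" wording, and a body that would fit any company) can be turned into a simple triage rule. This is an added example, not code from the original post or from Mosigra; the mail samples, addresses and the Mail structure are constructed for it.

```python
import re
from dataclasses import dataclass, field

ARCHIVE_EXT = re.compile(r"\.(rar|zip|7z)$", re.I)

@dataclass
class Mail:
    subject: str
    recipients: list          # everyone in To and CC
    priority: str             # value of the X-Priority header, "1" = highest
    body: str
    attachments: list = field(default_factory=list)

def score_mail(m: Mail, our_name: str) -> dict:
    # Each cue is one the post describes; the reasons list is the useful output.
    cues = [
        (len(m.recipients) >= 4, "mass To/CC"),                       # every address from the site
        (m.subject.count("!") >= 2 or "not spam" in m.subject.lower(), "pleading subject"),
        (m.priority == "1", "high priority flag"),
        (any(ARCHIVE_EXT.search(a) for a in m.attachments), "archive attachment"),
        (re.search(r"\burgent", m.body, re.I) and "attach" in m.body.lower(), "urgent attachment request"),
        (our_name.lower() not in m.body.lower(), "no specifics about us"),  # "Channel, Beam LLC" test
    ]
    reasons = [label for hit, label in cues if hit]
    return {"score": len(reasons), "reasons": reasons}

# Constructed samples (not real mail): the "Appendix No. 8" letter and a genuine request.
PHISH = Mail(
    subject="Documents for signing!!!",
    recipients=["info@example.test", "ceo@example.test", "sales@example.test", "hr@example.test"],
    priority="1",
    body="We do not have Appendix No. 8 to our agreement; I ask you to urgently sign it, the appendix and the reconciliation act are in the attachment.",
    attachments=["Appendix.rar", "Act of reconciliation.rar"],
)
LEGIT = Mail(
    subject="Mosigra order 2512: delivery slot",
    recipients=["logistics@example.test"],
    priority="3",
    body="Hello, Mosigra. Order 2512 for your store is ready; please confirm the Tuesday delivery slot.",
)

def triage(mails, our_name="Mosigra", threshold=3):
    # Return (subject, score, reasons) for every mail at or above the threshold.
    flagged = []
    for m in mails:
        r = score_mail(m, our_name)
        if r["score"] >= threshold:
            flagged.append((m.subject, r["score"], r["reasons"]))
    return flagged
```

The threshold is deliberately low because each cue alone is weak; the value of the output is the list of reasons a human can glance at before deciding whether to open anything.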


    An award as a way to harvest contacts


    One of them pulled contacts out in a very interesting way, by inviting us to an award ceremony. There was even an award website, listing a bunch of people who were going to come. The problem was that we hadn't applied for this award (and hadn't applied for anything at all), but it was supposedly a very neat way to get past the secretary and, amid the joy, get all the necessary contacts at once.

    Suspicion


    Naturally, the main e-mails lie beyond what "sticks out", i.e. an alias in the "To" field is issued to an external person or to someone already in dialogue with us. At the same time, the degree of paranoia keeps growing.

    Once the organizer of a retail conference called me to say that I hadn't responded to an invitation to participate as a speaker for two weeks now. I honestly admitted that I had thrown her letter into spam, because it was big, incomprehensible and very suspicious, since the subject was "We invite you to participate in an important conference". I remembered it, thinking it was a new kind of phishing.

    Another time, a new employee was offended for a long time that I didn't answer. The investigation revealed that, to be on the safe side, she had sent a letter with the subject: "Do not delete, please, this is not spam!!!". And set it to high priority. A year later the same trick was repeated by another nice girl from another unit, with the same effect.

    Iterative bypass


    Once a man called me who introduced himself as the director of RSS (an office equipment service). He started talking about what intelligent people we both were and how our companies should cooperate. After a couple of minutes he got to the point: he said we urgently needed to remove a negative review that our support officer had left. The essence of the review was that they did not complete the work within the promised time, and when we called, they were surprised and scheduled another month. I check the facts right in the conversation, even before talking to tech support (the dialogue below is from memory):
    - Wait a minute, you promised an SLA of 4 days, right?
    - Yes.
    - We called on the 5th, right?
    - Yes.
    - You didn't say anything before that, and only then did you say that it would take at least another month? Do I understand everything correctly?
    - Yes.
    - So what's the matter?
    - Yes, it's our screw-up. But, you see, your admin had no right to leave such a review... We are serious people!

    OK, I think, maybe they got something wrong somewhere. I take a timeout, contact the IT service, find out. Yes, that's how it was. There is also a second review - they wanted to take our server in for repair and replace the motherboard (it seems). The repair would have cost more than buying a new server. We ordered from another company a few days later and received it in reasonable time and at normal prices. Which is what the system administrator wrote about.

    The second call. I say: I checked the facts, I don't see any reason to distrust the system administrator, you yourself have confirmed everything. What's the matter? The dialogue went something like this:
    - Well, this is YOUR employee.
    - So what?
    - Let him remove the review!
    - Why?
    - He had no right to write on behalf of the company.
    - He wrote on his own behalf. I don't see an official letterhead or anything else there.
    - Forbid him to do this!
    - Why?
    - But if I buy a game from you and write a bad review, what will you do?
    - Imagine: I'd be glad, and fix the service somewhere.
    - What, you won't even ask him to remove it?
    - No.

    It seems that this perplexed him, and the "director" did not call again. We later looked this comrade up additionally and found out that he was just a manager.

    In general, fortunately, I have the mailbox noreply@mosigra.ru, and therefore I ask such people, who bypass everyone in the company, to send a written request there. It is actually active. For some reason they don't write.

    Noreply


    Recently, a person wrote to noreply with just the word "Hello." I answered something like "Hello," and then thought for a long time what kind of phishing this was. Maybe they needed my signature, the one with the phone number? But it's already listed on the site... It turned out that a Habr user was testing whether this mailbox really works for us.

    Getting calls


    Damn payment systems somehow stuck to me like a wet bath sheet and did not let go even after a direct refusal. Favorite phrase: "The last time we talked was a couple of months ago, and the story didn't end there. Has anything changed?" As if I hadn't refused, but merely postponed.

    Often, when asked for specific things like "calculate this for us", they say:
    - Good. I will send you a presentation.
    - Don't.
    - Why?
    - You calculate it for us and just send the numbers that I requested.
    - Well, let's see...
    And they send it anyway.

    They often try to impose a meeting from the very first letter. Like, let's discuss this important question, when can we come to your office? Never. But it's rude to answer like that, so I ask for the agenda of the meeting (main points), the way it's done inside the company. And it turns out there's nothing to talk about.

    It's even better when advertisers at the end of the dialogue ask when it makes sense to call me back. At first I gave real dates, for example, in June: "Well, I will be choosing a counterparty in this area again on January 20 after 14:00." Then it turned out they were calling back. Really. After 14:00. And, believing that I don't remember what I said, they begin: "You asked me to call and remind you about..." I did not ask. "We agreed to talk by phone" - we did not agree. Someone gave them a textbook on NLP, from which they learned only the basic presuppositions and started shoving them at people without any subtlety. Fortunately, it is precisely these constructions that expose novice pick-up artists and advertisers, and they burn themselves in the dialogue almost immediately.

    Now, when at the end of a dialogue they ask me when to call back, I ask why. And the person is lost.

    More holes


    Data can leak from the funniest places. For example, freelance exchanges seem to have been broken into a couple of times with leaks of personal data. Somewhere on the sites, moderators watch the correspondence between users. Plus a bunch of similar jokes in random unexpected places. For this, I love the Soviet-language scheme on Vkontakte:



    It does not let you relax.

    But on the other hand


    Sometimes you need to look into the spam folder. Facebook, for example, has since March painstakingly filtered out all the appeals of journalists and various people writing to me in private messages, and decided not to show them. I saw this only a week ago and was mildly shocked at how much had gone by.
