.

Failed SE Pen Test Proves Credit Union Reacted Properly

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Sep 03, 2009 7:57 am

Failed SE Pen Test Proves Credit Union Reacted Properly


A socially engineered penetration test of a credit union's computer system went awry last week, resulting in the issuance of a fraud alert from the agency that supervises federal credit unions. 

Security testing organization MicroSolved sent a package to a credit union client last week, containing a fraudulent letter seemingly coming from the National Credit Union Administration (NCUA). Also contained in the package were two CD-ROMs, part of a penetration test, MicroSolved said in a blog post Friday. But, on the day the package was received, the person responsible for the test was out of the office. So the employee who received the suspicious letter, which bore a NCUA logo and the bogus signature of former Chairman Michael Fryzel, reported it to the NCUA fraud hot line.

On being notified of the suspicious letter and CD-ROMs, the NCUA issued an alert last Tuesday, warning all federal credit unions of the potentially dangerous disks. NCUA's alert warned that the bogus letter directed recipients to run the educational CD-ROMs, but doing so could potentially result in a security breach.

MicroSolved said that the disks contained “simulated malware,” which is safe, does not propagate and is used for testing purposes. In a news release Friday, the NCUA said the incident was isolated to one credit union, and no others should have received the package

“This was a controlled exercise in which the process worked,” MicroSolved said in its blog post. “The social engineering attack itself was unsuccessful and drew the attention of the proper authorities. Had we been actual criminals and attempting fraud, we would have been busted by law enforcement.”

In addition, though the outcome of the test was unintended, the employee's reaction to the suspicious package was exemplary, MicroSolved said. The employee followed proper incident response processes by reporting the suspicious package to the hotline.

"That the intended contact was not there made this a real world test," Randy Abrams, director of technical education at ESET, wrote in a comment on MicroSolved's blog post about the incident. "The employee who blew the whistle should be congratulated on a job well done. The fact that the alert went out means that many more people were educated against one potential attack vector.”

Abrams told SCMagazineUS.com on Monday that those who trained the employee "deserve kudos as well."

But not everyone has been as enthusiastic about the test. While MicroSolved said in its blog post that the NCUA, "understood the situation and seemed appreciative of our efforts," the NCUA said in its own news release Friday that the penetration test resulted in the “unauthorized and improper use of the NCUA logo.”

“Credit unions are not authorized to create facsimile documents bearing NCUA logos or signatures, or to improperly represent communications from NCUA, even during the legitimate conduct of business, such as a computer security assessment,” the organization said.

In addition, another commenter on the MicroSolved blog wrote, "I wonder if spoofing NCUA is the best idea. I know that I would not be happy if I found out that a company was pretending to be us to fool someone into responding to a social engineering attack."



Original story:
http://www.scmagazineus.com/Purported-m ... le/147777/

Don
CISSP, MCSE, CSTA, Security+ SME
<<

LSOChris

Post Sat Sep 05, 2009 9:34 am

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

finally  a ray of hope for both SE pentesting and that users can be trained to react appropriately
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Sun Sep 06, 2009 1:58 pm

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

Does someone know any statistics showing how much such attacks actually work and how often people react correctly? Pretty sure that the outcome would be more than 10:1 for successful attacks. Quite frightening when one think about it..
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sun Sep 06, 2009 2:50 pm

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

Awesec,

I've been playing around with some similar attack vectors for some research I'm doing for a potential presentation in this are. Whilst I haven't been in a position to 'officially' put this and similar vectors to the test, from my limited workings I'd suggest 10:1 success ratio is being VERY kind to end users.

More like 9/10 success from my findings, most people just don't consider this vector as a threat. When I discussed the initial report of the attack on SANS ISC before it was released that this was a pentest, I actually got a comment of 'why would anyone go to that expense?'; a blank CD and postage stamp seems like a small expense to get a foothold in a banking network to me...

Anyone else got more trustable (is that a word?) findings?
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Sun Sep 06, 2009 3:00 pm

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

With 10:1 I meant that at least 9 such attacks are successful and only one get recognized as such. Probably I explained myself wrong, sorry. ;)
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sun Sep 06, 2009 3:34 pm

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

This is slightly off topic, but not exactly:

I am a horrible actor and half the time I can barely contain myself from giggling when I attempt social engineering.  Needless to say, I am not very successful at it.  :)  Has anyone considered or has taken some acting lessons at a local art school?  If anyone has taken acting lessons did your employer pay for the courses?
~~~~~~~~~~~~~~
Ketchup
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sun Sep 06, 2009 3:54 pm

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

Excellent point. I haven't taken acting classes as part of my career development as you ask. But I did a lot of acting in HS and College. I have also done more than my fair share of public speaking. These skills are essential to successful SE attacks, whether it comes naturally or through training.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sun Sep 06, 2009 4:12 pm

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

Awesec, looks like this one has been lost in translation and we're on the same page then :)
<<

LSOChris

Post Mon Sep 07, 2009 1:54 pm

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

awesec wrote:Does someone know any statistics showing how much such attacks actually work and how often people react correctly? Pretty sure that the outcome would be more than 10:1 for successful attacks. Quite frightening when one think about it..


it would be hard to get those numbers and it would most certainly be different by type of organization
<<

Xiv

Newbie
Newbie

Posts: 3

Joined: Thu Aug 06, 2009 1:44 am

Post Tue Sep 08, 2009 7:18 pm

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

Great find Don!

It's fantastic to read about the outcomes from real life pentests, and as ChrisG pointed out, its excellent to see users reacting to potential threats accordingly!

Keep up the good work :)

Xiv
<<

CadillacGolfer

Newbie
Newbie

Posts: 36

Joined: Thu Dec 14, 2006 1:58 pm

Post Fri Sep 11, 2009 12:54 pm

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

"“Credit unions are not authorized to create facsimile documents bearing NCUA logos or signatures, or to improperly represent communications from NCUA, even during the legitimate conduct of business, such as a computer security assessment,” the organization said."

yeah, I'm sure real bad guys will honor the logo copyright  ;)
<<

dmdcissp

Newbie
Newbie

Posts: 1

Joined: Wed Sep 23, 2009 9:51 pm

Post Wed Sep 23, 2009 10:00 pm

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

I work for a mid-sized credit union and we had our first social engineering test which was a combination of vishing / phishing and the CEO fell for it, hook, line and sinker along with 10 other employees. Hopefully they will all learn from it.
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Sep 24, 2009 2:47 am

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

dmdcissp wrote:[...]the CEO fell for it, hook, line and sinker along with 10 other employees. Hopefully they will all learn from it.


Depends where the power lays. If the CEO's word is final than unfortunately this will likely get swept under the carpet to avoid embarrasment. Is a good test though and shows how effect these vectors can be.
<<

Tails502

User avatar

Newbie
Newbie

Posts: 4

Joined: Tue Mar 16, 2010 3:05 pm

Location: B.A. Oklahoma

Post Sun May 30, 2010 10:02 am

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

woah, thats an eye opener :o where i work we have fedex and UPS in all the time, scary how effective this venue could be
A+, studying CEH
<<

secureseve

User avatar

Jr. Member
Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Tue Jun 01, 2010 12:36 pm

Re: Failed SE Pen Test Proves Credit Union Reacted Properly

I'm still working on other forms of hacking, but I sitll know the basics of SE, but mostly from a non-physical vector. But have any of you hired a woman to perform such tests? I believe from my college 101 psych class ages ago, women have a higher chance of influencing both men and women.
http://twitter.com/mikesantillana
eLearnSecurity Team Member.
Next

Return to Social Engineering

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software