[70] Would You Click This Link?

  • Published 26 Mar 2021
  • In this video we go through just how easy it is to spearphish based on real life events.

COMMENTS • 45

  • @ryanwilson_canada 3 years ago +22

    Thank you sir. Showed the video to my 13-year-old son because he is not yet familiar with this subject. He was sort of shocked how easy it can be. I've known it for years. That said, I grew up with the beginnings. He has just always had high speed wireless interwebs. So anything I can show him how to protect himself is great. I may or may not have taught him how to use my picks. That's only because I trust him to use them responsibly and for the correct reasons. Also he has to ask me for them if he wants to play. They are kept out of reach and only in my control. Hope everyone is staying safe and taking care.

  • @cursedvoid 3 years ago +30

    The attacker started by building up rapport as a customer, asking about low-expense items and asking for a quote on them, then continuing to ask for more, higher-priced items, making their interaction more valuable to the victim of the attack. After that the attacker moves forward by asking for custom manufacturing of an item, building up even more rapport as you talk to them over the phone; for most custom manufacturing jobs you need custom plans. The attacker "draws up" some plans, lacing the download link/file with the malicious code, and there you have it: corporate espionage at its finest.

  • @JohnnyQuickdeath 3 years ago +21

    The only acceptable kind of clickbait thumbnail

  • @dragonbait1 3 years ago +21

    Some mitigation:
    One Deal at a time. Close the simple request, get payment, ship product, begin next request. There were 3 sales in the email chain, and if the requests were genuine, they'd (probably) be OK making the first purchase and second purchase before the file back and forth that led to the compromise. Adding more and more onto an existing order was a warning flag to me.
    Counter-Research. As deals get bigger, especially custom order deals requiring engineering time and possibly tooling etc, researching the buyer, looking up phone numbers, looking for public records of the buyer should be par for the course.
    The attacker used simple greed to override good sense. We all want that big commission, but the opposition knows that. They have no intention of buying, so racking up a huge shopping cart means nothing to them. Don't get blinded by the numbers. In fact, get more suspicious the bigger the order, especially from new contacts with no payment history.

  • @IMJustSomeGuy100 2 years ago +1

    Now some of those junk emails I get make sense. I knew not to reply but did not know how they worked. Thanks

  • @case5585 3 years ago +5

    I can totally relate to how this could happen. While my work is more technical in nature, I am often dealing with multiple vendors, requesting either whitepapers for products or quotes, and at times my requests are answered by alternate sales staff. With the time frames of projects being so tight and everyone needing their stuff yesterday, something unexpected could totally slip by if we were not already scanning inbound attachments.

    • @amihirata 3 years ago +3

      It happens all the time. Attackers will always take advantage of those who don't know as much or are just trying to be helpful.

  • @qloshae 2 years ago +2

    Not exactly related other than how easy it can be for someone to exploit bad security structure in a company, especially if combined with the power of coincidence.
    So, I know someone who used to work in a company as the only person in the finance department, with a very high workload. Their boss would sometimes see something they wanted to buy through the company and would just email them to transfer some money to some account. Now, this person is by no means the "don't know computers" kind of person, but one of these times, when she was writing up the monthly financial reports (extremely high workload), she got another email from her boss asking her to once again transfer some money to some account. The email looked legit and didn't deviate from what he usually sends, so she sent over the money. He wasn't in the office either, so it wasn't like she could walk over to confirm, and she was also extremely stressed due to the reports. Either way, a bit later it turned out that the email was from a scammer who had made their email look like that of her boss (unless you clicked to expand the view of the address). Since no one in the company structure, not even the security expert they had hired to oversee their security, seemed to have realized that maybe it was due to shit security procedures, she ended up getting a ton of hate and had to quit her job.
    No one thinks they're "that person" until they are "that person."

  • @adammorris8112 3 years ago +4

    Of course I would click the link... 🙄
    Clearly the real solution is to be anti social and never deal with anyone else in your work. 😀
    As was pointed out this person kept on ratcheting up the interest but without ever actually buying anything. If possible I would try and organize a face to face meeting (preferably at their location) to discuss exactly what could be done for them, and to get some sort of assurance that they aren't just trying to pick our brains.
    Of course with sufficient reward the "customer" might even purchase some items, and set up a dummy front so that you do accept the emailed documents. The question is always going to be how much is it worth to them (and you)

  • @notfeedynotlazy 2 years ago +3

    That _exact_ kind of attack is incredibly easy to avoid: open all documents with a program that can view the contents but is unable to execute code. Like the image preview mode of several image editing software, which will show you a PDF or DOC all right. Of course, that doesn't work for _other_ kind of attacks...

  • @chasengrieshop 2 years ago

    LOL @ "well, that's not my problem. I'm on the red team."

  • @capnam_12 3 years ago +2

    Great video!

  • @NevtiqvamErro 3 years ago +3

    I'd take a look at the link, if I was super curious I'd click it too, cuz I use several really hardcore scriptblockers with whitelists, so there is little to no risk of a site being able to action anything malicious on my machine. As far as laced files go, it's good to be wary of filesizes on a windows PC, or even have your sales staff on a VM setup if you are really paranoid. And, as always, definitely don't download and run sketchy unsigned .exe's.
    Really, in this case where a rapport has been built and the attack is coming from an innocuous vector, mitigation via IT protections such as VMs or highly segmented network structures would have to already be in place. If something like this isn't planned for, it'd be a hindsight sort of situation because it's not the most common attack.

  • @ehrichweiss 3 years ago +2

    I will click on them but I'm using Linux and have plenty of preventative measures to make sure nothing of consequence happens. I mean, I always keep the attitude that everyone is equally as crafty as I am and as such treat pretty much all interactions the same.

  • @marcinlepieszka4561 3 years ago +5

    0:05 when I saw this link, I intuitively hovered my mouse over it

  • @sevro 3 years ago +10

    So then the question stands: as a relatively non-tech-savvy person (as you might expect in a Sales Manager role), do you then, going forward, never open a document that a customer sends you (even if it were genuine)?
    At what point does the onus come onto companies to have sufficient protection on their network/user systems to prevent this attack?

    • @ZiggityPow 3 years ago +3

      Why must the onus be fully on one or the other? There should be multiple layers of controls in place to prevent this. This is called "defence in depth". At some level security is everyone's responsibility. Cybersecurity insurance policies typically include a requirement that the business have regular security training for users not just pentesting and audits.

    • @sevro 3 years ago +3

      @@ZiggityPow That is all very well however the customer is presenting as very genuine, therefore opening the offending document is likely to happen regardless, there should be adequate defences in place to render this approach useless. You might very well teach someone to be wary and to suspect everything but then how do they continue about their business as normal? They would have to run the attachments through software to determine if it is genuine (at which point this should be automatically done on mail server level). If the software is unable to detect the code then surely it becomes irrelevant as to what the person did? They have to be able to read revisions that customers send them at the end of the day.

    • @ZiggityPow 3 years ago +4

      @@sevro This is all hypothetical, so we don't know. Security is ultimately a balancing act. Risk is likelihood times impact. Lost business costs from the mitigation should not exceed the value of the risk. Risks can be mitigated, accepted or transferred. Residual risks, or those with low likelihood but high impact, are typically transferred with an insurance policy. The willingness to accept risk in pursuit of one's goals is known as "risk appetite". The answer here is: it depends on the risk appetite and enterprise environmental factors. If this is a concern at your business, I'd find a consultant with a CRISC certification to discuss this with.

    • @notfeedynotlazy 2 years ago +1

      Make it mandatory policy to have PDF readers and word processors set to "do not execute any code". Presto. (Which they should be anyway, to prevent viruses, but that's another matter...)

  • @PocketWomen 3 years ago +3

    Being computer illiterate, I found this video very interesting. How is a company supposed to do business when the computer contact turns into a real phone conversation and then the attack happens, after trust was built up? I think the only way to prevent this attack would be at the computer stage. The sales person would never be trained well enough to spot the fraudulent customer.

    • @amihirata 3 years ago +6

      Spearphishing is a hard attack to prevent when done properly. At an advanced level the attacker will most likely get in, and it's the job of the blue team / IT team to properly implement network security features such that once access has been granted to the attacker they can't exfiltrate the critical assets of the company.

  • @PNCNDNOB 3 years ago +2

    Yes i go to the library and open it there

  • @braccoz 3 years ago

    In it for the long game...

  • @vicesmadonna8151 3 years ago +3

    Other than not clicking the link/pdf how can you prevent this? Especially with dealing with a potential valuable client who may or may not turn out to be the attacker.

    • @amihirata 3 years ago +4

      Layers of security. While the sales associate may not catch the threat, you should have IT systems in place such as network segmentation, monitoring, and preventative measures like SIEMs/IDS/IPS etc. Spearphishing is an attack which, when done properly, is hard for even the most security-conscious folk to prevent, and as such the network needs to be set up with proper principles and methodologies in place such that once the attacker gets access, they aren't able to rampage through the entire network.

    • @vicesmadonna8151 3 years ago

      @@amihirata cool thanks

  • @LockpickingsGal 3 years ago

    Awesome video!! Maybe lack of information. It doesn’t say why to click there

  • @SRTscout911 3 years ago +1

    Picking anything with 5 pins has gotten too easy. What would you recommend I go up to as far as security pins go? Up until now I have only done 4- and 5-pin locks, with the exception of the Sparrows 4-lock training pack.

    • @amihirata 3 years ago +2

      Are you picking stuff with security pins like the American 1100 and Masterlock 410? If so you can start to venture into higher security locks like Mul-t-lock or Schlage primus

    • @SRTscout911 3 years ago

      @@amihirata will do. Thank you sir.

  • @jaapaap123 3 years ago

    Of course I will click on that link. More often than not I get nowhere and receive an error message of some sorts.

  • @ahahaa1602 3 years ago +2

    I’d use wheregoes to see the real website hidden behind it

    • @amihirata 3 years ago +2

      wheregoes / virustotal are always good moves
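The "hover over it first" reflex mentioned in an earlier comment and the wheregoes/VirusTotal suggestion above are the same check: does the link go where its text says it goes? The Python below is an added example, not code from the video or from any commenter. It pulls every anchor out of an HTML mail body and flags the classic mismatches: link text naming one domain while the href points at another, a raw IP address as host, a punycode (xn--) host that the mail client would render as lookalike Unicode, and javascript:/data: URLs. The mail body is a constructed sample; example-parts.com and 203.0.113.7 are placeholders, and the registrable-domain logic (last two labels) is a simplification that a real gateway would replace with the public suffix list.

```python
"""Automated hover check for the links in an HTML e-mail body.

Added example for this comment thread; sample input is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# A host name as it appears in link text, with or without a scheme.
# \w keeps Unicode letters so lookalike (IDN) hosts are captured too.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def base_domain(host: str) -> str:
    # Assumption: the registrable domain is the last two labels. Real
    # deployments should use the public suffix list (co.uk, com.au, ...).
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html: str) -> list:
    """One finding per anchor; an empty reasons list means the link is consistent."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        reasons = []
        if href.lower().lstrip().startswith(("javascript:", "data:")):
            reasons.append("script/data URL")
        if is_ip(host):
            reasons.append("raw IP host")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host (renders as lookalike Unicode)")
        shown = HOST_IN_TEXT.search(text)
        if shown:
            shown_host = shown.group(1).lower().rstrip(".")
            if base_domain(shown_host) != base_domain(host):
                reasons.append(f"text says {shown_host}, href goes to {host}")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


def suspicious_links(html: str) -> list:
    """Only the findings with at least one reason, for a gateway verdict."""
    return [f for f in audit_links(html) if f["reasons"]]


# Constructed lookalike host: the IDN form of "exámple-parts.com" as a mail
# client would display it, encoded to the xn-- form that actually resolves.
LOOKALIKE_HOST = "exámple-parts.com".encode("idna").decode("ascii")

# Constructed sample mail body (placeholder hosts; 203.0.113.0/24 is a
# documentation range and routes nowhere).
SAMPLE_MAIL_HTML = f"""
<p>Hi, revised drawings for the custom bracket are here:
<a href="https://files.example-parts.com/quote/4471.pdf">files.example-parts.com/quote/4471.pdf</a></p>
<p>If that fails, use the direct link:
<a href="http://203.0.113.7/dl/drawings.pdf">https://portal.example-parts.com/drawings</a></p>
<p>Sign in to confirm the order:
<a href="https://{LOOKALIKE_HOST}/login">https://exámple-parts.com/login</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_MAIL_HTML):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The first link passes (text and href agree on example-parts.com); the second is flagged twice (raw IP, and the text names a different host); the third is flagged as punycode and as a text/href mismatch. Note what this does not do: it never fetches the URL, so it cannot unwind a redirect chain the way wheregoes does, and it says nothing about the attachment the link downloads.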

  • @Bug0xF4 2 years ago +1

    This video is less about spear phishing and more about a pdf reader 0day

  • @cate01a 11 months ago

    surprised just opening a pdf file can be dangerous? especially if it was 'green flagged' by gmail and possibly a company's firewall(?)
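The question above, and the earlier suggestions to open attachments only in a reader set to "do not execute any code", come down to what a PDF is allowed to carry: a document can declare an action that runs when it is opened (/OpenAction, /AA), that action can be JavaScript (/JavaScript, /JS) or a request to launch a program (/Launch), and the file can embed other files (/EmbeddedFile). The Python below is an added example, not code from the video or from any commenter; it is the same idea as Didier Stevens' pdfid, written out so the mechanics are visible. It triages a PDF's raw bytes for those names, undoing the #xx hex escapes PDF permits inside names (so /J#61vaScript is found) and inflating FlateDecode streams so names hidden in compressed objects are scanned too. The three PDFs are constructed inline for the demonstration; a hit means "active content, keep it away from a sales laptop", not proof of malice, since forms use JavaScript legitimately.

```python
"""Triage a PDF attachment for active content before anyone opens it.

Added example for this comment thread; sample PDFs are constructed.
"""
import re
import zlib

# Name objects that make a PDF do something on open: run JavaScript, fire
# an action on open or page events, launch a program, carry an embedded
# file or rich media, or use an XFA form.
ACTIVE_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA",
)

# PDF lets any byte in a name be written as #xx, so /J#61vaScript is the
# same name as /JavaScript. Undo that before matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every Flate stream so names hidden in
    compressed objects become visible to the scan."""
    parts = [data]
    for m in _STREAM.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed; the raw bytes are scanned anyway
    return b"\n".join(parts)


def scan_pdf(data: bytes) -> dict:
    """Return which active-content names occur, how often, and a verdict."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "hits": {}, "verdict": "not a PDF"}
    body = normalize_names(inflate_streams(data))
    hits = {}
    for name in ACTIVE_NAMES:
        # Require a delimiter after the name so /JS does not match /JSX etc.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", body))
        if count:
            hits[name.decode()] = count
    verdict = "quarantine: active content" if hits else "allow: static content"
    return {"is_pdf": True, "hits": hits, "verdict": verdict}


# Constructed sample: a minimal one-page PDF with nothing active.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: same skeleton, but the catalog fires an action on open,
# the page fires one on its /O (open) event, one action is JavaScript with a
# hex-obfuscated name, the other launches an external program.
ACTIVE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /AA << /O 5 0 R >> >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert("placeholder")) >> endobj
5 0 obj << /S /Launch /F (placeholder.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def flate_object(num: int, payload: bytes) -> bytes:
    """Wrap payload in a FlateDecode stream object (sample construction only)."""
    comp = zlib.compress(payload)
    return (b"%d 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % (num, len(comp))
            + comp + b"\nendstream endobj\n")


# Constructed sample: the JavaScript action sits inside a compressed stream,
# so a scan that does not inflate would call this file static.
HIDDEN_PDF = (b"%PDF-1.4\n"
              + flate_object(4, b"<< /S /JavaScript /JS (app.alert(1)) >>")
              + b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("active", ACTIVE_PDF), ("hidden", HIDDEN_PDF)):
        print(label, scan_pdf(pdf))
```

This is a byte-level triage, deliberately not a parser: it never interprets the object graph, so a reader bug in parsing cannot be triggered by it, and it runs happily at the mail gateway where the earlier comments wanted the check to live. Its limits are the usual ones for this approach: names inside streams compressed with other filters, or split across object streams, need a real PDF library to surface, and a clean result says nothing about exploits in the reader's image or font decoders.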

  • @WineZ22 2 years ago

    Wow. I like that response.
    🤣
    How to solve it?
    "well, it is not my problem. I am on the red team" 😅
    Yeah, spear phishing like this is definitely a dangerous attack pattern.
    Cyber security, much like physical security, is an interesting and growing field.

    • @SirSpence99 2 years ago

      Actually, I'd argue that is the wrong response. For one, not being willing to think up solutions means you aren't as likely to be prepared for them in the future. Two, "Oh? You want proposals for possible solutions? Let's draw up another contract that covers that." Three, letting them know that isn't a part of your contract but giving them a basic answer anyway is a *great* way not only to get them to like you more but also to make them more likely to recommend you. Most people don't know what they need when they purchase a service; they know what they want, sure, but generally *they* aren't the expert. When they are hiring you, they *should* be hiring you for your expertise, even on a meta level.

  • @nickgardner6340 2 years ago

    0:05 I tried

  • @Shagy1g 3 years ago +3

    What you describe here is 100% not the user's fault. Businesses need to communicate with customers, and this was not an unexpected attachment. This was abused, but it's not an education issue. If he was my user I would 100% be telling the CEO it's not his fault and that the AV and filtering were the weak link. Something similar did happen with some malvertising a few years back, and I defended the user when the business wanted him gone.
    What is the point of a RED team if you're not going to help the customer be more secure!?! You should absolutely care!

  • @tubeguy4066 3 years ago

    I'll empty my cookies first ;)

  • @mymorristribe 2 years ago

    I wish the whole world could see this video.