Lies and smokescreens.  Maybe.

The names, companies, and domains in this blog entry have been changed
because…well…that’s what you’re supposed to do when you recount
stories like this that involve questions about cracking (what some call hacking) and social engineering.
And I’ve paraphrased the conversations to spare you the length, but I
haven’t changed any meaning inside or embellished what is already a
great story.

To explain, social engineering is a technique that Bad People use to
gain access to resources they shouldn’t have.  It’s easier to
trick a person into giving up access than it is to crack/hack a secure
computer system.  We have excellent policies and procedures in
place to keep that risk at a minimum, but it's time for the story…

The Story

Just over three weeks ago, someone submitted a support request form
using our website.  It said, "Hi, I’m Linda Lewis from Borrower’s
Select in Australia and I am the director of the company.  For
many reasons, I need you to reset all of the email passwords for
mailboxes on our account and only send the new password information to
me.  Jake Johanson is no longer an employee, so please only take
instructions from me."  Her contact information included a phone
number and a Hotmail email address.

The support form Linda used can be accessed by anyone on the
Internet.  Hotmail accounts are free and used by spammers and
crackers all the time.  The phone number didn’t match what was in
the billing info for Borrower’s Select, and Jake Johanson was listed as
the primary contact for the account.

Well, we figured it probably wasn’t a legitimate request.  Kyle, a
member of our support team, sent a reply to her Hotmail account and
said, "For security reasons, we need support requests such as this one
to be submitted using the secure help form found in your administrative
control panel.  If you don’t have access to the control panel, we
will need you to verify detailed information from your current billing."

15 hours later (she’s in Australia), she replies to tell us not to take
instructions from Jake; she is concerned he might have access to email
accounts that he shouldn’t.  She also includes the detailed
billing information we requested.  Information that *doesn’t*
match what we have on file for Borrower’s Select.  We immediately
respond that it doesn’t match and might she have other billing
information handy?

For more than 2 weeks, we can never reach her by phone at the number
she has provided or at the main business number we have on file.
She sends us to a government website to confirm her position with the
company but the site is first down for maintenance and later says that
there is no such company!  And the faxes she says she’ll send
never materialize.  It seems extremely unlikely that she is who
she says she is.

I am very uncomfortable at this point.  Are we just letting
someone "social engineer" us by pretending to be someone she
isn’t?  If we keep giving her opportunities, she might eventually
find a way to convince us that she’s legit.

Almost three weeks after her first email, she successfully faxes us some specific documentation.

We have a faxed copy of some identification along with some company and government documentation about her position.  A
quick check reveals that the government website she had directed us to
use earlier really points to a New Zealand subsection of the Australian
Business Number registry, and we confirm the information in the fax
with the proper part of the ABN site.  Her fax gives us two
numbers: the number she had provided before and another number we have
never seen before, but this sort of makes sense if there have been a
lot of changes at the company.

Is it OK if I still had a few doubts?  We hadn’t reached Linda or Jake at the main business number on file, though when we had spoken with people at the number it seemed like Linda did work there.  I changed the email admin password and Jake Johanson’s
password.  I figured that if Jake had really left the company he
probably wouldn’t notice.  But if Jake was still an employee or
was still watching the email address, he would contact us pretty
quickly and I might get a little more information.  I tell Linda
on Monday of last week what I’ve done, but I don’t give over the
passwords.  I ask what she would like me to do next, hoping that things either settle down or that
Jake will be in touch soon and I’ll know more.

She emails back at 2:30 am Tuesday morning, reiterating her request to
change all email passwords and give them to her.  Still wanting a
bit of delay before we change *all* of the email account passwords, we
send her a new admin username and password and explain how to edit
mailbox accounts.  I know, bad customer service, but I’m nervous
that something still isn’t right.  I figure it will take her
longer to change all of the passwords than it would take us.

Guess who else emails us on Tuesday?  Jake uses the public support
form to ask for help getting into his email.  We try to stay
neutral: we advise him to contact his email administrator.  On
Wednesday he submits another form, saying that he can’t get into the
control panel (we did change the password).  And he asks us to
email him back at another account at Borrower’s Select.

I have an uh-oh moment.  Linda specifically said that she was
worried that Jake had access to other accounts.  She clearly
hasn’t changed any other passwords.  Linda’s position and concerns now seem fully validated.  So we jump in and change them all lickety-split, and
send her an email letting her know.  We tell Jake again to go to
the official email admin for their domain.

Jake submits another request, this time to our sales team.  But he
gives his contact number: it’s the original number from our billing
system.  What is going on!?!  OK, I think, maybe it’s his cell
phone and he took it with him when he left the company.  I go to
their website.  Well, unless they decided to put his cell phone
number all over the website and integrate it into some flash demos, the
number is good.

I look back at the fax we received from Linda, desperately seeking
reassurance that we didn’t give access to a socially maladjusted
14-year-old named Timmy with nothing better to do.  Please don’t
let Linda really be Timmy!

Up at the top of the fax sheet, where the sending fax machine puts its
number and other info, it says that the fax was sent from Ocean Century
Realty.  I’m starting to stress out.  I look up the Realty
company’s website and find that the number for the Realty place is one
of the two numbers Linda put on her fax that didn’t match anything we
had on file.  I get in touch with our after-hours staff and we
agree that it’s time to change passwords to something only known to us
while we sort this out.

I tell myself, "Maybe there are two company names for the same
place."  So I call the Realty number (it’s late EDT but mid-day in
Sydney).  The man who answers the phone has no idea who Linda
Lewis is.  I’m feeling sick to my stomach at this point, but I’m
glad that we’re changing the passwords so that little Timmy/Linda can’t
do any more harm.  But it does seem strange that Timmy/Linda
didn’t use the email admin username and password we gave him to really
take over the account when he had the chance.

So I call the main business number, the one on the website, the one
Jake sent to us but that Timmy/Linda never mentions in all the emails
we received.  I ask for Linda Lewis and am told, "She’s not in the
office. Would you like to leave her a voicemail or call her on her
cellphone?"  Timmy/Linda must have counted on us to not reach the
real Linda at the main line, which we had tried previously with no
success.  I ask for and am given her cell phone number.  It
looks familiar.  It matches one of the numbers Timmy/Linda sent
us.  Looks like Timmy was feeding us some very real information on
Linda, but somehow got a copy of or faked Linda’s identification and some other official documents.  "Oh
well, we did our best," I think.

I sit and ponder our existing policies, wondering what I can do to
strengthen them.  Heck, we did try the main business number several times a few weeks ago and we had a copy of all of the needed official documents and independent verification of those docs on a
government website.

I call back to the main number for Borrower’s Select.  I ask for
Jake Johanson and leave him a message.  I figure that any Jake and
Linda I can reach through this main office phone number pretty much
have to be good contacts at this point.  He calls me back a few
minutes later and says, "Yeah, we’re having trouble with our email,
nobody can get in."

Just in case, I reply, "Yes.  Linda Lewis contacted us a few weeks
ago and recently asked us to change all of the passwords."

"Oh," is his response.  "Well, we need access again so that we can get our emails."

I think it’s strange that he didn’t react to that a little bit more than
he did.  "Can you think of a reason why Linda might ask us to do

"She doesn’t work in this office any more.  She is at a new location.  But we’re all here still and need our email."

"Is Linda the person in charge of email for Borrower’s Select?" I ask.

"Yes.  We have a new name here now.  But we still need to get to those emails."

The scattered pieces in my brain come together, finally.  It’s all
clear now.  The website hasn’t been updated yet–the change was
just a few weeks ago.  The phone number is still connected at the
original office site.  When I had called asking for Linda before,
they had politely and professionally given me her cell number without
getting into messy details about her taking the original company name
to a new place while at least a few of her coworkers remained at the
old location with a soon-to-be new name. 

There was never a kid named Timmy trying to steal email away from one of our customers.

"I’m afraid that we can’t do that for you.  Requests for the
Borrower’s Select domain name will have to come from Linda now", and I
politely end the call.

That was last Wednesday near midnight.  We’re still going to go over
our authentication and authorization policies and look for holes in
the armor, even though we were right when we gave access to Linda.
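The checks the support team actually applied during this story (which channel the request came through, whether the requester is the contact on file, whether the reply address is on the customer's own domain or a free webmail service, whether the phone number matches the billing record, and the rule that a callback goes to the number on file rather than any number the requester supplies) can be written down as a small triage routine. The following is an added illustration, not Rackspace's or the author's code; the account record, the sample request, the domain, the phone numbers and the list of free webmail providers are all constructed for the example.

```python
"""Triage of a password-reset request received by a hosting provider.

Added example, not the author's or Rackspace's code. Every name, number,
domain and the FREE_WEBMAIL_DOMAINS list below is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed list of free webmail providers; in practice, load from your own data.
FREE_WEBMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com"}


@dataclass
class AccountRecord:
    """What the provider already holds for a customer account."""
    domain: str              # customer's own mail domain
    primary_contact: str     # contact name on file
    billing_phone: str       # phone number from the billing record
    billing_address: str     # postal address from the billing record


@dataclass
class ResetRequest:
    """A password-reset request as received."""
    channel: str             # "public_form" or "control_panel"
    requester_name: str
    reply_email: str
    phone: str
    claimed_billing_address: Optional[str] = None


@dataclass
class Decision:
    action: str                            # "approve", "verify_out_of_band" or "deny"
    reasons: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None  # always the number on file, never the requester's


def normalize_phone(number: str) -> str:
    """Keep digits only so that spacing and punctuation differences do not matter."""
    return "".join(ch for ch in number if ch.isdigit())


def triage_reset_request(account: AccountRecord, request: ResetRequest) -> Decision:
    """Decide what to do with a reset request and record every red flag seen."""
    # An authenticated channel already proves control of the account.
    if request.channel == "control_panel":
        return Decision("approve", ["submitted through the authenticated control panel"])

    reasons = ["submitted through the public, unauthenticated support form"]
    if request.requester_name.strip().lower() != account.primary_contact.strip().lower():
        reasons.append("requester is not the primary contact on file")
    reply_domain = request.reply_email.rsplit("@", 1)[-1].lower()
    if reply_domain in FREE_WEBMAIL_DOMAINS:
        reasons.append("reply address is on a free webmail service")
    elif reply_domain != account.domain.lower():
        reasons.append("reply address is not on the customer's own domain")
    if normalize_phone(request.phone) != normalize_phone(account.billing_phone):
        reasons.append("phone number does not match the billing record")
    if (request.claimed_billing_address is not None
            and request.claimed_billing_address.strip().lower()
            != account.billing_address.strip().lower()):
        reasons.append("billing details supplied do not match our records")
        # A wrong answer to the billing question is a failed verification attempt.
        return Decision("deny", reasons)

    # Anything from the public form is verified out of band: a call placed by us
    # to the number on file, never to a number the requester supplied.
    return Decision("verify_out_of_band", reasons, callback_number=account.billing_phone)


def credential_delivery_address(account: AccountRecord, requested: str) -> Optional[str]:
    """New credentials go only to an address on the customer's own domain."""
    domain = requested.rsplit("@", 1)[-1].lower()
    return requested if domain == account.domain.lower() else None


if __name__ == "__main__":
    # Constructed sample modelled on the first request in the story.
    account = AccountRecord("borrowersselect.example", "Jake Johanson",
                            "+61 2 5550 0100", "1 Example St, Sydney")
    request = ResetRequest("public_form", "Linda Lewis",
                           "linda.lewis@hotmail.com", "+61 2 5550 0199")
    decision = triage_reset_request(account, request)
    print(decision.action, "-> call", decision.callback_number)
    for reason in decision.reasons:
        print(" -", reason)
```

Run against the constructed sample, the routine does not refuse the request outright; it lists the same four signals the team noticed and insists that the verification call be placed to the billing number, which is exactly the step that, weeks later, untangled the story.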

It has been a lot more fun to tell this story than it was to live it!


Kirk Averett is the senior director of product for Cloud Office at Rackspace.
