The link is malicious, designed to redirect the person’s web browser (that is, to send it to an unintended, unwanted, unknown or undesired web page) to a phony website that is malicious in nature and seeks only to execute commands for clandestine purposes. The typical outcome is the installation of some form of malware (keylogger, virus, Trojan, browser hijacker, remote access backdoor, network and password sniffer, data extractor, ransomware, and much more) on the user’s computer, keeping in mind that the user clicked on the link.
In this case, it is likely that a remote access Trojan with keylogging capabilities at minimum, and possibly network sniffing capabilities, was installed. It captured the user’s keystrokes, thus obtaining the username and password, and also trawled network traffic to harvest other accounts (usernames and passwords) that might hold higher-level administrative permissions, in case this particular user did not have such broad access.
Simply stated, the user was the victim of a social engineering attack: the user clicked a compromised (malicious in nature) link, which can cause a serious network, data and information security intrusion for the entire organization and not just that particular computer, because the remote access and data trawling capabilities alone let the attacker take any and all desired information first and decide later how sensitive it is or what its true value is to the breached organization.
In its simplest form, the social engineering was accomplished with a malicious link sent to the user and the user clicking on that link. The supervisor mentioned clicking on the URL within the email, because the supervisor was answering a supposedly legitimate email about a reported web page error; the link simply took the browser to a web page that rendered seamlessly without any obvious error. That is the clue that the supervisor was redirected to a web page that merely appeared to be the genuine web page but was actually a malicious copy of it.
As a result, malware was installed that gave the unknown attacker access to that computer through a remote access Trojan and data crawler, which offered 24-hour administrative (the highest level of permissions) access, especially while that user was asleep, to that computer and ultimately to the entire network infrastructure.
Since supervisor email addresses are not made public, it is possible that the attacker corresponded by email with an employee while posing as a customer, perhaps pretending to be irate and unsatisfied, and obtained the supervisor’s email address by causing anxiety in the unsuspecting employee over an “escalated” situation. Another possible method is a phone call from a supposedly frustrated customer who requested the supervisor’s contact information, perhaps the name and work phone number, demanding to communicate only with the supervisor.
Additionally, one can pretend to be from the State Attorney’s office or the Better Business Bureau, without actually identifying oneself, and suggest an investigation of unresolved customer complaints and/or disputes.

SECURITY RECOMMENDATIONS CHECKLIST

1. Remove admin-level permissions from all user accounts, changing them to user-level permissions only, which will prevent applications (and yes, Trojans and other malware) from launching, since most applications require admin-level permissions to execute.
2. Install anti-malware software with real-time protection and malicious website blocking (e.g. Malwarebytes).
3. Install antivirus software (e.g. McAfee AV or ESET) with real-time protection, or an internet security suite for a greater range of protection (Symantec Internet Security).
4. Activate the OS built-in firewall to prevent or minimize intrusion insertion and activity.
5. Install a robust hardware firewall with comprehensive AV/anti-malware protection, along with IDS/IPS (intrusion detection/intrusion prevention) mitigation capabilities and enhancements, allowing for access control lists (ACLs), whitelisting, blacklisting and other blocking.
6. Subscribe to an email blocking and content filtering service (e.g. Postini) or a Proofpoint appliance that can block malicious attachments, block emails matching certain content criteria, prevent abnormal web browser redirects, warn the user of a potential download (giving the user that last chance to say no), and is highly customizable against all kinds of email-related social engineering and phishing campaigns.
7. Develop a network domain capability (Group Policy or WSUS) to ensure that OS and web browser updates are automatic and timely.
8. Develop a Group Policy construct that tightens workstation security so that only authorized applications can execute.
9. Develop a Group Policy construct that strengthens overall workstation security, including ensuring workstations subscribe to pre-configured security settings pushed to them, reducing authorized users to user-level permissions, and strengthening web browser security.
10. Disable the default Administrator account on all workstations and servers (again, via Group Policy).
11. Subscribe to log event management, alerting, analysis, remediation and reporting software (e.g. GFI EventsManager or SolarWinds Log and Event Manager).
12. Develop annual, required information security awareness training organization-wide with strong emphasis on social engineering and email phishing techniques.

MOCK UP: HOW I WOULD TEST THE ORGANIZATION’S VULNERABILITY TO SOCIAL ENGINEERING TECHNIQUES

EMAIL PHISHING

I would send a series of emails to a randomized sample of individuals within the target organization. The series of emails would hold randomized content as well, so as not to alert people within a division to having received the same email, which would easily be surmised as a potential bad email.
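Returning to checklist items 1 and 10 above (user-level permissions for everyday accounts, and disabling the default Administrator account), here is an added PowerShell audit script, not part of the original write-up, that shows what enforcing those two items looks like on a single Windows workstation. The approved admin group names are placeholders; the script assumes the built-in LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and an elevated session.

```powershell
# Added example (not from the original write-up): audit the local Administrators
# group, strip admin rights from anyone not on the allow-list (checklist item 1),
# and disable the built-in Administrator account (checklist item 10).
# Assumption: $ApprovedAdmins holds the organisation's own allow-list; the names
# below are placeholders for a hypothetical CONTOSO domain.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$ApprovedAdmins = @("CONTOSO\Domain Admins", "CONTOSO\Workstation-Admins")
)

$report = [ordered]@{ Removed = @(); Kept = @(); BuiltInDisabled = $false }

# Enumerate everyone who currently holds local admin rights on this workstation.
$members = @(Get-LocalGroupMember -Group "Administrators")

# Safety check: refuse to run if none of the approved admins are present, so the
# script can never leave the machine with no administrator at all.
if (-not ($members | Where-Object { $ApprovedAdmins -contains $_.Name })) {
    throw "No approved admin account is a member of Administrators; aborting."
}

foreach ($m in $members) {
    if ($ApprovedAdmins -contains $m.Name) {
        $report.Kept += $m.Name
        continue
    }
    # Item 1: the everyday user account (or anything else not approved) loses
    # admin rights and is left with a standard user-level profile.
    if ($PSCmdlet.ShouldProcess($m.Name, "Remove from local Administrators")) {
        Remove-LocalGroupMember -Group "Administrators" -Member $m.Name
        $report.Removed += $m.Name
    }
}

# Item 10: disable the built-in Administrator account. It is located by its
# well-known relative identifier (RID 500) rather than by name, because the
# account may have been renamed.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like "*-500" }
if ($builtIn -and $builtIn.Enabled) {
    if ($PSCmdlet.ShouldProcess($builtIn.Name, "Disable built-in Administrator")) {
        Disable-LocalUser -Name $builtIn.Name
        $report.BuiltInDisabled = $true
    }
}

# Emit a summary object so the result can be collected by the log management
# tooling recommended in item 11.
[pscustomobject]$report
```

Run it with `-WhatIf` first to see which accounts would be affected before making any change; for fleet-wide enforcement the same settings belong in Group Policy, as the checklist notes.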
Various email content would include invoice payments, IRS refund notifications, winning a free gift, shipping verification, valued customer notices, invoice confirmation (“see attached”), account expiration due to inactivity, account validation due to a possible security breach, and others. This is a campaign that I would run over a period of as little as a week, but ideally over four weeks, so that stakeholders can see the frequency of such emails as they arrive every day and notice how often users fall for them, placing the organization in continuous susceptibility to breach.
Ultimately, the results would be reported to stakeholders so that they may decide the next course of action upon reading the comprehensive report.

PRETEXT PHONE CALLS

I would make various calls designed to get targeted individuals at the organization to become familiar with me and to develop enough of a relationship that the targets trust me enough to offer certain sensitive information.
Any information I get is useful information, for it offers a conduit to more information for the purpose of executing the next stage of the intrusion. The unsuspecting targets are unaware that the phone calls are nothing more than a ruse to obtain login credentials, network information, usernames and passwords, actual intellectual property, and much more. In one example, I would call as though I am from IT and need to verify that an account has been properly closed (or changed), and have that person offer login credentials to test on my end.
In another example, I can pretend to be the IT security vendor doing routine testing of random accounts to make sure configuration changes have not affected accounts in the target’s division (e.g. Fiscal), and hence need that person’s login information. Or I can pretend that I am from IT, have notification of a security breach of the target organization, and need that person’s account information and that of others on the floor so I can change the passwords or provide temporary logins for everyone.
PHYSICAL SECURITY

I would pose as a contractor or valid (authorized) vendor for the organization. I can simply come to the organization and talk to an unsuspecting targeted employee about a supposed survey on the effectiveness of “our” customer service, products and services, striking up a conversation with the target in hopes of obtaining sensitive information, or offer free USB flash drives, which the target does not know are loaded with hidden malware designed to infiltrate the network and provide me administrative account access permissions and 24/7 remote access capabilities.
Now the target is doing the work for me by distributing the malware-laden flash drives. In another instance, I can pose as a vendor endeavoring to earn the target organization’s business, so I offer a verbal spiel about the products and/or services of my organization. I already expect that the persons to whom I offer my “sales pitch” will refuse for now, and then I can offer promotional flash drives, DVDs/CDs and even USB hubs that contain hidden malware designed to execute upon detecting the network.