
What microattacks constantly hit the office: amateur social engineering and phishing



Hello!

We have a lot of contacts exposed to the outside world, including the founder's direct email and every department head's. And, of course, the office phone, the call-center contacts and all that. Receipts have the regional managers' phone numbers printed on them.

Accordingly, about 80% of this infrastructure is constantly under small, let's say household-grade, social engineering attacks. From innocent and even naive to damn inventive. Socially inventive, that is.

Common Attacks on Shared Contacts


As a rule, what a company exposes to the outside is an info@-type email address and the phone number of the office or online store. Every advertising agency, print shop, cleaning service and SEO specialist really wants to sell something to a more or less large business. So they take that phone number or address and simply fire off their proposal, hoping it will reach whoever it is meant for. Naturally, it lands exactly where it belongs: in the trash. Fortunately, offers of this kind all look alike and differ little from ordinary spam.


How to become a pharmacy chain in 5 minutes

The second level: all these lovely people who want to sell you something hire an external call center to make "cold" calls. This is a real spam industry. The sole purpose of such a call center at this stage is to get the name of the decision-maker and their contact details. And this is where the attempts to attack the secretary or the call-center operator begin.

Harmless option:
- Hello, is this the purchasing department? Oh, then please put me through to purchasing.

A slightly more complicated, childish but still working "ticking clock" technique:
- Good afternoon. The publication "Business Moscow". Today we would like to get a comment from your company's general or commercial director on sales performance in our region. Please connect me with him or give me his direct contact.
- ...
- How can I reach him? We need to do it today, before lunch.
- ...
- Thank you, and what is his name and patronymic?

Naturally, the correct reaction is to take the "journalist's" contact details and pass them inside, without letting the person get any further. Or point them at the public email address of the person they asked for.

The third level is when there has been some LinkedIn work or a study of the website beforehand. The call comes at 9:55 or at 18:05:
- Hello! Is Daniel in? No? Urgent question from Labean LLC about order 2512, give me his phone number, please.

And the most brazen option:
- This is Roskomnadzor, we have a couple of questions, get me a manager, urgently! You have 10 seconds to transfer me.
After the transfer it goes like this:
- Hello, Irina, Labean LLC. Tell me, what accounting system do you use?

The correct answer would be: "Then you have 5 seconds to introduce yourself and show your official ID, unfolded."

Next stage


The first, "cold external" call center can simply work as an API for obtaining company contacts. These contacts can go directly to the customer or, especially in the case of advertising and production companies, to a second "cold" call center. There the operators try with all their might to convert the contact into a meeting. But they cannot answer questions at all.

I note that, in general, there is no vulnerability as such in the second case: the social engineering does not go beyond what is socially acceptable. The main problem is that once you get into the database of even one advertising agency, your contacts will be scattered all over the world.

I gave different people different email addresses and different phone numbers, and then watched the dynamics for a couple of years. The most pleasant surprise was that the subway advertising service (billboards above the escalators) handed out its customer base to everyone. I am glad they were squeezed out of the market.

By the way, on the domestic front, this spreading of contacts reminds me of how Akado's operators work: these devils called me 8 more times within two years after I had disconnected and announced that processing of my personal data was stopped. The first two times I just explained to them what would happen if they called again, and then I started persuading them to send an installer: twice to my old address, twice to the address of a friend's private security firm. For some reason they don't call anymore. Probably installed it.

The next method: "You are so cool I've gone cross-eyed"


If the right person's email address is known, something resembling the beginning of a friendship with a journalist is sent there. The way you befriend a journalist: praise them for their last two pieces and suggest a topic for the next one. Hence the saying in the trade: "Do you love me, or is this PR?"

So template letters start landing in the mailbox in the spirit of "I bought from you, I'm delighted, everything is great, I just noticed you're not using Direct to its full potential, let's meet." Sometimes it is genuine. It's simple to tell them apart: if the letter has at least minimal specifics, it's a real person. If you can replace your company's name with "Channel, Beam LLC" and the substance doesn't change, it's spam.

Sometimes they immediately offer something free, for example an audit. The result of this audit is more contacts and a commercial offer. In general it's the same simplest sales method, so far without a catch.

Once one of our animators (the event kind, not the cartoon kind) stood in for the girl on the phone for a couple of hours. I witnessed a most interesting dialogue:
- Mosigra, hello!
- ...
- Yes. Yes. On an important question? No, he can't right now. Send it by email.
- ...
- Take it down. "P", then "r" as in Russian, then "o", then "s" like a dollar sign, "h" which is the English "x", "e", "l", "n", "a" like "a", again "h" as "x", "u", "i" with a dot. At mosigra dot ru. Read it back, is that right?
- ...!
- Exactly. Seeee, you said it yourself. Goodbye.

We didn't let him near the phone again.

I adore the way our animators think. They sometimes make excellent social engineers. It's the job.

Do you have a couple of minutes to talk about God?


There is also a more cunning pairing strategy. For example, a person calls and says he is a journalist from such-and-such publication (or site, or whatever) and really wants a comment, just for a couple of minutes. Since journalists need to be cherished and helped in every way, sharing open data is no problem.

The only problem is that this is not always an interview. With some probability it may be collection of information about the infrastructure, for example which ERP software is used, and so on. Accordingly, you then end up in one database or another for further use by those who specialize in that topic.

The second scam: you are asked to take part in an industry survey in exchange for the results (poll now, results later). A couple of days after the survey, the results arrive together with a "gift" from some company, like a discount or a free audit.

The third theme: sometimes they really do interview you, then publish it somewhere on a news site in the "100 views per month" category, and then start pushing their product at you. One beautiful lady selling call-center solutions distinguished herself this way. One thing I don't understand: if you have a good product, why such tricks? And if it's bad, are there really people who buy "on acquaintance" after such manoeuvres?

The effect of everyone in CC


This is not social engineering, but it belongs in the same pile.

Some contractors have started putting every email address found on the site into CC. Apparently for the same reason that people put several exclamation marks at the end of a sentence. Since spammers do this in 99% of cases, such emails are immediately perceived as not very trustworthy. Plus, most of the time nobody responds to these letters, because everyone assumes another department in CC will answer.

It is more correct to put one person in "To", the rest in CC, and state right away who the letter is addressed to. It's like in critical situations: don't shout "Someone, bring the car first-aid kit," but pick one person and say: "The man in the red cap. Yes, you. Bring the first-aid kit out of that overturned car, urgently."

The most unpleasant thing in this situation is when they send a separate letter to each exposed mailbox, and then for three more days forwards from different people trickle in to the head of the relevant unit.

Special landing pages


From time to time social engineering "tailored" to a specific person lands in personal mail. As a rule it is phishing with a redirect to somewhere you need to enter a password. Standard protection cuts off almost all of this rubbish (the main thing is to teach users not to disable the antivirus on personal laptops, or simply not to give them that option at work).

The last striking case was last year: they sent an attachment with a virus, "court decision on LLC N" ("N" being our counterparty). The girl "couldn't" open it (or rather, opened the doc with no visible effect) and sent a colleague to try on a neighbouring laptop. Both did this on personal machines. And they will remember this case for the rest of their lives.

More often, letters arrive where it's clear from the text that it is not addressed to you personally: you "accidentally" ended up in someone else's important correspondence between two of your contractors or suppliers. And here is an important link (a contract, for example), just click it.


Don't click on the attachment. And even more so, don't carry it over to the RDP terminal to open it through the browser there.

Example:
Dear Colleagues!
Hello!

We inform you that our company is currently checking its documents,
since we do not have Appendix No. 8 to our contract with you,
we urgently need you to sign it and deliver it to us by courier.
I attach the appendix to the contract, as well as the reconciliation statement as of today,
which also needs to be signed:

Thanks!

Best regards, Accountant of Nimbus LLC, Svetlana Nikiforova

Attachments (2)

1) Appendix.rar (link)
2) Reconciliation statement.rar (link)
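The sample lure above, together with the "everyone in CC" pattern from the previous section, can be turned into a first-pass mail triage rule. The Python below is an added example written for this article, not code from the original post or from Mosigra; the two messages, their addresses and domains, the keyword lists, weights and the quarantine threshold are all assumptions made for illustration.

```python
"""Mail-triage heuristics for the "sign the appendix urgently" lure shown above.
Added example for this article, not code from the original post or from Mosigra.
The two messages are constructed inline; the sender/reply-to domains, keyword
lists, weights and thresholds are assumptions for illustration."""
import os
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Containers the sample lure uses to smuggle its payload, plus script/shortcut types.
RISKY_EXT = {".rar", ".zip", ".7z", ".iso", ".img", ".js", ".vbs", ".scr", ".exe", ".lnk"}
# Office formats that may carry macros (the "court decision" doc case); lower weight.
MACRO_EXT = {".doc", ".docm", ".xls", ".xlsm"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|before lunch|within \d+ (hours?|days?))\b", re.I)
ACTION = re.compile(r"\b(sign|courier|reconciliation|court decision|invoice|payment)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")


def _domain(msg, header):
    hdr = msg.get(header)
    return hdr.addresses[0].domain.lower() if hdr and hdr.addresses else ""


def _recipients(msg):
    return sum(len(msg.get(h).addresses) for h in ("To", "Cc") if msg.get(h))


def triage(raw, internal_domains=("example.com",)):
    """Score one RFC 822 message; returns its score, findings and a verdict."""
    msg = message_from_string(raw, policy=default)
    score, findings = 0, []

    def hit(points, text):
        nonlocal score
        score += points
        findings.append(text)

    sender, reply_to = _domain(msg, "From"), _domain(msg, "Reply-To")
    if sender and sender not in internal_domains:
        hit(1, f"external sender domain {sender}")
    if reply_to and reply_to != sender:
        hit(2, f"Reply-To domain {reply_to} differs from From domain {sender}")
    n = _recipients(msg)
    if n >= 3:
        hit(1, f"{n} recipients in To/Cc (the 'everyone in copy' pattern)")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXT:
            hit(3, f"archive/executable attachment {name}")
        elif ext in MACRO_EXT:
            hit(2, f"macro-capable document attachment {name}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    if URGENCY.search(body):
        hit(1, "urgency language in body")
    if ACTION.search(body):
        hit(1, "sign/pay/courier call to action in body")
    for url in URL.findall(body):
        if os.path.splitext(url.rstrip(".,;)").lower())[1] in RISKY_EXT:
            hit(3, f"archive delivered as a link: {url}")

    verdict = "quarantine" if score >= 6 else "flag" if score >= 3 else "deliver"
    return {"score": score, "findings": findings, "verdict": verdict}


def _phish():
    # Constructed lure modelled on the sample above; every address here is made up.
    m = EmailMessage()
    m["From"] = "Svetlana Nikiforova <accountant@nimbus-llc.example>"
    m["Reply-To"] = "docs.nimbus@mail-drop.example"
    m["To"] = "info@example.com, sales@example.com, hr@example.com, director@example.com"
    m["Subject"] = "Appendix No. 8 to the contract"
    m.set_content("Dear Colleagues! Hello!\n"
                  "We urgently need you to sign the appendix and return it by courier today.\n"
                  "Reconciliation statement: http://mail-drop.example/files/Act_of_reconciliation.rar\n"
                  "Thanks!")
    m.add_attachment(b"Rar!\x1a\x07\x00", maintype="application",
                     subtype="octet-stream", filename="Appendix.rar")
    return m.as_string()


def _benign():
    # Constructed internal message with none of the lure's features.
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Friday"
    m.set_content("Lunch at one on Friday? The new place across the road.")
    return m.as_string()


SAMPLE_PHISH = _phish()
SAMPLE_BENIGN = _benign()

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        result = triage(raw)
        print(label, result["verdict"], result["score"])
        for finding in result["findings"]:
            print("   -", finding)
```

Nothing here replaces a sandbox or an antivirus. The point is that the shape of the lure alone (external sender, a Reply-To that does not match, a crowd in CC, an archive attached or linked, a "sign it today" demand) is enough to pull the message out of the queue before anyone opens it on a personal laptop, which is exactly what the two employees in the story did. Real `.eml` files can be fed in with `triage(open(path).read())`.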


An award as a way to harvest contacts


Once our contacts were extracted in a very interesting way: we were invited to receive an award. There was even an award website, and a bunch of people who were going to attend. The problem was that we had not applied for this award (and had not applied for anything at all), but apparently the idea was that this is a very cool way to get past the secretary and collect all the right contacts at once, on a wave of joy.

Suspicion


Naturally, the main mailboxes are not among those that "stick out" externally; that is, an alias for "To" is given to an outside person only once they are already in dialogue with us. At the same time, the level of paranoia still keeps growing.

Once the organizer of a retail conference called me to say that I had not responded to an invitation to speak for two weeks. I honestly admitted that I had thrown her letter into spam because it was large, incomprehensible and very suspicious, given that the subject was "We invite you to take part in an important conference." I remembered it, thinking it was a new kind of phishing.

Another time a new employee was offended for a long time that I had not answered. The investigation showed that she had sent a letter with the subject "Please don't delete, this is not spam!!!". And set it to high priority. A year later the same trick was repeated by another nice girl from another division, with the same effect.

Iterative traversal


One day a man called me who introduced himself as a director of the company RSS (office equipment service). He began by saying what reasonable people we were, he and I, and how our companies should cooperate. He got to the point in a couple of minutes: he said he urgently needed a negative review that our support staff had left to be removed. The gist of the review: they did not do the work in the promised time, and when we called, they were surprised and set another month. I check the facts right there in the conversation, even before talking to our technical support (hereafter, dialogues from memory):
- Wait a minute, you promised an SLA of 4 days, right?
- Yes.
- We called on the 5th day, right?
- Yes.
- Before that you said nothing, right? And then you said it would take at least another month? Do I understand everything correctly?
- Yes.
- So what's the problem?
- Yes, it's our screw-up. But, you see, your admin had no right to leave such a review... We are serious people!

OK, I think, maybe they just didn't understand. I take a timeout, contact our IT service, find out. Yes, that's how it was. There is also a second review: they wanted to take a server from us for repair and wanted to replace the motherboard (it seems). The repair would have cost more than buying a new server. We ordered one from another company a few days later and received it within a reasonable time and at earthly prices. Which is what the sysadmin wrote.

Second call. I say: I checked the facts, I see no reason not to trust the sysadmin, you confirmed everything yourself. What's the problem? The dialogue went like this:
- Well, it's YOUR employee.
- So what?
- Have the review removed!
- Why?
- He had no right to write on behalf of the company.
- He wrote as himself. I don't see an official letterhead or anything there.
- Forbid him from doing such things!
- Why?
- And if I buy a game from you and write a bad review, what will you do?
- Imagine: we'd be glad and fix the service somewhere.
- What, you wouldn't even ask to remove it?
- No.

It seems this put him in a dead end, and the "director" didn't call again. We then additionally looked this comrade up and found out that he was just a manager.

In general, fortunately, I have a noreply@mosigra.ru mailbox, so I ask such people, who go around everyone in the company, to send a written request there. It is valid. For some reason they don't write.

Noreply


Recently someone wrote to noreply with just the word "Hello." I replied something like "Hello," and then thought for a long time about what kind of phishing this was. Maybe they need my signature, where the phone number is? But that's on the website anyway... It turned out a Habr user was testing whether such a mailbox really works for us.

Pressing for calls


Damned payment systems latched on like a bath sheet and wouldn't let go even after a direct refusal. Favourite phrase: "The last time we talked was a couple of months ago, and the story wasn't over then. Has anything changed?" As if I hadn't refused but postponed.

Often, when you ask for something specific like "calculate this or that for us," they say:
- Good. I'll send you a presentation.
- Don't.
- Why?
- You do the calculation for us and just send the numbers I asked for.
- Well, let's see...
And they send it anyway.

They often try to impose a meeting with the first letter. Like, let's discuss this important question, when can we come to your office? Never. But answering that bluntly would be rude, so I ask for the meeting agenda (main points), the way it's done inside the company. And it turns out there is nothing to talk about.

Another cool thing is when advertisers, at the end of a dialogue, ask when it makes sense to call me back. At first I gave real dates, for example in June: "Well, I'll be choosing a counterparty in this area again on January 20, after 14:00." Then it turned out they do call back. Really. After 14:00. And assuming I don't remember what I said, they begin: "You asked us to call and remind you about..." I didn't ask. "We agreed to call": we didn't agree. Someone gave them a textbook on NLP, from which they learned only basic presuppositions and started climbing up people's backsides without soap. Fortunately, it is precisely these constructions that give away beginner pickup artists and advertisers; they burn in the dialogue almost immediately.

Now, when at the end of a dialogue they ask when to call back, I ask why. And the person is lost.

More holes


Data can leak from the funniest places. For example, freelance exchanges seem to have been hacked a couple of times, with personal data leaks. On some sites moderators read the correspondence between users. Plus a lot of similar jokes in random unexpected places. For this reason I love the Soviet-style language scheme of Vkontakte:



It doesn't let you relax.

But on the other hand


Sometimes you need to look into the spam folder. Facebook, for example, had painstakingly filtered out all the messages from journalists and various people writing to me with links since March and decided not to show them. I only saw them a week ago and was shocked at how much had flown past.

Source: https://habr.com/ru/post/272287/
