OK gang, so here is our part of the story.
As many of you may now know, the NCUA issued a fraud alert this week based on a social engineering test we were doing for a client natural person Credit Union. You can find some of the materials at the following URLS:
NCUA Media Release
SANS Storm Center
Once we saw the alert from the NCUA, we immediately contacted our Credit Union client about the situation. The client had received the letter and CD set in the mail, just as intended and called for in their testing agreement. However, on their side, the person responsible for the penetration test was out the day the letter arrived. The receiver of the letter followed their incident response process and reported the suspicious activity to the NCUA Fraud Hotline, just as they are supposed to do.
Upon our contact with the CU, the entire situation became apparent and we quickly identified how the process had proceeded. The employee of the CU had followed the process, just as they should, and alerted the proper authorities to the potential for fraud. We immediately contacted the NCUA Fraud hotline and explained that the process was a part of a standard penetration test. Eventually, we talked with executive management of NCUA and offered them any information they desired, including the source code to the tools on the CDs. The NCUA was wonderful to work with, understood the situation and seemed appreciative of our efforts to help ensure that their members were meeting the requirements of NCUA 748, which calls for the protection of member data against illicit access, including social engineering attacks like these.
During our discussion with NCUA executive management, we discussed me reaching out to SANS and such to clarify the situation and to explain that the “attack” was simply a part of a penetration test. I did this as soon as I hung up the phone with NCUA. The handlers at SANS and I traded emails and phone calls and they amended their release to include the penetration testing scenario. The whole point of this was to add clarification and to prevent people from getting “spun up”, since there really was no ongoing attack in progress.
However, in typical Internet fashion, the story had already taken on a life of it’s own. The next thing we know, the press is picking up the story, there’s an article on slashdot and people are in alert mode. We then set about trying to calm folks down and such on Twitter, through email and such.
The bottom line here is this. This was a controlled exercise in which the process worked. The social engineering attack itself was unsuccessful and drew the attention of the proper authorities. Had we been actual criminals and attempting fraud, we would have been busted by law enforcement. The NCUA did a great job of getting the word out that such an attack had occurred and the media and security folks did a great job in spreading the word to prevent further exposures to this threat vector. Everyone, and I do mean everyone, is to be congratulated here for their efforts!
The system worked. Had we been bad guys, we would have been busted. The world was protected, once more, thanks to the vigilance and attention of the NCUA and the security community.
Now, about the testing. MicroSolved, Inc. does, indeed, test social engineering attack vectors as a part of our standard assessments. The social engineering threat is a powerful and valid attack vector that often leads to compromise. Our process for testing these engagements is well scoped, well organized and intensely controlled. The threats we emulate are very real (in this case, we even included typos and such in the fake letter). The simulated malware we use is a custom application, developed in house by my team of engineers and does not propagate in any way. It is safe, effective, tested and has been in use with ongoing revision and testing for more than five years. The entire process for testing social engineering has been performed thousands of times for thousands of clients and will continue to be a part of our testing methodology. We truly believe that information security starts and ends with the people involved in protecting the data.
I hope this answers any questions you may have about the process or the alert. If not, drop me a line at firstname.lastname@example.org and I will try and assist you, if I can. I would really like to thank the NCUA, SANS, my technical team and the customer CU for their help and attention on this project. Thanks also, to all of the security folks and CU folks who helped spread the word about this attack vector. Though the awareness campaign was unintended, it certainly has raised the bar for would be attackers if they hope to exploit this in the future. Thanks for all of your hard work and attention!
Oh, and lastly, no, it is not us sending the laptops to governors of the states. It might not even be us sending the next round of CDs, USB keys or whatever new fraud schemes emerge in the future. But, regardless of whether or not it is us doing a test for your organization, or real criminals attempting to exploit you, don’t fall for it! Report these events to the authorities and let’s make use of the process that we have clearly established!
Thanks for reading and make it a great day!
Update: Thanks to NetworkWorld for their help on getting the word out. Thanks to @alexhutton as well for this article.