Today, I wanted to talk about a threat scenario that we have modeled recently. In the scenario, the victim was a car dealership, and the target was to commit accounts payable fraud. The testing scenario is a penetration test against a large group of car dealerships, but our research shows the threat to be valid against any number of organizations.
Here are the basics of the scenario:
- The team found a car dealership with an extensive wireless network. Though the network was encrypted and not available to the public, the team was able to compromise the wireless credentials using a WiFi Pineapple in a backpack while pretending to shop for a new car.
- The team used the credentials to return later, appearing to wait for a service visit and working from the customer lounge. (The coffee and snacks were great!)
- The team logged into the wireless network and quickly identified many reachable devices, workstations included. Rather than focus on the workstations or attempt an attack on the users, the team instead focused on the shared printers.
- One printer was identified with the name “BackOffice”, and access to the print spool was easily obtained through a known default password that had not been changed on the device.
- Our team made notes of their recon attack path and left the dealership.
- Once away from the dealership, a couple of simple social engineering calls were made to the accounts payable folks, pretending to be a vendor that we had observed at work at the facility. Without the caller providing any real information, the accounts payable team member explained when we could expect payment, because accounts payable checks were processed every Thursday morning. The social engineer thanked them and completed the call.
- On Thursday morning, the team showed up at the dealership again, pretending to wait for a service appointment. While in the lounge, they accessed the compromised network and printer, this time taking deeper control of the printer’s file buffer.
- The team waited for the accounts payable staff to submit their weekly check printing to the printer. Indeed, around 10:45, the printer file showed up in the printer spool, where our penetration testing team intercepted it.
- The team quickly edited the file, changing the amount of one of the checks (increasing it by several thousand dollars) and the payee (making the check payable to a fictional company of our choosing). They also edited the mailing address so that the check would come to our office instead of the original vendor. (PS – we alerted the manager to this issue, so that the bill could be paid later — never harm a client while doing testing!!!)
- The file was then re-sent to the printer and released. The whole process occurred in under 3 minutes, so the AP person never even noticed the issue.
- One control we expected to find was that the AP staff would manually reconcile the printed checks against the expected check run, but this control was not in place and the altered check was mailed to us (we returned it, of course!).
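The missing control in the last step is the one that would have caught the altered check regardless of how the spool was reached: reconciling what the AP system says it released against what actually went to the printer. The following is an added example (not from the original post, and not a tool the testing team used) of such a reconciliation. The check register and the parsed print batch are constructed sample data, and the record layout (check number, payee, amount, mailing address) is an assumption; a real deployment would parse these out of the AP export and the spool file.

```python
"""Reconcile an accounts-payable check register against the batch that was
actually sent to the printer. Added example, not from the original post;
all records below are constructed, and the record layout is an assumption."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class Check:
    number: str
    payee: str
    amount: Decimal
    mailing_address: str


# Constructed sample: what the AP system says it released this Thursday.
EXPECTED_REGISTER: List[Check] = [
    Check("10041", "Ohio Parts Supply", Decimal("1250.00"), "12 Main St, Columbus, OH"),
    Check("10042", "Metro Detailing LLC", Decimal("640.50"), "88 Oak Ave, Dublin, OH"),
    Check("10043", "Quick Lube Services", Decimal("310.00"), "5 River Rd, Dayton, OH"),
]

# Constructed sample: what was parsed out of the spool file that reached the
# printer. Check 10042 has had its amount, payee and address changed.
PRINTED_BATCH: List[Check] = [
    Check("10041", "Ohio Parts Supply", Decimal("1250.00"), "12 Main St, Columbus, OH"),
    Check("10042", "Fictional Holdings Inc", Decimal("5640.50"), "1 Tester Way, Columbus, OH"),
    Check("10043", "Quick Lube Services", Decimal("310.00"), "5 River Rd, Dayton, OH"),
]


def reconcile(expected: List[Check], printed: List[Check]) -> Dict[str, List[str]]:
    """Return a map of check number -> list of discrepancy descriptions.
    An empty map means the printed batch matches the register exactly.
    The key "BATCH" is used for discrepancies that apply to the whole run."""
    findings: Dict[str, List[str]] = {}
    exp_by_num = {c.number: c for c in expected}
    prn_by_num = {c.number: c for c in printed}

    # Field-by-field comparison of every check the register says was released.
    for num, exp in exp_by_num.items():
        prn = prn_by_num.get(num)
        if prn is None:
            findings.setdefault(num, []).append("expected check missing from printed batch")
            continue
        for field in ("payee", "amount", "mailing_address"):
            ev, pv = getattr(exp, field), getattr(prn, field)
            if ev != pv:
                findings.setdefault(num, []).append(f"{field} changed: {ev!r} -> {pv!r}")

    # Anything printed that the register never released.
    for num in prn_by_num.keys() - exp_by_num.keys():
        findings.setdefault(num, []).append("printed check not in register")

    # Batch total: the simplest check a controller can also do by hand.
    exp_total = sum((c.amount for c in expected), Decimal("0"))
    prn_total = sum((c.amount for c in printed), Decimal("0"))
    if exp_total != prn_total:
        findings.setdefault("BATCH", []).append(
            f"total mismatch: register {exp_total} vs printed {prn_total}"
        )
    return findings


def batch_is_clean(expected: List[Check], printed: List[Check]) -> bool:
    """True when the printed batch matches the register with no discrepancies."""
    return not reconcile(expected, printed)


if __name__ == "__main__":
    for num, issues in sorted(reconcile(EXPECTED_REGISTER, PRINTED_BATCH).items()):
        for issue in issues:
            print(f"check {num}: {issue}")
```

Run against the sample data, the altered check 10042 is reported three times (payee, amount and mailing address) and the batch total no longer matches the register. The point of the batch total is that it is something the AP clerk can compare against the register by eye before the checks go in the mail, even when no script is in place; the per-field comparison is what catches a payee or address swap that leaves the total untouched.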
This is a pretty simple attack against a very commonly exploitable platform. Poor wireless network security and default installs of printer systems are common issues, and they are often not given much thought in most dealerships. Even when organizations have firewalls, ongoing vulnerability scanning, desktop controls, Anti-Virus, etc., this type of attack is likely to work. Most organizations ignore their printers, and this is an example of how that can bite you.
These types of threat scenarios are great examples of our services and the threat modeling, fraud testing and penetration testing available. If you’d like to learn more about these kinds of activities, or discuss how to have them performed for your organization – get in touch. You can contact us via web form or give us a call at (614) 351-1237. You can also learn more about our role and services specific to car dealerships here.
Thanks for reading and let me know if you have any questions – @lbhuston on Twitter.