OK gang, so here is our part of the story.
As many of you may now know, the NCUA issued a fraud alert this week based on a social engineering test we were doing for a client natural person Credit Union. You can find some of the materials at the following URLS:
Once we saw the alert from the NCUA, we immediately contacted our Credit Union client about the situation. The client had received the letter and CD set in the mail, just as intended and called for in their testing agreement. However, on their side, the person responsible for the penetration test was out the day the letter arrived. The receiver of the letter followed their incident response process and reported the suspicious activity to the NCUA Fraud Hotline, just as they are supposed to do.
Upon our contact with the CU, the entire situation became apparent and we quickly identified how the process had proceeded. The employee of the CU had followed the process, just as they should, and alerted the proper authorities to the potential for fraud. We immediately contacted the NCUA Fraud hotline and explained that the process was a part of a standard penetration test. Eventually, we talked with executive management of NCUA and offered them any information they desired, including the source code to the tools on the CDs. The NCUA was wonderful to work with, understood the situation and seemed appreciative of our efforts to help ensure that their members were meeting the requirements of NCUA 748, which calls for the protection of member data against illicit access, including social engineering attacks like these.
During our discussion with NCUA executive management, we discussed me reaching out to SANS and such to clarify the situation and to explain that the “attack” was simply a part of a penetration test. I did this as soon as I hung up the phone with NCUA. The handlers at SANS and I traded emails and phone calls and they amended their release to include the penetration testing scenario. The whole point of this was to add clarification and to prevent people from getting “spun up”, since there really was no ongoing attack in progress.
However, in typical Internet fashion, the story had already taken on a life of it’s own. The next thing we know, the press is picking up the story, there’s an article on slashdot and people are in alert mode. We then set about trying to calm folks down and such on Twitter, through email and such.
The bottom line here is this. This was a controlled exercise in which the process worked. The social engineering attack itself was unsuccessful and drew the attention of the proper authorities. Had we been actual criminals and attempting fraud, we would have been busted by law enforcement. The NCUA did a great job of getting the word out that such an attack had occurred and the media and security folks did a great job in spreading the word to prevent further exposures to this threat vector. Everyone, and I do mean everyone, is to be congratulated here for their efforts!
The system worked. Had we been bad guys, we would have been busted. The world was protected, once more, thanks to the vigilance and attention of the NCUA and the security community.
Now, about the testing. MicroSolved, Inc. does, indeed, test social engineering attack vectors as a part of our standard assessments. The social engineering threat is a powerful and valid attack vector that often leads to compromise. Our process for testing these engagements is well scoped, well organized and intensely controlled. The threats we emulate are very real (in this case, we even included typos and such in the fake letter). The simulated malware we use is a custom application, developed in house by my team of engineers and does not propagate in any way. It is safe, effective, tested and has been in use with ongoing revision and testing for more than five years. The entire process for testing social engineering has been performed thousands of times for thousands of clients and will continue to be a part of our testing methodology. We truly believe that information security starts and ends with the people involved in protecting the data.
I hope this answers any questions you may have about the process or the alert. If not, drop me a line at firstname.lastname@example.org and I will try and assist you, if I can. I would really like to thank the NCUA, SANS, my technical team and the customer CU for their help and attention on this project. Thanks also, to all of the security folks and CU folks who helped spread the word about this attack vector. Though the awareness campaign was unintended, it certainly has raised the bar for would be attackers if they hope to exploit this in the future. Thanks for all of your hard work and attention!
Oh, and lastly, no, it is not us sending the laptops to governors of the states. It might not even be us sending the next round of CDs, USB keys or whatever new fraud schemes emerge in the future. But, regardless of whether or not it is us doing a test for your organization, or real criminals attempting to exploit you, don’t fall for it! Report these events to the authorities and let’s make use of the process that we have clearly established!
Thanks for reading and make it a great day!
Update: Thanks to NetworkWorld for their help on getting the word out. Thanks to @alexhutton as well for this article.
I wonder if spoofing NCUA is the best idea. I know that I would not be happy if I found out that a company was pretending to be us to fool someone into responding to a social engineering attack.
What do you mean, “if we had been bad guys we would have been busted?” This is part of your “standard penetration test” is all fine and well. I like a little social engineering myself.
But you clearly F’d up. You didn’t account for time out of office/vacation and you didn’t have appropriate contact information to get a hold of your “get out of jail” contact, who could have nipped this in the bud. Perhaps you should included some lessons learned here, as I’m confident the upper management of said CU aren’t real happy w/ their name being dragged about, nor was the NCUA for going into crisis mode. The fact that the media jumped all over it is a testiment to their willingness to report anything w/o getting the facts.
If you really had control over this situation, the outcome would have been different. The test could have been completed, the alarms sounded, and the minor freak-out avoided. – Joe.
Mike, thanks for the comment. Actually, the NCUA seemed OK with it in our discussions. It represents a valid threat vector that attackers might exploit. In fact, in email form, attacks using the same methodology have been logged for quite some time. The new “old school twist” was the delivery via physical mail. As you know, other forms of physical attack, such as dropping USB keys and the like on the premises have been standard for some time. This is simply another extension of manipulating un-validated trust that is likely to exist. While the press attention was unexpected, it shows that the alert process is functional and effective.
I see this as a large scale win for credit unions, the NCUA and information security, in general. It has really raised awareness of social engineering attacks and set the bar higher for criminals expecting to exploit these issues.
#1 – I approved your link because I am a believer in free speech and opinion, but please, keep your tone respectful and if you would like to debate about an issue, that is fine, but please be respectful.
#2 – I think the bad guys thing is clear. The NCUA was about to start the process for inspecting the code and would have traced the attack had we not immediately notified them of the testing. In fact, they had already issued the fraud alert so any wide scale attack would likely have been thwarted.
#3 – Your mistake assertion is simply incorrect. The engagement was properly scoped, managed and performed. Certainly, some expected things happened during the incident handling process, but this is true more often than not. Quite simply, life is a chaotic system and we do our very best to control things, but the unexpected often occurs. Ask anyone who has ever been in a traffic accident about chaos. I do not see any way that we could have performed any differently than we did in this engagement. We had multiple levels of contact with the client and once those contacts were missed, we immediately stepped forward and alleviated the issue as soon as we knew about it.
#4 – The entire process shows a successful capability to handle these threats. Everyone from the NCUA, to the media, to the security community performed wonderfully by spreading the word. Awareness was raised and we set the bar went higher for criminals trying to exploit these forms of attack (like in the “laptops for governors” attack currently in progress).
So, at the end of the day, I extend my apologies to anyone who feels upset by the outcome, but we did everything we could to control the situation and proper safeguards were in place. Did the unexpected happen, sure it did, but I don’t know how we could have avoided it. I am sorry that we caused a commotion, but I think, in the end, it was a positive outcome for everyone. I can’t think of anything we would do differently, if we had it to do all over. In my mind, we communicated with the client, the NCUA and the folks involved as quickly and effectively as possible.
Thanks for your input and feedback. I appreciate you being a reader and I value your input and right to an opinion.
Awesome Job. That the intended contact was not there made this a real world test and the employee who blew the whistle should be congratulated on a job well done. The fact that the alert went out means that many more people were educated against one potential attack vector.