IT Security Horror Story: Slow Network, Big Phish

October 29, 2014, Mark Manousogianis, Information Security Consultant, Coalfire Labs

It was a typical morning, just like any other for Annie. She arrived at the office just in time to fill her coffee mug and get to her desk to read the email that had been piling up since Friday. After reading through the standard office-wide messages, she came across one from the help desk.
 
It wasn’t rare to get an email from the help desk, but this one caught her eye because IT was apparently testing out a new email service. It promised to be faster and more reliable, and to have better spam filtering than the current email. As a bonus, the IT department was offering a $20 Starbucks gift card to anyone willing to test the new service.
 
Looking forward to the improved email service, and of course being a lover of White Chocolate Mochas, Annie immediately followed the link in the email and logged into the new email server. Unfortunately, the new service apparently still had bugs: every time she tried to log in, she was simply redirected back to her company’s home page.
 
Annie figured that she would give it another try tomorrow and see if they worked the bugs out…
 
Meanwhile, in a basement 3 states over, James was patiently waiting for unsuspecting users of Annie’s company to click the link that he had sent them. Yes, it was James all along. There was no new email portal, there was no Starbucks gift card. There was only a guy who was trying to steal login credentials to Annie’s company, and it had worked…
 
This is typical of the social engineering threat. Targeted spear-phishing emails like this one are just one of the threats to the “people” aspect of your organization. Notice what the victim actually saw: the link led to a look-alike login page that captured Annie’s credentials and then redirected her to the real company home page, so the only symptom was a service that seemed “buggy”, and she planned to try again the next day. This story is a dramatization written to show the end-user experience, but the tactic is one that Coalfire Labs uses in its phishing engagements.
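The practical tell in the story is the link itself: a real help-desk portal lives on the company's own domain, while a harvesting page does not. The following Python is an added example, not code from the original post or from Coalfire Labs. It assumes the company's real hosts live under example.com, and the email it inspects is a constructed version of the "help desk" message from the story, with the visible link text showing a plausible company URL while the actual href points to an attacker-controlled host (the .test host below is invented for the example). The From header is deliberately not used as evidence, since it is trivially spoofed.

```python
"""Flag login links in an email whose real target is not under the org domain.

Added example (not from the original post). Assumptions: the organisation's
real hosts are under example.com; SAMPLE_EMAIL is constructed for this demo.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the company's legitimate domain(s). Subdomains count as internal.
ORG_DOMAINS = ("example.com",)

# Constructed sample message modelled on the story: spoofed help-desk sender,
# a gift-card lure, and a link whose text and destination do not match.
SAMPLE_EMAIL = """\
From: Help Desk <helpdesk@example.com>
To: annie@example.com
Subject: Test our new email service (Starbucks gift card)
Content-Type: text/html; charset="utf-8"

<html><body>
<p>IT is piloting a faster mail service with better spam filtering.</p>
<p>Be one of the first testers and receive a $20 Starbucks gift card:</p>
<p><a href="http://webmail-example-com.test/login">https://webmail.example.com/login</a></p>
<p>Questions? See <a href="https://intranet.example.com/helpdesk">the help desk page</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Text may arrive in several chunks; accumulate until the </a>.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_org(host):
    """True if host is one of ORG_DOMAINS or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def suspicious_links(raw_message):
    """Return [(href, [reasons])] for links that should not be clicked.

    Two checks: the real destination host is outside the org, and the visible
    text names a URL whose host differs from where the link actually goes.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    parser = LinkExtractor()
    parser.feed(body)

    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        reasons = []
        if not host_is_org(target.hostname):
            reasons.append("destination host %r is not under %s"
                           % (target.hostname, ORG_DOMAINS))
        shown = urlparse(text if "://" in text else "")
        if shown.hostname and shown.hostname.lower() != (target.hostname or "").lower():
            reasons.append("link text shows %r but points to %r"
                           % (shown.hostname, target.hostname))
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("  -", r)
```

Run against the constructed message, the gift-card link is flagged on both counts while the genuine intranet link passes. A user-side version of the same check is simply hovering over the link and comparing the host shown in the status bar with the company's domain before entering a password.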

Have a scary story of your own? We'd love to hear your story and help you combat your IT monsters!

Learn more about Coalfire Labs:
Penetration Testing
Vulnerability Scanning & Assessments
Social Engineering
Application Security

Read our other IT Security Horror Stories:
The 100 Million Dollar Getaway
The Ghosts Inside
Breaching a bank in 20 minutes
