Job Seekers Beware a “Work at Home” Scam


A complex social engineering attack targets job seekers.  Folks make bad decisions when they are desperate and scared, and criminals know this.  Of the numerous intricate social engineering cons out there, look out for one called a “Mule Scam.”  These attacks target the unemployed, mostly through job boards, LinkedIn groups, and resume posting sites.

An acquaintance of mine shared his story with me to help others protect themselves.  He is an intelligent, conscientious man who was scared and desperate and saw what he wanted to see, and in the end it cost him thousands of dollars.  Before you judge, understand the fear and anxiety that go through the mind of a successful individual who can’t provide for his family.

The con started with a foreign business asking him to translate communications between their European business and the “new” American market they were trying to penetrate.  He simply took email messages and rewrote them in proper English.  He performed this task about a half dozen times and earned a couple hundred dollars.  The deal seemed harmless; it turns out this was the hook.

The email messages were basic, telling the story of a European online auction site that provided high-priced items to collectors.  Some notes thanked customers for their purchases.  Other communications discussed activity with “representatives” who were “financial intermediaries” that took money from buyers and, after taking a small cut, sent the remainder, via wire transfer, to the business based in Europe.

My source was happy with this small amount of money and hoped the business would ask him to become a “representative,” as he would make ~$2,000 per month in addition to the commission on all transactions, simply by taking money into his PayPal account and transferring it via wire to their business in Europe.  He believed the activity was a goodwill gesture as, he was told, PayPal has low dollar limits in Eastern Europe.  His work was “kindness,” as this business wanted to supply their goods to Americans and “nice” people allowed them to do this by acting as a “financial intermediary” to get around PayPal’s limitations.

After a couple of weeks rewriting bad English, the offer came forward.  My acquaintance provided screenshots showing his PayPal account had no limits and that he was a “preferred” member.  He also sent a photo of a redacted driver’s license showing his new employer that he was a human being and did exist.  He even had a phone interview and discussed the opportunity.  He did Google searches on the company and the position and even found that Scam Advisor rated the business as 100% safe.

The first deal came forward.  A simple eBay transaction for goods that cost around $2,250.  His contact with his new “employer” provided shipping information and when the buyer received the merchandise, he sent the money, minus fees, from PayPal to his bank account.  After the money arrived, he then wired the money to a bank in Eastern Europe.  He was allowed to keep hundreds of dollars for the typing and his commission.  It all looked great.

The following week another transaction came into his PayPal account, this time for a larger sum.  He was pleased.  This meant another couple hundred dollars in “salary” after PayPal took their cut, money for his family, or so he thought.  The “employer” contacted him with shipping information and his American contact called to follow up as well.  The phone call made sure he would promptly move the money to his bank account and wire funds as soon as possible.  No problem, all was on the up and up, as far as my associate was concerned.

While the money was in transit from PayPal to his bank account, he received a call from eBay.  The customer service department noticed strange activity on his account and wanted to know what was happening.  After about 30 minutes on the phone, and after validating through questions that eBay was really eBay, it turned out my acquaintance was the victim of a “Mule Scam.”  He was the middleman for criminals, taking money for false transactions and then wiring the money to con artists in Europe.

Thanks to eBay, my contact was able to move the money for the second transaction back to his PayPal account.  Unfortunately, since my acquaintance was neither a buyer nor seller, PayPal does not insure the money and he now owes PayPal for the first transaction.  Since he already wired money to Europe, he has to come up with this money lest PayPal “take him to court.”

My contact is intelligent, diligent, and thoughtful.  He failed to follow the basic tenet that if something seems too good to be true, it probably is.  He also didn’t pay enough attention to realize the con artists used email from a third party, not the domain of the business they supposedly worked for.  Lastly, he should’ve wondered why eBay was involved when the auction house was supposed to be in Europe.

There are many morals to this sad tale, not the least of which is to beware of social engineering.  Con artists are smart and detailed, and they prey on scared and desperate people.  Pay attention, be alert, and listen to your inner self; if something seems amiss, it probably is.  Don’t fall prey to scams, and be especially aware during desperate times.

Social Engineering – The IT Security Risk that Impacts Everyone

How do you know the person sending an email is the person you believe it to be? How do you know the person on the other end of that instant message is the true account holder? How do you know the text you just received came from the owner of the phone? All employees must show vigilance, and to be vigilant they need process and proper expectations.

Imagine a stalker finding the name of the senior VP of HR on LinkedIn and then calling IT pretending to be that individual, demanding his password be reset. Next, the criminal contacts his victim’s manager via email asking for personal information about the individual.

How about a hacker pretending to be the CFO and then sending an email to an accounts payable clerk to cut a check to a third-party vendor for services rendered? This false CFO then follows up that email with a quick instant message. How many employees would think to question this? Does your business have processes and training in place to protect it from these types of attacks?

Social engineering, also known as human hacking, takes on several forms. Some are as basic as a phone call with the caller pretending to be someone they are not; others are as sophisticated as outlaws getting a job with a cleaning crew or telephone company for physical access to an environment. Corporate leadership must understand the risks of social engineering and take steps to protect their organizations.

One of the greatest “hackers” of all time, Kevin Mitnick, would pretend to be someone he wasn’t to gain trust, and later access, to company systems. He was so thorough in his actions he once joined a cleaning crew so he had physical access to environments where he easily penetrated their systems and stole valuable information. Social Engineering grows more and more sophisticated and much of it comes from what Kevin Mitnick started decades ago.

Ever notice how almost no one locks their computer when they walk away? I’ve seen lawyers, human resources employees, and even the controller of an organization leave for long periods of time without locking their computers. How much critical, private, and personal information do these employees have access to? How difficult is it for a disgruntled employee to walk into one of these offices, close the door, and have at the information these key staffers have access to? How hard would it be to get on their manager’s computer, or an HR system, during a company event or lunch break? Once on the system, they could send payroll an email pretending to be a person of authority and ask for additional funds to be transferred as a “bonus” or “expense reimbursement.” Does your organization think in these terms? If not, it should.

One company I worked at had a situation where an outside party registered a similar Internet domain name to ours. They then created email accounts using the CEO and CFO names. The criminals sent an email to the controller pretending to be the CEO asking the CFO to wire money to an account. The controller began the process to send the money. Internal checks and balances caught this employee’s error and prevented the funds transfer. The controller made an egregious error; fortunately, process saved the day. Does your company have this protection? Does the leadership of your business have the awareness to protect corporate funds from attacks such as this?
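A mail-screening check can back up that process for both warning signs in these stories: the lookalike domain carrying executive names above, and the "employer" in the job scam who wrote from a third-party mail service. The sketch below is an added example, not code from the author or any company described here; the domain, executive names, and sample headers are constructed placeholders.

```python
from email.utils import parseaddr

CORP_DOMAIN = "acme-widgets.example"      # assumption: the real corporate domain
EXECUTIVES = {"jane doe", "john smith"}   # assumption: CEO and CFO display names

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain):
    """Fold common visual substitutions (rn->m, vv->w, 0->o, 1->l, 3->e, 5->s)."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("0135", "oles"))

def check_sender(from_header):
    """Return the reasons a From header needs out-of-band verification."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == CORP_DOMAIN:
        # An exact match only passes this check; header spoofing is a
        # separate problem handled by SPF/DKIM/DMARC.
        return []
    reasons = []
    if edit_distance(normalize(domain), normalize(CORP_DOMAIN)) <= 2:
        reasons.append("lookalike-domain")
    if " ".join(name.lower().split()) in EXECUTIVES:
        reasons.append("executive-name-external-domain")
    return reasons

if __name__ == "__main__":
    samples = [  # constructed From headers
        "Jane Doe <jane.doe@acme-widgets.example>",
        "Jane Doe <jdoe@acrne-widgets.example>",
        '"John Smith" <john.smith@freemail.example>',
        "Sales <sales@acme-widget.example>",
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "ok")
```

Any flagged message asking for money or credentials should be confirmed over a channel already known to be good, such as a phone number from the company directory.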

Most people are aware of phony email when it comes from a trusted source. For example, when a friend or co-worker sends the ubiquitous message “Hey check out this cool website I found…” we all know this is bogus and we stay away. It’s important for businesses to reach this level of awareness for the more sophisticated human hacking attempts mentioned above, as well as dozens of others. Leadership has an obligation to protect company information. The way around the vast majority of attacks is simply awareness. Processes and procedures must exist that protect against human error.

Humans are easier to hack than computer systems and networks. Most people are raised to be kind and helpful, leading them to inherently trust others. The concept of bad people taking advantage of the good and honest does not sit well with most people. Unfortunately, evil exists, and we all must have awareness and behave in a fashion that balances our desire to help others with protecting that which we are responsible for. “Protecting the organization from being victimized by hackers using social engineering tactics has to be the responsibility of each and every employee – every employee.”[1]

Eric Jeffery has 20+ years’ experience with Information Technology including stints in the Retail, Aerospace, Defense, Hardware, Entertainment and Healthcare industries. Eric has a Bachelor of Arts degree in Economics from the University of Colorado at Boulder. Mr. Jeffery recently founded Gungon Consulting to help businesses solve the exact problems mentioned in this article. You may contact Eric at eric@gungonconsulting.com.