A very interesting alert came from the National Credit Union Administration last month regarding a fraudulent letter and accompanying CD.  The letter and CD were sent to an unnamed credit union, indicating they were from the NCUA when in actuality they were not.  An employee of the credit union told the NCUA about it, prompting the alert.

It was very quickly learned that the letter and CD were sent by a consulting firm contracted by the credit union in question to conduct penetration testing and social engineering testing.  The consulting firm, MicroSolved, owned up to it and praised the client credit union for doing exactly what they should be doing:  Reporting suspicious activity to the appropriate authority.  In his blog, MicroSolved CEO Brent Huston expressed his admiration for the whistleblower, the NCUA, and the multiple media and Internet outlets who made this incident into an inadvertent “awareness campaign” regarding the dangers of social engineering.

MicroSolved took a considerable amount of heat for impersonating the NCUA and for using the NCUA's logos, name, and likeness.  Whatever one thinks of the ethics, using those likenesses is what makes the test effective, and arguably what makes it meaningful at all.  Real attackers are not going to follow a rule of "we don't use agency logos when we impersonate agencies," and a test that most closely resembles a real attack is the one that tells you most about how staff will respond to a real attack.  Unless real fraudsters can be counted on to spare the agency's likeness, the people questioning this firm's ethics for using it are complaining about the wrong thing.  The priority should be keeping businesses' information safe, not the proper use of names and logos.

Social engineering is a tactic in which an attacker, instead of targeting weaknesses in computer systems, targets the people who use them as a way to gain unauthorized access to confidential information.  It exploits trust, curiosity, and deference to authority through a variety of channels, including bogus emails, phone calls, letters, mailed CDs, or other means.  The defense the credit union employee demonstrated is the right one: treat an unexpected request or unsolicited media as suspicious, and confirm it with the purported sender through a channel you already know to be legitimate rather than one supplied in the message itself.

GraVoc Associates, Inc. is celebrating fifteen years of business serving Greater Boston, New England, and beyond in the fields of information security, information systems, and professional services.  With three CISMs on staff, GraVoc brings a high skill level to its information security consulting practice.  As a service to its clients, GraVoc posts items of note such as the one above to increase awareness of constant changes in the information security landscape.  For more information about GraVoc’s offerings in information security consulting, please visit www.gravoc.com or speak to a representative at 978-538-9055.