This past week a very large corporation on the east coast was hacked in what seems to naive old me to be a new way — through their corporate phone system. Then one night during the same week I got a call from my bank saying my account had been compromised and to press #4 to talk to their security department. My account was fine: it was a telephone-based phishing expedition. Our phone network has been compromised, folks, and nobody with a phone is safe.
Edward Snowden was right: we’re not secure, though this time I don’t think the National Security Agency is involved.
Here’s how this PBX hack came down. Step one begins with looking for companies that have outsourced their IT help desk to a third-party company, preferably overseas. There are today many, many such companies and it is easy to find them and to find out who is running their offsite or offshore help desk.
Step two is robocalling at night into the corporate phone system, punching in each possible extension number. Live and dead extensions are mapped, and any voicemail greetings that are encountered are mined for the user’s name.
Step three happens during normal business hours, not at night. An employee of the target company is called at their desk by someone claiming to be from the outsourced help desk company. The incoming caller ID is spoofed to look right, the caller addresses the employee by name, it all feels legit. “I’m from the (outsourcing company name) IT help desk,” the Bad Guy says, “and we’re having an issue with the network, possibly originating at your workstation, so I need you to: 1) install a software tool (malware, virus, etc.), or 2) allow a remote access session so I can fix the problem.”
It’s social engineering and it’s happening all over the place.
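The night-time extension sweep in step two shows up in a PBX's call detail records as a burst of short inbound calls across many distinct extensions. The sketch below is an added example, not part of the original story: the CSV column layout, thresholds, function names and sample records are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDR export (assumed columns): start time, caller ID,
# dialed extension, disposition, duration in seconds.
SAMPLE_CDR = """\
2014-03-03 14:05:11,2125550101,4012,ANSWERED,312
2014-03-04 01:12:00,2125550199,4000,INVALID,0
2014-03-04 01:12:40,2125550123,4001,VOICEMAIL,21
2014-03-04 01:13:15,2125550177,4002,VOICEMAIL,19
2014-03-04 01:13:55,2125550199,4003,INVALID,0
2014-03-04 01:14:30,2125550142,4004,VOICEMAIL,23
2014-03-04 01:15:02,2125550142,4005,VOICEMAIL,20
2014-03-04 23:40:10,2125550101,4012,VOICEMAIL,45
"""

def night_of(ts, night_start=20, night_end=6):
    """Return the date a night began on, or None for daytime calls."""
    if ts.hour >= night_start:
        return ts.date()
    if ts.hour < night_end:
        return (ts - timedelta(days=1)).date()
    return None

def find_extension_sweeps(cdr_text, min_extensions=5, max_seconds=60):
    """Flag nights where many distinct extensions got short inbound calls.

    Calls are grouped per night rather than per caller ID, because caller ID
    is attacker-controlled and may change between calls.
    """
    nights = defaultdict(set)
    for start, _caller, ext, _disp, secs in csv.reader(io.StringIO(cdr_text)):
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        night = night_of(ts)
        if night is not None and int(secs) <= max_seconds:
            nights[night].add(ext)
    return {
        night.isoformat(): sorted(exts)
        for night, exts in nights.items()
        if len(exts) >= min_extensions
    }

if __name__ == "__main__":
    for night, exts in find_extension_sweeps(SAMPLE_CDR).items():
        print(f"possible extension sweep on night of {night}: {exts}")
```

A flagged night is a cue to warn the affected extensions' owners before the daytime "help desk" call in step three arrives.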
My call from the bank was different. I don’t remember if they said my name or not, but I am a current customer. A friend of mine who faced a similar experience recently was called about an account he had closed, but I wasn’t so lucky. I was really tempted to press #4 but precisely because I’d heard of my friend’s experience just the day before, I didn’t. Instead I logged in to my online banking account where there were no alerts and nothing seemed amiss. My bank can text me if there’s a problem but they hadn’t, and no money seemed to be missing. …
Source: Donkeyrock_BlurBlog
