What information can be found on your network when an attacker has breached your first line of defense?
Below is information we gathered after successfully compromising a client's network.
Credit Card Details
Office 365 login details in plain text
Pictures being sent to and from users.
Using an SSL stripper to strip away secure communications, we could capture login credentials for various websites using HTTPS. Using a specific security stripper, we even managed to steal information from websites using the HSTS security protocol.
Social media account login credentials.
Bank and accounting system login credentials
Why would an attacker be after this type of information?
Assuming your attacker was unsuccessful in compromising the credit card information, I thought I would share the following project we worked on not too long ago.
I received a call from a company informing me that their supplier had told them their systems had been compromised. After meeting with the company I was informed that the following had happened. The customer placed an order to be shipped from their normal supplier to their head office; the total cost of the shipment was $30,663.00.
After the shipment arrived, the supplier contacted the customer asking when payment would be made. The customer replied that payment had been made 2 months earlier and could not understand why the supplier had made such a request. We proceeded to investigate how the customer had been compromised and found no proof that the customer was in fact compromised, as the supplier had stated. Investigating the case further, we found that the bank account details on the invoice sent by the supplier had been changed. This led us to believe that the attacker was intercepting mail between the customer and the supplier.
We then proceeded to check the supplier's mail accounts and found that the attacker had indeed compromised them. To ensure that mail coming from the customer to the supplier did not reach the intended recipient on the supplier's Exchange, the attacker had set up the following.
On the Office 365 account the attacker had set up a rule so that any mail coming from the customer was flagged and immediately deleted; since Office 365 allows deleted mail to be recovered, the mails could be retrieved at a later stage. The attacker used this method to intercept mail between the customer and the supplier and, without spoofing the e-mail account, successfully managed to steal $30,663.00.
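As an added example (not from the original article), the following PowerShell, run by an Exchange administrator, lists every inbox rule in the tenant that deletes, hides or diverts mail, which is the kind of rule the attacker left behind in the case above, and then pulls the audit trail of who created or changed rules recently. The tenant name, the lookback window and the folder-name pattern are assumptions.

```powershell
# Added example (not from the original article): hunt for inbox rules that hide or
# divert mail, the technique described above. Needs the ExchangeOnlineManagement
# module and an account with Exchange admin rights; tenant name is a placeholder.
Connect-ExchangeOnline -UserPrincipalName 'admin@TENANT-PLACEHOLDER.onmicrosoft.com'

$LookbackDays = 30   # how far back to search the unified audit log (assumption)

$suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        # Rule deletes matching mail outright (the supplier case above)
        if ($rule.DeleteMessage)     { $reasons += 'DeleteMessage' }
        if ($rule.SoftDeleteMessage) { $reasons += 'SoftDeleteMessage' }
        # Rule files mail into a folder the owner rarely looks at (pattern is an assumption)
        if ($rule.MoveToFolder -match 'Deleted Items|Junk|RSS|Archive') {
            $reasons += "MoveToFolder=$($rule.MoveToFolder)"
        }
        # Rule forwards or redirects mail elsewhere
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'ForwardOrRedirect'
        }
        if ($reasons.Count -eq 0) { continue }
        # A sender condition turns a generic rule into targeted interception
        $senders = @($rule.From) + @($rule.FromAddressContainsWords) | Where-Object { $_ }
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            RuleName = $rule.Name
            Enabled  = $rule.Enabled
            Reasons  = ($reasons -join ', ')
            Senders  = ($senders -join '; ')
        }
    }
}
$suspicious | Sort-Object Mailbox | Format-Table -AutoSize

# Who created or changed inbox rules recently, and from where?
# (Requires unified audit logging to be enabled in the tenant.)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000 |
  ForEach-Object {
      $d = $_.AuditData | ConvertFrom-Json      # details live in a JSON blob
      [pscustomobject]@{
          When     = $_.CreationDate
          Actor    = $_.UserIds
          Action   = $_.Operations
          ClientIP = $d.ClientIP
          RuleName = ($d.Parameters | Where-Object Name -eq 'Name').Value
      }
  } | Format-Table -AutoSize
```

Any rule that deletes or moves mail from a single named sender, especially one created from an unfamiliar client IP, is worth checking directly with the mailbox owner.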
Importance of Penetration Testing
Sometimes your suppliers and customers can be vulnerable even if your company has performed regular penetration tests. It is imperative that businesses are encouraged to perform regular security testing and undergo regular cyber security training.
We believed that the above supplier might not have been hacked by a breach of its first line of defense, but could easily have been intercepted using the methods described above. This is why training is important: a simple tick in an Outlook client could have prevented the above scenario from happening.
What do I suggest you do?
Make contact with us on firstname.lastname@example.org (SECURE ICT) to discuss how we can be of service to your company: to protect your data and your mail, and to train your employees to be vigilant in detecting and preventing these types of attacks. https://www.cybersec-ict.com
I sincerely hope this information is helpful to the reader.
Gerhard Mohr – Senior Ethical Hacker