I Got Hacked…At…Maybe…

by. Richard Bradfute

I Got Hacked…At…Maybe…
Well, it happened…probably. I was just getting back to my office after board meeting on Tuesday when I got one of the ever-occurring phone calls from a company wanting a few moments of my time to schedule a date so they could take more of my time to sell us something we don’t need because we already have it. Now, I’m always listening for ways to improve, and part of my job is to evaluate new technologies, so if the product seems somewhat interesting, I’ll take an hour and look at it. This one did, because it was a security product, so I said, “Yes.” We scheduled a time, then she – the caller was a “she” – asked me for my e-mail address, and something inside me went “click”. I don’t normally give out my e-mail address over the phone to a stranger, and I told her so, and then the conversation got really interesting.

Me: Now, who do you work for?
She: MX CoolCo
Me: Just a second
I googled it, and the site looked more than legit…These people spent a ton of money on it.
Me: I’m sorry…what is your name again?
She: Gia Camacho
Me: Gia, I am not trying to be rude; I’m just a little paranoid about giving out information to people I don’t know or know about. I’m sure you understand. How can I verify you are who you say you are?

Now, l’m telling you that I do this all the time, especially lately, and the caller ALWAYS appreciates or at the very least understands my caution, and I have ALWAYS been able to verify the legitimacy of the call…until now. When I asked my last question, she acted like it actually hurt her feelings. Are you kidding me? Telemarketers don’t even have feelings after people hanging up on them all day, day after day after day. It was either her first day on the job or something was going on.
Something was going on.

She: Here’s my number; you can call me here at 555-555-5555
Me: Gia, that number doesn’t match the one on your website.
She: Well, I don’t actually work for MX CoolCo. I work for a company the sets up meetings for MX CoolCo, but you can call me at the number I gave you and we can continue.
Okay. Now, it’s been a long day after a brutal week before, but there’s no way I’m so out of it that I am going to call her back at the number she gave me to verify she is who she says she is. Peter Griffin wouldn’t fall for that one, even after a night at The Clam.
Me: Who do you work for, then?
She: BestSysEver in Dallas.

I googled it, and their site looked like it was developed by a third grader – no insult intended to our young readers out there – and the number she gave me doesn’t match the one on that site either.
Let me recap this: I, a man, get an unsolicited call from an attractive-sounding woman with a pretty name who wants my e-mail address, and she gets her feelings hurt when I very politely try to verify her identity, and the more I try to verify, the more desperate she gets. It actually sounded like she was going to cry.
Suspicious? Yeah.
Me: The number you gave me does not match that site either. I’m not trying to be rude, but I will call you back if I can verify you are who you say you are.
And I hang up before she has a chance to respond.

Now, Gia could be her real name, and she could work for BestSysEver who could drum up business for MX CoolCo and Tuesday could have been her first day on the job, and I could have actually hurt her feelings by asking a simple question. It’s possible, but I’m not buying it yet.

She may well turn out to be legit, but the point here is that we all have to be careful. We have a very complex security system to prevent hackers from getting in our network from the outside, but we don’t have a firewall to protect our employees from human hackers.

I can hear some of you right now thinking, “So what’s the harm in an e-mail? We have anti-virus and a lot of other firewalls to protect us.” You are absolutely correct. You know it, I know it, and guess what? The bad guys know it, too. A tried-and-true trend is to specifically target C-level execs (CEO, CIO, CFO, Cashier, etc. and the rest of you are targets, too, so don’t feel left out!) by sending them an e-mail that installs a custom designed virus on their respective computers. That virus captures everything that person does on the computer, including passwords, trade secrets, internal e-mails, etc. and sends it all to the hacker.

And here’s the best part: It is completely undetectable. No anti-virus or firewall can stop it because they can’t see it. This is not an abstract fear. It is common knowledge that several BIG TIME companies have been infected for months to years and did not know it…until it was too late. And, we have all seen in the news ransomware attacks that have extorted 6-figure sums from public entities. How did that happen? 99% chance it was from a malicious attachment or link in an email.

Now for the mini-sermon: Be careful! Do not open attachments you are not expecting and NEVER open an attachment from an unsolicited e-mail. EVEN IF YOU KNOW THE PERSON WHO SENT IT. Go old-school and pick up the phone and call him or her! Low tech can often trump high tech! I’m just sayin’…
I love the joke, “I’m not paranoid, I just think everyone is out to get me!” Make no mistake here: Everyone is not out to get us, but some people are. We all have to be very, very careful because we don’t know who is who.

I’ll keep you posted as I pursue this possible social engineering attack.

Author’s Note: Gia Camacho, BestSysEver, and MX CoolCo are not the actual names of the people and companies involved. Out of the abundance of caution, I have substituted the actual names in my experience with these.