CIO Magazine September CIO 100 Special Issue


Undercover Officer

ANONYMOUS

the extortionist, and had not turned off her system since the files were transferred to it, so the IS people had a pretty good look at logs and files to find out what they could reconstruct and get some ideas. They could see that she had, indeed, gotten the e-mail and then clicked on the URL, just as she said. Logs on her system showed an FTP file transfer from an IP address in Bulgaria. In all, there were three files that were named the same as the three we found on her system. They also found some text and GIF files about Greece.

The system keeps 20 days’ worth of file caches on what users have viewed on the Web, and if you know where to go on the system, you can see all of it. The team copied everything to a CD. They also copied her Internet and website caches to CD in case we needed them later. They made a complete copy of her hard drive and burned that to a DVD.

“Looks as if things happened just as she said,” the internal information security manager told me.

After that, we checked her e-mail client and the server backups. She had received an e-mail two days after the initial message asking for money and a credit card number. Luckily, she didn’t give them one.

Here’s the interesting part, though. When we were checking the firewall access logs, we found that the same IP address was active 27 times that day to other end-user systems on our network. Twenty-seven times! We did some checking and found that at least 15 other employees were hit with the same scam on the same day. Why hadn’t anyone told us? I was completely aghast.

That’s when I learned about the paranoid users. Some knew it was a scam, but some were truly afraid of losing their job. A few confessed to visiting porn sites on their computer at home and thought this was related. Three employees responded to the threat by divulging credit card numbers and now have problems with charges on their card.

We told them what was going on and had them call their credit card companies right away. Then we put some blocks in our e-mail filters to kill off any more e-mails like that one. We blocked the IP addresses from FTP and Web access in case the same culprits try it again. We decided to do the same procedure again if they change addresses or e-mail message types.

Filtering is a very on-or-off type of experience. We don’t usually pick up any changes in the attack automatically, and so we decided to see a sample to tune the filters and kill off other variants of the message as well. It was the same problem we had with the spam filters. Spammers have an easy time tweaking messages to get around any filters we set up. What fun.

Security gets messy when it involves employees’ privacy and protection from things like this. I have had to deal with the lovelorn stalker e-mail and the vicious ex-spouse mail several times. This was my first extortion scam, but it turned out it wasn’t the first that my company dealt with.

“We have this down to a science,” my security team told me proudly.

“What do you mean by that?” I asked. “Why haven’t I known about the others?”

“They happened before you came to work here,” they explained.

But they happened. Apparently, we’ve had get-rich-quick schemes, extortion by people claiming to know where users live and to be watching them, and one that targeted parents, claiming that their kids were being watched. All kinds of awful nonsense.

“We usually put in the blocks, save the data to CD, call the FBI and send them copies of what we find,” they told me. “It’s like a fire drill for us now. We know what to do automatically.”

“How often does something happen?” I wondered.

“Oh, probably 10 or so times a year....”

It seems it happens a lot more often than most people think. Most companies don’t have an internal information security department to investigate and block this stuff, and many employees never say anything about it for fear of losing their job. One of my fed buddies told me that the government estimates that several million dollars are lost by employees every year to this sort of activity.

SEPTEMBER 15, 2012 | REAL CIO WORLD | VOL/7 | ISSUE/11
