Podcast: Play in new window | Download

Subscribe: RSS

Ep 1: A New Twist on the Tech Support Scam

In Episode 1 we talk about a data breach notification from Cox Communications in December of 2021. In the notification, they disclose someone was able to gain access to some of their internal tools, and as a result customer account information after using social engineering tactics. They did this by impersonating a support representative.

Having spent 9 years in the cable industry I developed my own theory as to how this could happen. Have a listen

The original article is on Bleeping Computer here.

Transcript Ep 1: A New Twist on the Tech Support Scam

0:00
People are the weakest link in any cybersecurity plan. We’re distracted, exhausted, and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity, and data, the human element has to be front and center in the war against data breaches and ransomware attacks, it’s time to educate.

0:52
Welcome to the human element podcast, visit our website at thehumanelement.net. For more content to help you strengthen your awareness of the people problem in cybersecurity, I am Scott Gombar, owner and Washtech a client-focused, security-minded proactive IT service provider. This is episode one a twist on the Support Scam. Where a lot of us have gotten that phone call from someone claiming to be from Microsoft or Apple saying there’s a virus on our computer or they detected unusual activity coming from our computer or whatever the case may be. And usually, we don’t fall for it. But I am aware that some people do fall for it. And I like to toy with those people. And I haven’t unfortunately, I haven’t gotten that call in years. But I know it exists. In fact, I know that at one point. Before in Washtech, there was I had an onsite support company called Tex or us and we were our name was used in a scam before. Unfortunately, the person they tried to scam was easy was able to identify that it was not actually TechsRUs that it was you know someone pretending to be TechsRUs. So it’s out there. So if you get a call from someone saying it’s Microsoft or Apple saying that, you know something wrong with your computer, or malware or, you know, they identified some strange activity, it’s not real. And I think at this point, since I haven’t gotten that call in years, I think it’s safe to bet that they realize, at least the Microsoft and Apple ones don’t work. And I’m aware that there are other versions of this Tech Support Scam out there. And I’m aware that does a Customer Support Scam very similar that usually comes from banks and things like that. And we’re going to talk a lot about those things over the next. I don’t know how long I plan to continue this podcast or how long I plan to blog about it and so forth. But I recognize that it is probably the single biggest problem in cybersecurity and that is people are the biggest problem. And I don’t mean that in a negative way. A lot of it goes back to education not always sometimes it’s malicious in nature sometimes. You know, we just don’t care whatever it may be, but most of the time it’s education and or culture. And by culture, I mean work culture, your workplace culture. Well, this is a scam that tricked Cox cable company into allowing somebody access and those details haven’t fully been identified. And I’ve got this from Bleeping Computer. This is actually from December of 2021 December 9 2021. It was shared by Lawrence Abrams, who I believe is the owner of bleeping computer COMM And so I found it interesting because I worked in another cable company, not  COX Cable, but I worked in another cable company for nine years. So I’m aware of how the internal workings of a cable company are and how they work and they’re all very similar, which leads me to believe this is probably somebody who worked for Cox or a similar cable company at some point and kind of knew what they needed to do to get in. So here we go. Cost communication has disclosed a data breach after a hacker impersonated a support agent to gain access to customers’ personal information. Cox communication aka Cox cable is a digital cable provider and telecommunication company that provides Internet, television, and phone services in the USA. They’re one of the larger ones. So you’re probably aware of who Cox is. This week customers begin receiving letters in the mail and again, this is back in early December. disclosing that Cox Communications has learned on October 11, that an unknown person or persons impersonated a COX support agent to access customer information. There are a lot of details about the security incident, but the hacker Lake Use the social engineering attack to gain access to Cox internal systems that provided information about customers. So I can tell you, what probably happened is they called into the customer support line, whatever the 800 number is. And when a rep picked up they pretended to be a rep from another department and probably gained access to systems that way or information that way.

5:30
Rather than saying I’m you know, customer XYZ and I have this issue, they said this is rep XYZ and need some help with this customer account. On October 11, 2021, Cox learned that an unknown person had or persons had impersonated a Cox agent and gained access to a small number of customer accounts. We immediately launched an internal investigation took steps to secure effective customer accounts and notify law enforcement of the incident reads the data breach notification signed by Ambra Hall chief compliance and privacy officer of Cox Communications. After further investigation, we discover that unknown person or persons may have viewed certain types of information that are maintained in your Cox customer count, including your name, address, telephone number, Cox account number Cox.net, email address, username PIN code, account security question, and answer and or types of services that you received from Cox. And you know, there’s a screenshot of the data breach notification and there’s a list of stuff that they believe was accessed name, address telephone number Cox account number Kazakhstan email, username PIN code, which your username is usually your email. Or I’m sorry, it’s not your email. It’s usually part of your email the first part of your email username PIN code, account security question and answers, and or the services customers received from Cox. While Cox does not state financial or password financial information when passwords were accessed, they are advising effective customers to monitor their financial accounts. And to change passwords on other accounts using the same one as the Cox customer comm. Cox is offering effective customers a free one-year experience identity works. I’m assuming that’s Identity Protection identity works that can be used to monitor credit reports and detect signs of fraudulent activity. And a statement to Bleeping Computer. Cox said that they have reported the incident to law enforcement and that it only affected a small number of customers. Although it does not say how many. When we asked further questions regarding the number of affected customers and how the breach took place, we did not receive a response. So Bleeping Computer did not get a response. So here’s what you should do if you are a Cox customer as I am a Cox customer. But I did not receive this breach notification letter. So I would assume that means my account was not identified as one being breached. But even if it wasn’t, I would take these precautions, or even if you didn’t receive the letter, immediately change the password and account security questions answers on your Cox account, you could do that on Cox.net. Be on the lookout for phishing emails pretending to be from Cox that is designed to steal your login credentials. That’s pretty easy because I ignore all of their emails and enable two-factor authentication for your Cox account to make it harder for threat actors to log into your account. Now, two-factor authentication or multi-factor authentication should be turned on every single account you have in I have one account that for some reason does not have this option available to it. And it drives me crazy at this point. But what also drives me crazy as the number of people that tell me, I’m not going to turn it on, because it’s just more work and extra work. And it’s too much work. And I hear this from people in business. And so that’s scary to me, because some of the people that I’ve heard from her in the financial world, or the legal world, they don’t want to turn it on because it’s extra work. Yeah, it sucks having to go to my phone and look up the pin every time I need to log into something. But the alternative is far worse. Again, I believe the way in, having spent nine years in the cable industry, I believe the way in would be pretending you are a rep on the other line and possibly can convincing whoever you’re talking to that you are a rep and you have some account information and somehow gaining access to those tools through whoever you talk to you trick them into giving you access and I’ve seen similar things for the cable company I worked for at least attempts. I don’t know if it ever worked. The other alternative is, of course, cable companies have internal support you have they have a knock and they have deaf side support, and so forth. They could be pretending to be you know, Deaf side sports saying you know we need to access your computer and then they fumble around with the tools once they have access to your computer, both very common scams. But if you’re working in the cable industry, you’re taking a number of calls every day, you’re, you know, some days a very stressful, call center Life is stressful. If you’ve never worked in a call center, I wouldn’t recommend it. It’s a very stressful job.

10:23
And sometimes things get through because you’re stressed out, you know, we had procedures in place for things like if somebody claims to be law, authority, law, law enforcement calling with a customer situation, they were supposed to call a specific number they weren’t, you know, in the call center, they weren’t supposed to divulge any information they had to call a specific number to, to get that information. There were things in place for that. However, I have been out of the cable industry now for seven, almost seven years. And it’s a safe bet that things the amount of phishing attacks and social engineering attacks has increased. And the sophistication of those attacks has probably gotten better. Meaning the attackers are smarter now than they were. They’re savvier now than they were seven years ago when I left. So I could be wrong. You know, we know we have the Twitter, the Twitter attacked from sometime in 2021, I believe it was, were they the was a teenager of I think a few teenagers but one got arrested in Florida that gained access to internal Twitter tools, I was able to do things to Twitter accounts. And I don’t know if they ever disclosed how that kid got in. But he got in through social engineering. A lot of these things happen through social engineering and will take some time, if you go to the website, we’ll define what social engineering is. But essentially, it’s kind of like what it sounds like you’re engineering a person by using social skills to kind of manipulate it is manipulation, most of the time, someone into doing something they wouldn’t normally do, like giving access to internal tools. So they gain access to the tools, they look up some accounts, I could tell you the tools, at least before I left that were there, they’re not, it’s not the kind of tool you’re going to learn instantly. It takes time. In fact, it takes I think it was the training was six or seven weeks at a time to learn all of the internal systems and how to support the customers. So that was that is why I believe this is probably somebody who worked in the cable industry at some point, probably more recently than not, it does have a high turnover, the cable industry, the call centers have a high turnover. So it is possible that they worked, learn the systems, and then thought well, I can social engineering my way in and do some damage. It’s also possible that they are still an employee and know exactly what to do. And we’re just trying to, you know, the accounts they wanted, maybe there were specific accounts they were trying to get to the well, I don’t know the reason behind it. Cox was not forthcoming with that, that information, apparently, those details. But this is this goes to show you if you’re working at a job and your company, and I could tell you the cable industry, the cable companies, they’re so busy, and probably more so now than ever. People working from home and the amount of devices you know, in my own house, there’s probably 1520 devices connected at any time. And I don’t think I would think that’s probably average, I would say maybe at least 10 devices, and most houses are connected. You have smart TVs, you have iPads, and phones and computers and all kinds of stuff connected. You know, AI, smart home devices, all those smart speakers, all of these things connected at any time. So more calls than ever coming into the cable companies. And the reps may be overwhelmed. And if there’s not a culture, a workplace culture, and when I left there definitely wasn’t a workplace culture of teaching your employees. This is what you need to be on the lookout for. Yes, they had a big training program. There was not a lot of focus on this type of thing. In fact, the 911 call that I would get, you know, I knew there was a specific number they’re supposed to call when they called in law enforcement. That was not common knowledge of the 800 Plus reps in the call center I was in most of the reps if you ask them wouldn’t know that information. So, in fact, it would probably reach out to someone, a leader or supervisor to get help. They’re overworked, they’re stressed. And probably overwhelmed at times, especially if there’s an outage or something along those lines,

15:22
it’s probably not hard to trick them. And if you don’t have a workplace culture encouraging, knowing what to be on the lookout for, for social engineering skills, that’s how they’re going to get in. So workplace culture is one of the things that’s going to help come combat social engineering and phishing attacks that are getting gaining active helping people gain access to internal tools, internal systems, and most importantly, data, client data, phone numbers, account numbers, possibly didn’t say passwords or financial information, but they also didn’t rule it out. And if they’re encouraging you to, you know, if they’re saying we’re going to give you one year of credit monitoring, then there’s a safe bet that they at least suspect that financial information may have been disclosed. Now, I could tell you, credit card information was not viewable on an account. But you could, of course, set up automatic payments. And so depending on what systems they had access to, they may have gotten credit card information if it was stored improperly. on the customer side of it, change your passwords, you should have a complex password, and it shouldn’t be reused passwords should not be used on any other website. And it should not be something you’ve used in the past. Be on the lookout for phishing emails should always be on the lookout for phishing emails, the type of email that Cox provides, it’s easier for phishing email to get through if you’re using Microsoft or Google email still gets through but not as easily. And also enable two-factor authentication again, should be on by default should never not be on wherever possible. And most websites now most applications now have two-factor authentication available. Except for that one, I’m not gonna say who it is. But that one company in it drives me crazy that they don’t have that option. That’s how you protect yourself as a customer. As an employee, you don’t if you’re not motivated to do it yourself, you’re unmotivated. And I can tell you from my experience, the vast majority of employees in a call center that not necessarily cable but in a call center, in general, are unmotivated, they’re there to collect a paycheck, they don’t want to be there. It’s not the greatest job in the world, it’s very stressful at times. Customers berate you all the time. It’s a, it’s a tough job. If you don’t believe me, then go apply for one, it’s a tough job. You know, you, you have to create that culture within, not the employees, the supervisors, the managers, and all the way up to the to the C level executives, they need to create the culture, to encourage employees to know what to look for. And they also need to educate the employees to know what to look for. This wouldn’t happen, or less likely to happen if that culture is in place if the stress levels weren’t so high. So I opened the podcast by saying you know, the intro, which will be the intro, at least for now on motivated and lack of education on these things. And I can promise you in the cable industry, that’s exactly what it is. Most likely there was somebody online, calling into the call queue the 800 number for Cox pretending to be another employee or pretending to be Deskside Support or internal tech support within Cox cable. And that’s how they gain access to these tools. It’s really not hard. It’s really not hard to accomplish this. So, cable companies should be on the lookout. Start training your employees and start motivating them to be on the lookout. That’s gonna do it for this episode of the human element Podcast Episode One all done. We will be back every week with a new episode and some education and hopefully, you will be better protected against the bad guys