Sales Call or Social Engineering?
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Sales Call or Social Engineering?

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    889

    Sales Call or Social Engineering?

    We all hear about social Engineering and as a Admin I get my share of sales calls, most are screened and dumped to the voice mail and no message is left the few that do get through have what I consider some rather social engineered questions. Here is my own true story about a year old I want to share.

    I run an active firewall with a nice GUI interface where I can see color coded lines of all network traffic out going and from the outside arriving in. I sat one morning and all of the sudden noticed my red alert lines from a company attempting to access a port scan first from view the log and then very speciific known exploits, when all of the sudden the reception desk rings me and says so and so from the very company I was watching at the firewall calling me. So rather then have it dumped to my voice mail I took the call, cause I just wanted to see what all of this was about. Mind you very nice sounding woman on the other end and from memory here is what was said.

    Caller: Hello Mr. (myname) I understand you are the contact person for your Networking needs. We provide IT consulting services to company's such as yours. May I ask if you run a firewall?

    Me: Yes we do. (I want to play a game now).

    Caller: What firewall software and hardware do you use?

    Me: I do not answer questions about our network to people that call me. (Firewall activity from said company is still pecking away at the ports)

    Caller: Ok let me ask you this how many servers and workstations do you have and what OS are you using?

    Me: I'm sorry but like I said I do not answer these questions unless I am calling someone.

    Caller: Please sir I am doing my job and I have to account for who I contact and the answers I have a blank call sheet. Can't you at least tell me how many servers you have.

    Me: I'm sorry (her name) I do not like the direction of this conversation and you are providing me with just your company name. Thank You and I hung up.

    My only questions are were:
    1. Was this a penetration test by a potiential IT consultant to sell their services?
    2. I did not ask for such testing, and had I provided any answers would they have broken something so they could fix it?
    3. Any sales call should not have to depend upon my answer facts about my network.

    My conclusion from this as it was a large IT company is that perhaps their system was not secure the sales call bogus and bogus users wanted to gain access to my network. Or maybe it was just the company with an incorrect sales pitch. What do you think?
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  2. #2
    "IT consulting service" Haha.. It was an attempt to discover data about your company's netwerk. Plain as day. If it were just a sales call, they would be promoting their product and trying to convince you to purchase something instead of disclose information.

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    250
    Well if you didn't ask for that ask if anyone working there did. I wouldn't take answers until you get some specific information. Yeah, this is really common though. Don't trust them until you have full proof. But I think its a load of BS, this is daily life in a company/network. Just incase take your crowbar....hehe :P

    Thanks for your time~
    [gloworange]Die, or surrender, either way won\'t work.[/gloworange]
    [shadow]HuntX7[/shadow]

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Posts
    339
    I don't think it was a sales call, it was pure social engineering. Why would she suddenly call you right after the
    failed attempt to scan your network? No reputable company that offers security consulting AFAIK do that.

    Security is about trust. If you don't trust the company, don't give them a chance to sell you anything. I support
    your decision not to answer her questions.

    <jdenny>
    Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
    I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  5. #5
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    i would have fed them faulty information and looked to see if known exploits against 'said' devices were subsequently picked up by the firewall.
    -droby10

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    dropy10 am a real busy person at work what point would there be to doing that? I had enough info already to make my choice how much pecking at the firewall should I log? Not out to prove them wrong they were clearly and any sales call of this nature should not be these questions even if their are Not Any hits on the firewall And now one in any company should give out such info least not to a sales person. (greenies are welcome I'm faulted on grammer and spelling)...just a brain damaged crash test dummy
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  7. #7
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    dropy10 am a real busy person at work what point would there be to doing that?
    depending on the capability of the attacker you might learn a thing or two that could ultimately protect you from the next wave of advisories. while i agree that no legitimate company should act in such a manner. i've seen first hand where pocketed exploits are developed and used on-site in consumer audits as poc, later used as fool-proof means of entry
    for big bucks, and finally disclosed some 3 or 4 months later for publicity. it's a proven method - and capturing the information on the wire might just give you the signature you need to prevent being exposed to attacks when they take the exploit(s) out of their pocket and lay them on the table for everyone else to see. just my 2 cents on reverse information.
    -droby10

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    150
    I always feel a bit nervous about answering those questions from people who call me conducting a "survey of IT managers."

    I try to be as bogus as possible, but I'm half afraid of them calling M$ and them coming out and auditing me based upon my fake answers.

  9. #9
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Sorta Related

    This is kinda related so I thought I would share it here. The following is an e-mail that was received at my company yesterday from a "Security Vendor".

    Subject: Your Apache Web Server is NOT Safe!

    Dear Client:

    While browsing your web site, I noticed that you are running Apache
    version 1.3.20. A major vulnerability has been discovered in the
    Apache web server software. It's been all over the news the past few
    days, including CNN. Worms exploiting this issue have been
    discovered. Your server requires immediate attention to avoid the
    problems Microsoft IIS shops faced with the Nimda and Code Red worms.

    I am writing to you today to help protect your network investment.
    I'd like to tell you about XXXXXXXX, which detects these security
    vulnerabilities. Licensed XXXXXXX customers receive automatic product
    updates as soon as vulnerabilities go public. Combined with its
    flexible scheduling and alerting features, it allows our customers to
    stay on top of their networks. To learn how XXXXXXXX can keep you ahead
    of the hackers, download an evaluation copy:

    http://www.XXXXXXXX.com/Product-Download.html

    For more information on this vulnerability, as well
    as links to download the latest Apache software, please see the CERT
    advisory noted below:

    http://www.cert.org/advisories/CA-2002-17.html

    To determine if any attempts have been made to hack your web site, check
    the Apache server's error log. The message should be similar to the
    following:

    [Mon Jun 17 17:12:18 2002] [notice] child pid 26140 exit signal
    Segmentation fault (11)

    For more immediate attention, please give me or one of my colleagues a
    call at one of the numbers below.

    North America: XXXXXXXXXXXXXX
    Europe: XXXXXXXXXXXX
    E-mail: sales@XXXXXXX.com
    support@XXXXXXX.com

    Regards,
    Mr. Sales Guy

    Now, my problem here is:
    1) We are not now nor have we ever been a 'Client' of this vendor, so I have to assume this clown is scanning the net (likely with some kind of Bot) looking for Web Site's running Apache.

    2) After finding out we have an Apache Web Server, this clown looks for a e-mail address to send his 'sales-pitch' to. Of course, the one he sends it to, is a person (fairly high up in the company) which knows nothing about what this clown is talking about but assumes the sky is falling and contacts me.

    3) Now, we are running an Apache Web server but we are running it on a Solaris OS (not Windows) and, while the vulnerability exist, the exploits in the wild are targeted at Windows.

    And finally and most important, we already patched our system, but this clown assumes that he knows more about our systems that we do.

    In short, this is just down right rude and I made sure that Mr. Sales Guy knew I was less than pleased with his company's marketing tactics.

    Cheers:
    DjM

  10. #10

    Re: Sales Call or Social Engineering?

    Originally posted here by Palemoon
    We all hear about social Engineering and as a Admin I get my share of sales calls, most are screened and dumped to the voice mail and no message is left the few that do get through have what I consider some rather social engineered questions. Here is my own true story about a year old I want to share.

    I run an active firewall with a nice GUI interface where I can see color coded lines of all network traffic out going and from the outside arriving in. I sat one morning and all of the sudden noticed my red alert lines from a company attempting to access a port scan first from view the log and then very speciific known exploits, when all of the sudden the reception desk rings me and says so and so from the very company I was watching at the firewall calling me. So rather then have it dumped to my voice mail I took the call, cause I just wanted to see what all of this was about. Mind you very nice sounding woman on the other end and from memory here is what was said.

    Caller: Hello Mr. (myname) I understand you are the contact person for your Networking needs. We provide IT consulting services to company's such as yours. May I ask if you run a firewall?

    Me: Yes we do. (I want to play a game now).

    Caller: What firewall software and hardware do you use?

    Me: I do not answer questions about our network to people that call me. (Firewall activity from said company is still pecking away at the ports)

    Caller: Ok let me ask you this how many servers and workstations do you have and what OS are you using?

    Me: I'm sorry but like I said I do not answer these questions unless I am calling someone.

    Caller: Please sir I am doing my job and I have to account for who I contact and the answers I have a blank call sheet. Can't you at least tell me how many servers you have.

    Me: I'm sorry (her name) I do not like the direction of this conversation and you are providing me with just your company name. Thank You and I hung up.

    My only questions are were:
    1. Was this a penetration test by a potiential IT consultant to sell their services?
    2. I did not ask for such testing, and had I provided any answers would they have broken something so they could fix it?
    3. Any sales call should not have to depend upon my answer facts about my network.

    My conclusion from this as it was a large IT company is that perhaps their system was not secure the sales call bogus and bogus users wanted to gain access to my network. Or maybe it was just the company with an incorrect sales pitch. What do you think?
    Definate Social Engineer, you did the right thing. Screw the idiot caller

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •