How Not to Scam the IT Guy


Introduction

My name is Min Mg Mg, and I’m studying cyber security. I’m studying by “googling,” and the main source of my studying is Hacker Highschool (www.hackerhighschool.org). They are a non-profit organization that helps teens learn hacking as a method to figure out how things work, and to keep from getting scammed online. And for people like us, who can’t afford to pay much to learn technologies, we can learn free lessons there. Video training will be available soon, and they are even starting the ISECOM academy. Let me mention their motto and their definition of hacking. Their motto is “Hack everything but harm none,” and their definition: “hacking is a method of problem-solving and learning.” And very soon I’m going to study at the new org that’s being built by HHS’s project manager, called School for Hackers (www.schoolforhackers.org), where tutorials and videos are being developed as well.

One security vulnerability all organizations face is that they have to rely on IT consultants. They can gouge you, or give you a great deal, and it’s hard to know which. In this case, doing some investigation proved the consultant was ripping us off. Instead of a sneaky and exorbitant profit, he got nothing, and our company learned a valuable lesson.

Let’s get our hands dirty

The investigator was good, but his eyes popped when he heard the price quote. “What, a point to point wireless installation only costs about US$3000?” he asked. Then, “What’s the distance, what are the devices they used, and is there some blockage between the points?”

“The distance is 5.6 km by car, but it is only about 4 km as the crow flies. I don’t know exactly which devices were used,” someone answered. Our investigator decided to get his hands dirty, based on experience with his previous company. He made an immediate call to the secretary of the ABC company. (Obviously the names are changed.) She’s already a friend, which makes her a pore: a place where trust is being given. Because she trusts our investigator, she is not trustworthy to her employer when he uses social engineering on her.

Conversations

Investigator: Hello, Ms. Secretary, it has been so long. And is everyone good?

Secretary: Of course, everyone is doing well. And you? What are you doing there?

Investigator: I’m well too, and now I’m busy trying to find some providers to set up a point to point wireless connection, but the lines are busy and I can’t get this done. And my boss is breathing down my neck. I’ve heard that at your company a wireless connection was installed recently. Could you help me with some information on this? I need to get my boss some kind of numbers or I’m in trouble.

Secretary: Of course, I could give you a hand but don’t quote me. I’ll send you an email with the price list our IT Manager applied for approval.

Investigator: Oh thank goodness!

Very soon after the conversation, the price list and the device information were sent from secretary@abc.com, and the investigator looked at them and seemed puzzled. “Umm, all of these devices are for a point to point connection?” And the letterhead seemed sketchy, less than professional.

Y Company
Att: IT Manager (ABC Company)
Subject: point to point wireless installation cost

#   Item #       Description                                          Qty   Per Item (US$)   Total (US$)
1   AM-5G20-90   4.9-5.9GHz airMAX Base Station, Cisco Air 20dBi,     1     850              850
                 90 deg w/ rocket kit
2   ROCKETM5     5GHz Rocket MIMO, airMAX                             1     350              350
3   PBM5         5GHz PowerBridge MIMO, airMAX                        1     650              650
4   TC-Carrier   TOUGH Cable, Level 2                                 1     100              100
6   IL-SRV2      Complete Setup Installation                          1     1000             1000
                                                                     TOTAL                   US$ 2950

“This letter looks like a bad photocopy made after someone modified the contents. And the number one item, AM-5G20-90, at the top of the list is surely a Ubiquiti model, but what actually is a Cisco Air? And why is this size of TC-Carrier being used? That’s so interesting.” And he decided to call the supplier company and try to learn something real.

Investigation followed by social engineering

Investigator: Hello, is this Y Company?

Y Company: Yes, May I help you?

Investigator: I’m the consultant at the IT section of the ABC Company. Recently our company purchased a wireless service from your company. Now, I have to ask a favor, could you email me a copy of the receipt for the point to point service? Send it to our manager’s mail and I’ll bring it up at our budget meeting with the director. I just asked the favor because our IT Manager is travelling and we couldn’t contact him yet. Would that be ok?

Y Company: We’ll contact you back after the confirmation with our sales manager, sir.

Investigator: If I may, I’ll hang on the line, because everyone, including our director, is waiting in the meeting room and I’m getting to a dead end. Or could you just tell me the total amount of the cost, please?

Y Company: Hang on a moment, I’ll inform him and put you through.

Sales Manager at Y Company: We can help you with this, sir. The total amount of the cost was US$1601. But I’ll only send the softcopy of it to the address of your management’s email.

Investigator: You are so kind. Our management’s email address is secretary@abc.com, and it goes directly to the director’s office.

While the investigator was sitting at his computer with a cup of coffee, the secretary of ABC Company gave him a ring. “I’m calling you because I have just received an email from the Y Company. They sent it to us, but the subject says your name: per Mr. Investigator’s request,” she said.

“Yes, I asked them to send it to the secretary of ABC Company. That’s the real receipt of the real cost from Y Company so that you can confirm the price,” Investigator said.

The real weakness of Mr. Scammer was this: his deception required victims who were less technologically aware than he was.

So, let’s take a look at the real price list of the Y Company:

Y Company
Att: IT Manager (abc company)
Subject: point to point wireless installation cost

#   Item #       Description                                          Qty    Per Item (US$)   Total (US$)
1   AM-5G20-90   4.9-5.9GHz airMAX Base Station, 20dBi,               1      164              164
                 90 deg w/ rocket kit
2   ROCKETM5     5GHz Rocket MIMO, airMAX                             1      98               98
3   PBM5         5GHz PowerBridge MIMO, airMAX                        1      297              297
4   TC-Carrier   TOUGH Cable, Level 2                                 70 M   0.6              42
6   IL-SRV2      Complete Setup Installation                          1      1000             1000
                                                                     TOTAL                    US$ 1601

We will draw a curtain over the scene that followed.

We have all been scammed in areas we don’t understand, both with and without our knowledge. Frequently we think there will be someone who can help us. Sometimes even the very person we trust might scam us. Let’s regard ourselves as our own closest enemy, following one of the speeches of General Aung San: “get rid of the closest enemy.” The first question we should ask ourselves is “Is it possible?” And first of all we had better get rid of credulousness. And think about an insider. In this case, even if he was the company’s own IT staff, why was he so bold as to scam that amount? Does our management team need to be educated in technology-related issues, or were some of them partners of Mr. Scammer?

A company that’s using a lot of technology is like a house with many windows and entrances. Securing only some of the windows and doors doesn’t secure the house. That’s why we deeply need to engage an ethical hacker and design tight computer and network security policies. Social engineering can be called psychological manipulation, in short, a legitimate lie; but yelling “Fire!” in a crowded movie theater is unlawful. The issues here are not simple, and some experience and training are mandatory. That means we need to bring up more young security professionals, which is exactly what we are working to do at Hacker Highschool and School for Hackers.

Written By

Htet Aung @ Starry Sky
Translator at Hacker Highschool
Security Professional and IT Officer