[conspire] Fraudulent e-mail addresses (was: ...Straffic data breach)

Nick Moffitt nick at zork.net
Fri Feb 28 04:25:38 PST 2020


On 27Feb2020 08:49pm (-0800), Rick Moen wrote:
> Quoting Paul Zander (paulz at ieee.org):
> > Meanwhile, at my house my wife answered a phone call reportedly
> > from my bank asking about some transaction.  She gave me a note with
> > the bank's phone number.  I set the note aside and looked up the bank's
> > phone number.
[...]
> Ask if this is a Security Dept. inquiry about the transaction.  If the
> distant party says 'Yes', then say 'Fine, I'm going to telephone my bank's
> Security Department, so I'm confident I'm talking to who I wish to talk to.'

I have been listening to the Darknet Diaries podcast lately, and while I'm a little sceptical of some of the stories (particularly the ones granted access to NSA or military sources), the most interesting ones of late have been from "Red Team" stories.

These are folks you hire to test your defences, both purely digital ("Can we tighten our Internet-facing security?") and physical ("Can we tighten our street-facing security?").  The first step is a painstakingly negotiated contract detailing the work to be attempted, acceptable targets, acceptable method categories, conditions for success, etc.

Then you get a sealed letter for the people actually performing the testing to carry.  It has the names, contact details, and signatures of the authorities that approved the tests (usually a CIO, CEO, and board member team or something).

Occasionally in the stories, they have to whip this letter out as a "get-out-of-jail-free card", when their actions are uncovered and authorities are called.  But sometimes the letter itself is taken without sufficient scepticism.  Sometimes they're released just on sight of it.

But what I've noticed is that there is no description of how people verify it when that comes into the tale.  Sometimes it sounds like they just *call the numbers on the letter* and shrug when someone on the other end of the line says "yes, we authorised them".

I trained my child to answer any requests by phone for personal information with the phrase "But YOU called ME!"  This is something I do with bank fraud department calls with an incredulous tone.  "What sort of Fraud department would think this isn't suspicious?  I'm hanging up now and calling my bank's ACTUAL Fraud department now."
