Scams are getting bolder and more intelligent all the time. Recently the BBC broke a story about a new piece of scareware which exploits people looking for pornography. The malware, which masquerades as a pornographic game, once downloaded and run takes screenshots of the victim’s internet browser history and uploads them to a central page. The victim is then informed that they have been caught breaking copyright law and asked to pay a fine to have the evidence removed, or else face a lawsuit.

If such an event were to occur in the workplace I am pretty sure the victim wouldn’t think twice about paying, believing that if he doesn’t this will surely lead to his dismissal once the situation escalates into a lawsuit. Granted that if an employee is browsing pornography in his workplace he might deserve that; however, scams tend to evolve and it’ll only be a matter of time before we start to see variations on this theme.

I also think that the monetary damage to employees is not the only danger a company might face. One must consider that these scammers are trying to make the victim believe that they are in contact with a lawyer. The scam preys on the fact that the victim has done something bad and potentially illegal, that lawyers have gotten wind of it and that they are trying to punish him. Additionally, anyone who follows the news knows that ignoring lawyers who are threatening you will not make the problem go away. Thus one can be sure the victim will make contact with the attacker. What we would have at this stage is a dangerous connection that can lead to an even more dangerous social engineering attack.

What’s a social engineering attack?

If an employee did something bad and believes he broke the law and got caught, then he will also be afraid that if his employers were to find out he would lose his job. On the other hand, if he believes that he is in contact with lawyers who are willing to make the problem go away, then there is no threat of him being dismissed from work. And this is what makes the perfect recipe for a successful social engineering attack. The victim will do anything to keep the lawyers (the attacker in disguise) happy. He will try to accommodate all their requests to prevent the situation from escalating, as he believes that if he fails to reach a settlement then a lawsuit against his workplace will be what comes next.

The final question is: What can an attacker have the victim reveal? That’s hard to tell as it often depends on the particular situation; however, let’s assume that this all started because of copyright infringement (maybe the victim was looking for music, or software).

The victim could be persuaded to hand over the license keys that the company uses for all its software as ‘proof’ that this was a single, isolated case. Taking it a step further, the attacker might ask for login credentials in order to do an “audit” and confirm that the company is not using other unauthorized software. A daring attacker might even ask for source code, blueprints, designs and other such things under the false premise that the attacker (i.e. the person the victim thinks is a lawyer) just wants to ensure that no patents belonging to the clients he is representing are being infringed. Employees will generally not fall for such attacks; however, in a situation such as this it is very likely that an employee will comply, believing that what he is doing is safe (in his eyes it’s lawyers running a routine audit) and that it will also help him avoid getting fired.

How can a business protect against such a situation?

There aren’t too many options against this kind of attack. Making employees aware of these kinds of attacks can offer some protection; however, if an employee is not concerned with company policies then it’s not very likely that he’ll be willing to risk his job by reporting the incident (since it likely resulted from him breaking company policy in the first place).

My belief is that in such a situation the only effective option would be monitoring. There are various monitoring techniques that apply to this scenario. Internet monitoring and possibly running a virus scanner on anything downloaded in the workplace might help protect employees and prevent them from becoming victims. Monitoring logs and outbound file transfers can detect when such an attack is in progress, so that it can hopefully be stopped before too much damage is done. Finally, monitoring user activity, while it might have a negative impact on employee morale, could actually prevent these kinds of scams from escalating, thus safeguarding the employee’s job.
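As an added illustration of the log-monitoring idea above (this is example code written for this page, not anything from the BBC story or from a particular product), the script below reads constructed proxy log lines and flags a workstation that fetched an executable from a domain outside the corporate allowlist and then, within a short window, pushed a large volume of data to an unlisted domain. The log format, domain names, hostnames, byte counts and thresholds are all assumptions chosen for the example.

```python
"""Example detection: executable download from an unlisted domain followed by
large outbound uploads from the same host. All data here is constructed."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: timestamp, client host, method, URL, bytes sent by client
SAMPLE_LOG = """\
2024-01-10T09:00:01 ws-0042 GET http://update.vendor-example.com/patch.msi 512
2024-01-10T09:05:10 ws-0042 GET http://free-games-example.net/hotgame.exe 640
2024-01-10T09:07:30 ws-0042 POST http://free-games-example.net/upload 2400000
2024-01-10T09:08:02 ws-0042 POST http://free-games-example.net/upload 3100000
2024-01-10T09:09:00 ws-0017 POST http://crm.corp-example.com/api/sync 5200000
2024-01-10T09:12:45 ws-0017 GET http://news-example.org/index.html 300
"""

# Assumed allowlist of domains the business legitimately exchanges data with
ALLOWED_DOMAINS = {"update.vendor-example.com", "crm.corp-example.com"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat")
UPLOAD_THRESHOLD_BYTES = 1_000_000   # assumed: more than ~1 MB out is unusual
WINDOW = timedelta(minutes=30)       # assumed: uploads this soon after a download


def parse_line(line):
    """Split one space-separated log line into a dict of typed fields."""
    ts, host, method, url, bytes_out = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "method": method,
        "url": url,
        "domain": urlparse(url).hostname,
        "bytes_out": int(bytes_out),
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_suspicious_uploads(events, allowed=ALLOWED_DOMAINS,
                            threshold=UPLOAD_THRESHOLD_BYTES, window=WINDOW):
    """Return (host, domain, total_bytes) for each host that fetched an
    executable from an unlisted domain and then sent more than `threshold`
    bytes to an unlisted domain within `window` of that download."""
    downloads = {}   # host -> timestamps of executable downloads
    findings = {}    # (host, domain) -> bytes uploaded after a download
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["domain"] in allowed:
            continue   # traffic to known-good domains is not scored
        path = urlparse(e["url"]).path.lower()
        if e["method"] == "GET" and path.endswith(EXECUTABLE_SUFFIXES):
            downloads.setdefault(e["host"], []).append(e["ts"])
        elif e["method"] in ("POST", "PUT"):
            recent = [t for t in downloads.get(e["host"], [])
                      if e["ts"] - t <= window]
            if recent:
                key = (e["host"], e["domain"])
                findings[key] = findings.get(key, 0) + e["bytes_out"]
    return [(h, d, b) for (h, d), b in findings.items() if b > threshold]


if __name__ == "__main__":
    for host, domain, total in find_suspicious_uploads(parse_log(SAMPLE_LOG)):
        print(f"{host}: {total} bytes uploaded to {domain} "
              f"shortly after an executable download")
```

In the constructed log only ws-0042 is flagged: its uploads go to the same unlisted domain the executable came from, while ws-0017's large upload goes to an allowlisted internal system and is ignored. The point of correlating the two events, rather than alerting on either alone, is to keep the alert rate low enough that a small team will actually look at it.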