Redbanc is a Chilean company who provides transaction processing services to the main banks in that country, fulfilling an extremely important role in the economic sector.
During the last few months, it was revealed that a company’s IT worker was victim of a social engineering attack, when he received a job proposal through the social network LinkedIn.
This information reached senator Felipe Harbor, who has asked for an official communication to the company through Twitter.
“I am informed that by the end of December @redbanc suffered an informatic attack on its banking interconnection network. It would be good for the company to show the magnitude, risks and control measures of such attack. “- Felipe Harboe (@felipeharboe) January 8, 2019
The attackers pretended to be recruiters who were looking for people to perform as developers. Once the victim contacted them, they agreed to a video call via Skype. During the meeting, the attackers sent him a file called ‘ApplicationPDF.exe’, which the victim had to complete to finish the application. This occurred within the corporate network.
If it wasn’t for the security systems implemented by the company, the attackers could have accessed the internal network and harm the business in multiple ways. Theft of customer information (PII), theft of credit card information (PCI), denial of service, deterioration of the corporate image, could be some consequences that would have happened if this attack was carried out successfully.
How is it possible for IT employees themselves to fall into this trap?
Cybercriminals use a form of social engineering known as phishing, that, in this case, involves creating scams through social networks, which are difficult for anyone to detect. This type of attacks does not require great technical knowledge (a penetration test is not carried out, at least in the first stage).
Even if the employee works in the IT area, he has the same needs and weaknesses as any other person (aspirations, acting with confidence, etc.). A climate of security awareness at a corporate level is required to reduce the probability of incidence facing this threat.