I was recently engaged to do a penetration test on an RIA. The primary goal was to detect and identify sensitive or leaked information from the company, as well as see whether an external attacker could gain access to portfolio management software (PMS). I also wanted to perform a human risk assessment before we enrolled them in our training program.
With access to the PMS, I could alter transactions and cashiering to reroute client funds into accounts that I control.
When conducting OSINT research on this firm, I discovered and gathered several usernames and passwords that its employees used to log into their custodian. Due to a misconfigured Office365 sharing setting and a careless CCO who did not verify the “sharing” permissions on the document or the user, the username and password I collected had been accidentally made public and searchable by anyone who knows how to Google Dork. (Yes, Google Dorking is a real thing. Google it.)
This isn’t remarkable; improperly shared sensitive documents are one of the first things I check for in these sorts of engagements.
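The root cause described above is a document shared with an "anyone with the link" setting. The script below is an added example (not code from the original post or from MTradecraft) that audits a batch of file-permission records for exactly that condition. It assumes the records have the shape of Microsoft Graph `permission` resources as returned for a OneDrive or SharePoint item (a `link` object with `scope` and `type`, a `roles` list, and an optional `expirationDateTime`); the items and permissions in `SAMPLE_ITEMS` are constructed sample data, not output from any real tenant.

```python
"""Flag OneDrive/SharePoint sharing links that expose a file beyond named users.

Added example, not from the original post. Assumes Microsoft Graph-style
`permission` records; sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Graph reports a sharing link's audience in link.scope. "anonymous" is the
# "anyone with the link" setting that ends up indexed and dork-able;
# "organization" is every account in the tenant; "users" is named people only.
RISKY_SCOPES = {"anonymous": "HIGH", "organization": "MEDIUM"}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

# Words in a file name that suggest the content is credential material.
SENSITIVE_WORDS = ("password", "credential", "login", "custodian", "2fa")


@dataclass
class Finding:
    item: str
    scope: str
    link_type: str
    severity: str
    reason: str


def looks_sensitive(item_name: str) -> bool:
    lowered = item_name.lower()
    return any(word in lowered for word in SENSITIVE_WORDS)


def classify(item_name: str, permission: dict) -> Optional[Finding]:
    """Return a Finding if this permission over-shares the item, else None."""
    link = permission.get("link")
    if link is None:
        return None  # a direct grant to a named user or group, not a link
    scope = link.get("scope", "")
    severity = RISKY_SCOPES.get(scope)
    if severity is None:
        return None  # "users" scope: only the listed recipients can open it
    reasons = [f"sharing link scope is '{scope}'"]
    if "write" in permission.get("roles", []):
        reasons.append("link grants edit rights")
    if permission.get("expirationDateTime") is None:
        reasons.append("link never expires")
    if looks_sensitive(item_name):
        reasons.append("file name suggests credential material")
        if scope == "anonymous":
            severity = "CRITICAL"  # public link on what looks like a password file
    return Finding(item_name, scope, link.get("type", ""), severity, "; ".join(reasons))


def audit(items: list) -> list:
    """Audit every permission on every item; worst findings first."""
    findings = []
    for item in items:
        for permission in item.get("permissions", []):
            finding = classify(item["name"], permission)
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed sample: four files with the kinds of permissions Graph returns.
SAMPLE_ITEMS = [
    {"name": "Custodian logins.xlsx", "permissions": [
        {"roles": ["read"], "link": {"scope": "anonymous", "type": "view"}}]},
    {"name": "Q3 newsletter.docx", "permissions": [
        {"roles": ["write"], "link": {"scope": "organization", "type": "edit"},
         "expirationDateTime": "2030-01-01T00:00:00Z"}]},
    {"name": "Client list.xlsx", "permissions": [
        {"roles": ["read"], "link": {"scope": "users", "type": "view"}}]},
    {"name": "Budget.xlsx", "permissions": [
        {"roles": ["read"], "grantedToV2": {"user": {"displayName": "CCO"}}}]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ITEMS):
        print(f"[{f.severity}] {f.item}: {f.reason}")
```

Run against a real tenant, the only change needed is to replace `SAMPLE_ITEMS` with the permission listings pulled from Graph for each drive item; the classification logic stays the same. A "CRITICAL" hit is the case in this post: a publicly reachable link on a file whose name already says it holds logins.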
I chose “Sharon” as my target because she had identified herself on LinkedIn as the firm’s “portfolio assistant,” and she was very active on several social media sites. Aside from that, she was a completely random choice of a target.
From my research I discovered that the firm’s PMS required two-factor authentication (2FA) for all users, so I knew that her credentials alone were not enough: I would also need the rolling 2FA code tied to her account to get into the PMS.
By phishing Sharon, it took less than a day for me to get access to the firm’s PMS. Here is how Sharon was taken down in a nutshell. To protect the guilty, the company and employees’ names have been altered or blacked out in this narrative.
Call #1 –
I dialed Sharon as “Dave” who is interested in opening a new account.
(Shortened for Readability)
Dave – Hi Sharon – I am interested in opening an account with you folks. If I do, where do you keep my money?
Sharon – We use [REDACTED CUSTODIAN NAME] as the custodian for our accounts.
Dave – Ah! [REDACTED CUSTODIAN NAME]! I already have an account with them, so great. My current advisor uses them, so will it be an easy transition if I move my accounts? Since the accounts are already there, how do I switch them over to be managed by your firm?
Sharon – It is pretty easy. I will send you some paperwork to fill out and then I will fax those up to [REDACTED CUSTODIAN NAME].
Dave – Excellent! And in the meantime I can email you my PDF statement so that you can get the ball rolling with onboarding?
Note: In the example above, I’m setting Sharon up to receive a PDF containing key-logging malware. At this stage, I’m still unsure how I’ll get access into the system, so I’m planting this seed.
Sharon – Sounds great. My email address is [***@***.com]
Dave – Great. I will send that over soon.
And, to be honest, I’m not entirely sure what I’m going to do in the long run. So I get on the phone with another advisor who is not connected to the firm but who does use the same custodian.
Call #2 –
I called a different RIA that uses the same custodian.
A young woman named Allison picked up the phone. According to her LinkedIn profile, Allison was a recent graduate working as a trade desk assistant, and she was 28 years old. She had dropped out of film school and frequently posted her opinions about movies on several social media sites.
Dave – Hi Allison, you might not be the right person and I am sorry for the distraction, but I am hoping you can help me out for 5 minutes. I found you on LinkedIn and saw you went to film school, which is why I am reaching out. I am a movie director and I am working on a film and I am needing someone to interview for some background. The film involves an investment firm that experiences a cyber attack and loses the client’s money. I need someone’s expertise to make sure my movie fits the real-life scenario since I know little about cybersecurity. I know you are very busy, but would you perhaps have a few minutes to answer some simple questions for my project?
Allison– Sure, I would love to help. What kinds of questions do you have?
I start in with my BS questioning….
Dave – Well, I know what it means to balance a portfolio. That means sometimes you have to sell some holdings and buy others to make the portfolio balance. I get that. But what I don’t understand is HOW you make the trades in those portfolios.
Allison– Well…it’s really not that complicated….
(Allison goes on for 15 minutes telling me everything I need to know about how she uses [REDACTED CUSTODIAN]’s PMS)
Allison was awesome. She conveyed, in depth, every detail of how they access their portfolios, how they access the systems, how they make new accounts, how they get reports printed, and how they protect the information with 2FA.
Call #3 –
I called Sharon once more. This time as Chris Johnson, a customer service rep from [REDACTED CUSTODIAN]. I asked Sharon if she had a few minutes for a customer satisfaction survey in exchange for a gift certificate to her favorite restaurant, Chick-Fil-A (according to Facebook).
Chris – Hi Sharon – This is Chris Johnson with [REDACTED]. I am conducting a customer satisfaction survey and wanted to see if you had 4 minutes to answer some questions about your satisfaction with our service. We are sending all respondents a coupon for a free lunch at Chick-fil-A. Would it be OK if I ask you a few questions?
Sharon – Sure thing.
[Sharon was enthusiastic to help…and sounded excited for the break in her routine]
Chris – First off, are you authorized to use the [REDACTED] PMS system?
Sharon – Yes.
Chris – Great!
- Okay, what hours are you guys in the office?
- How many employees dial into Fidelity?
- How often do you call us?
- Is there anyone in particular you like to talk to?
- Did we ever fail to meet your expectations?
- How is our response time to your issues?
- Do you have any suggestions on how we can improve?
[Sharon answers them all and is very pleasant and happy throughout]
Chris – Thanks, Sharon. I really appreciate your help and your time. Let me save your answers in my survey and get that gift certificate over to you in an email. One second, please…
Chris – (Pausing….) Hmm…that is interesting. Are you sure you are an authorized employee on the PMS system? I don’t see your name here.
(I asked this in a puzzled or questioning tone since victims are always eager to clarify or demonstrate their rightness when called into question. They become blind when you ask them to validate themselves.)
Sharon– Yes, I am authorized on all accounts.
Chris – OK, that is strange because I don’t see your name listed on the account.
Sharon (acting somewhat insulted and annoyed) – Well, there is something wrong there because I have been here for 7 years and call the [REDACTED CUSTODIAN] team every day; usually for several hours each day.
Chris – There is no doubt from me Sharon. This is a frequent problem and one of the side-reasons for my call, actually. I want to make sure we have the most accurate records so let me research and get that updated for you. Give me one second to get you added here. I am going to go and pull the actual physical paperwork from our archive and then get you added back in. I am so sorry for the inconvenience here.
Sharon – {laughs and sighs}
[I allow 45 seconds of no talking with lots of typing in the background. I have an extra loud mechanical keyboard (hat-tip Shinobi Keyboards) that I use for this work to make sure the victim can hear. The overall goal here is to have Sharon swing from an agreeable state of mind, to a confrontational mindset, and back to a passive mindset. Essentially, I want to wear her out mentally so that her guard goes down on this call.]
Dave – OK, I see your authorization paperwork right here. Sharon Smith. I found it. No problem. Let me get you added to the official record again. I’m not sure how it was removed because I see where you were authorized previously. Honestly, it may have been a mistake I made when I pulled your record up, so I am sorry for that. They call me “Fat finger” around here with the way I accidentally delete records, so thanks for your patience on this.
[20 second pause]
Dave – OK, all set. Let me get your 2FA code set back up and authenticated. Can you please read me the current 6 digits from your 2FA device so that I can get that added back in and synced with the system?
Sharon reads the 2FA code.
Chris – Sharon?
Sharon – Yes?
Dave – This is Brian @ MTradecraft. We met a few weeks ago in your office.
After a long pause came a long exhalation of despair and concern; she understood how serious the problem was.
With that, the pentest was finished, and I had full control of the company’s $789 million portfolio in less than a day. Having the 2FA code enabled me to access the PMS system and take a screenshot as proof of my presence. Sharon was furious. Had this been the real world, she would have just destroyed her career and her employer.
Without proper cybersecurity threat training, this type of mistake happens frequently.
Background and Lessons here:
MTradecraft was hired to perform this penetration test. We agreed upon a month for the test, but not on any specific dates. Sharon was the first person who reached out to MTradecraft to schedule an introductory call for this penetration test. Sharon had also listened in during the initial meeting and knew that MTradecraft would be performing phishing tests.
Despite Sharon’s meticulous preparation and understanding, it was still quite simple to obtain those 2FA codes and steal the client’s money. She says she did not expect the attack to continue across several contacts, and she never imagined it would come over the phone.
Two things ultimately led to this epic and devastating compromise:
- The CCO had previously made a blunder by inadvertently publicizing critical information via the Share tools available in Office 365. This led to Sharon’s login and password being discovered after employing a variety of intelligence gathering techniques known as “Google Dorks”.
- Sharon neglected to use basic cyber security precautions that should be covered in the company’s cybersecurity education course. A 2FA code must never be read out or shared with anybody, even though this is clearly stated in the policy. This principle cannot be broken.
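The second lesson is easier to internalize once you see what a 2FA code actually is to the server: a short-lived bearer value that verifies no matter who types it in. The block below is an added example, not code from the original post or from the custodian's PMS. It implements RFC 6238 TOTP verification with the Python standard library and shows two things: a code read aloud at time t is accepted from anyone within the validity window, and a verifier that records the last consumed time step (as RFC 6238 recommends) at least rejects a second use of the same code. The secret is the published RFC 6238 test-vector key, not a real one; the user name and time values are constructed for the demonstration.

```python
"""TOTP verification with replay rejection (RFC 6238), as an added example.

Not from the original post. The secret is the RFC 6238 SHA-1 test vector
("12345678901234567890" in base32); user and timestamps are constructed.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30   # seconds per time step
DIGITS = 6  # code length

# base32 of the ASCII bytes "12345678901234567890" (RFC 6238 test secret)
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the TOTP code for Unix time `at` (HMAC-SHA1, dynamic truncation)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = at // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side verifier: accepts codes within +/- `skew` steps and rejects
    any code from a time step that the user has already consumed."""

    def __init__(self, secrets: dict, skew: int = 1):
        self.secrets = secrets          # user -> base32 secret
        self.skew = skew
        self.last_counter = {}          # user -> highest step already used

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        for delta in range(-self.skew, self.skew + 1):
            t = now + delta * STEP
            # constant-time comparison so timing does not leak digit matches
            if hmac.compare_digest(totp(secret, t), code):
                counter = t // STEP
                if counter <= self.last_counter.get(user, -1):
                    return False    # replay: this step was already consumed
                self.last_counter[user] = counter
                return True
        return False


def demonstrate() -> dict:
    """Walk through the two scenarios and return the outcomes."""
    read_aloud_at = 59                  # the code the user reads out
    code = totp(RFC_SECRET, read_aloud_at)

    # Scenario A: the user never logs in herself; someone else submits the
    # code 11 seconds later. The server has no way to tell who typed it.
    server_a = TotpVerifier({"sharon": RFC_SECRET})
    accepted_from_caller = server_a.verify("sharon", code, read_aloud_at + 11)

    # Scenario B: the user logs in first, then the same code is submitted
    # again. Tracking the consumed step makes the second attempt fail.
    server_b = TotpVerifier({"sharon": RFC_SECRET})
    own_login = server_b.verify("sharon", code, read_aloud_at)
    replay = server_b.verify("sharon", code, read_aloud_at + 11)

    # Outside the window the code is dead regardless of replay tracking.
    expired = server_a.verify("sharon", code, read_aloud_at + 61)

    return {"caller_accepted": accepted_from_caller, "own_login": own_login,
            "replay_rejected": not replay, "expired_rejected": not expired}


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

Scenario A is the post: nothing in the protocol distinguishes the account owner from a caller who was read the digits, which is why the policy has to forbid sharing the code at all. Replay rejection in scenario B only narrows the damage when the real user has already consumed the step, so it is a defense-in-depth check on the server, not a substitute for the policy.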