In an earlier post about how hackers attack the hotel back office, we mentioned several ways that cybercriminals breach the network, servers, and applications. In this post, we discuss one of the most sophisticated methods currently used by cybercriminals to steal information: social engineering.
Our preferred penetration testing partner, Netragard, describes in detail how they were able to compromise their customer’s network using a combination of social engineering, cross-system privilege escalation, VPN cracking and exporting data from the Credit Card Data Environment (CDE).
In a nutshell, the attack progressed like this:
- The external network safeguards were tested and found to be secure to the industry standard: properly configured modern switches and patched systems and firewall. This made initial penetration difficult and forced a more sophisticated approach
- Reconnaissance on LinkedIn showed a job posting for a senior security engineering position
- Through messaging on LinkedIn, permission was given to send a resume to HR
- HR received the resume, which was infected with a custom malware script that opened all permissions to the HR desktop
- HR sent the resume to the IT Manager for review, infecting the IT Desktop
- Netragard escalated privileges and found the CDE, but needed to infiltrate through the VPN to access data
- After accessing the CDE, they found there were no data export restrictions, and they were able to send the credit card data anywhere on the Internet
Our thanks to Netragard for the use of this material.
About the Author: Davis Blair is currently the co-founder of Hotel Defenders, a firm offering back office streamlining, security and monitoring services to the hospitality industry. Davis has been in the information technology industry for over 20 years, with VP-level experience in Information Services (IDC – VP/GM Asia/Pacific, Gartner Group – Group VP), Systems Integration Marketing (Neoris – CMO) and Managed Network Services (Blueprintrf – Consultant). He is a veteran of the Army Security Agency (332 ASA Operations Forward Korea).