Let's face it, we've all been targeted by scams at some point these days. It happens so often that I am able to spot it pretty quickly. But this time, I was almost fleeced.
Let me set the stage before I share my story here. I am an IT consultant/architect and have been in this field for over 20 years now. I consider myself pretty knowledgeable, more than your typical savvy tech user. In my line of work, security is paramount. Whether it's around architecture, implementation, or ongoing management and operations, security is top of mind.
I have been fortunate enough to work remotely since before the pandemic, and I practice what I preach. My network is segmented, ensuring my critical office equipment is separated from the fun stuff (think smart TVs, garage door openers, mobile devices, etc.), you know, the stuff that's a little bit harder to protect because it is not fully under my control. MAC address filtering is enabled as an extra precaution. Guest users are welcome to connect, but they land in an isolated network that is time-based. I run intrusion detection and prevention at my edge and secure my DNS by blacklisting malicious categories, servers, and so on. IP reputation GeoFencing is also enabled, as I am never going to be communicating with bad actor states. I have full visibility into what is coming and going in my network, and I have, at times, enjoyed watching the many thousands of attempts against my network to no avail.
So how did I find myself nearly compromising myself, my family, and even the company I worked for?
It all started with my 8-year-old daughter and her desire to send and receive emails to her Nana and aunties. I couldn't for the life of me find a good/free email address for her that she could continue to grow into. I decided to purchase my own domain and use it with my very own Google Workspace. This gave me the ability to choose whatever I wanted and still maintain control. I added in modern authentication with MFA and biometrics so my daughter wasn't burdened with remembering passwords, because, let's face it, she's 8. So the challenge was accepted and completed.
A week later, I was contacted by my ISP, stating they had noticed some unusual behavior on my network, and they asked if anything had changed since last week.
“Yes,” I responded emphatically. “No need to worry, I have it all under control. I made some recent changes to my router to support this fantastic setup I just brought to life.”
This is where things turned for the worse. “Sir, we are seeing malicious activity coming from your router and we are going to have to shut it down in order to prevent this from impacting our network.”
I briefly laughed on the inside because I run my own equipment and they have no access to it. But then it hit me: fear. Wait a minute, if this is true, have I just compromised the company I work for? All for a personal email address?!? The thought of this shook me to my core. I collected myself and started asking questions. I mean, the call came from my ISP (at least my caller ID recognized it as such).
“Who are you again? Can you verify your identity?”
He was polite and said he completely understood, and that he would send me a verification text and email. A moment later, I received the text and it resembled every other text/notification I have received from them in the past. I hadn’t received an email yet, since I am in the process of migrating my mailbox right now because I have my own fancy domain. That must be why I didn't get it, I thought.
Okay, now the fear is creeping back in. I am still not sure why my corporate security products didn't catch anything and my IPS/IDS hasn't caught anything.
“What are your suggestions?” I ask.
“Well sir, we need to do a full scan of your network to understand the extent before we can provide any further guidance. Since you own your own equipment, we cannot do it remotely. Please go to our company portal to run our security tools.”
A link was provided, but wait a minute, this is a tiny URL, the kind you shorten to make it easier for your users to navigate. This doesn't seem right. I popped the tiny URL into an online security checker to be sure. To my surprise, it came back clean! I still don't trust this; it seems phishy to me.
I explained that I do not feel comfortable entering this unknown URL into my browser, especially if I had already been compromised. Give me the full URL please. And that is when all my fear was cast aside. The URL given was for a site to download remote access software that was commonly used for hacking. You almost had me sir, not gonna happen, have a nice day.
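The check that ended this call, getting at the real destination of a shortened link without opening it in a browser, can be done mechanically. The following is an added example, not code from this post or from Gotham: it walks the redirect chain of a short link with HEAD requests, reading only each hop's Location header (the standard library's http.client never follows redirects on its own, so every hop is explicit), and then compares the final hostname with the domain the caller's organization is expected to use. The domains short.example, redirect.example and isp-example.net and the response table are constructed placeholders; the real network fetch is included but the demonstration runs entirely against the constructed table.

```python
"""Expand a shortened URL hop by hop without rendering the final page."""
from urllib.parse import urlsplit, urljoin
import http.client

MAX_HOPS = 10
REDIRECT_CODES = (301, 302, 303, 307, 308)


def http_head(url, timeout=5):
    """Issue one HEAD request and return (status, location) without following it."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "link-checker/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_short_url(url, fetch=http_head, max_hops=MAX_HOPS):
    """Return the list of URLs in the redirect chain, starting with the input.

    Stops at the first non-redirect response, a missing Location header,
    a redirect loop, or after max_hops redirects.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:                     # redirect loop: stop here
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def host_matches(hostname, expected_domain):
    """True if hostname is expected_domain itself or a subdomain of it."""
    hostname = (hostname or "").lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return hostname == expected_domain or hostname.endswith("." + expected_domain)


def assess_link(url, expected_domain, fetch=http_head):
    """Expand the link and say whether it ends on the expected organization's domain."""
    chain = expand_short_url(url, fetch=fetch)
    host = urlsplit(chain[-1]).hostname
    verdict = "matches" if host_matches(host, expected_domain) else "MISMATCH"
    return {"chain": chain, "final_host": host, "verdict": verdict}


# Constructed offline responses standing in for a shortener and two destinations.
FAKE_RESPONSES = {
    "https://short.example/abc123": (301, "https://redirect.example/go?x=1"),
    "https://redirect.example/go?x=1": (302, "/download/agent"),
    "https://redirect.example/download/agent": (200, None),
    "https://short.example/legit": (301, "https://support.isp-example.net/tools"),
    "https://support.isp-example.net/tools": (200, None),
    "https://short.example/loop": (302, "https://short.example/loop2"),
    "https://short.example/loop2": (302, "https://short.example/loop"),
}


def fake_head(url):
    """Offline stand-in for http_head backed by the constructed table."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for link in ("https://short.example/abc123", "https://short.example/legit"):
        result = assess_link(link, "isp-example.net", fetch=fake_head)
        print(" -> ".join(result["chain"]), "|", result["verdict"])
```

The point of resolving hop by hop rather than fetching the page is that a HEAD request returns headers only, so the downloadable payload at the end of the chain is never retrieved, and the verdict rests on the one thing a caller cannot talk you out of: whether the final hostname belongs to the organization they claim to represent.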
To sum it up, I made some changes to my home network and received a call from what appeared to be a known source. They had the correct timeline to back it up, and even responded with a text that was in the exact format I would expect. All this, coupled with the gut-wrenching fear of me being the potential root cause of compromise at my company, was how I was almost hacked. All it takes is a simple misstep to unravel all of the security tools, protocols, and processes that are in place.
I am thankful for Gotham's Security Practice, and all of the continuous security knowledge training they provide, as it has instilled in me to never trust, always verify.