A large domain name registrar and a hosting provider contacted HackControl at about the same time. According to the customers, despite a high level of standardization of all employee actions and a regulation covering communication scenarios with clients, unauthorized actions on clients' domains had become frequent.
The internal audit showed no problems, and it was decided to have socio-technical testing conducted by a third party. So we signed a contract for Phishing Simulation and Social Engineering. As part of the testing, a mailing to the customers' employees was conducted in order to obtain classified information and gain unauthorized access to their corporate resources.
Over the course of a month, all employees received phishing emails impersonating popular web services and internal system alerts.
As a result of this phishing mailing, we obtained a number of employees' usernames and passwords which matched the working passwords of their corporate email accounts. Despite the success of the attack, access to the internal infrastructure on the client's side was not obtained, due to additional restrictions introduced by their IT staff (trusted devices and trusted IP addresses).
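The restriction that stopped the attack is worth making concrete: a correct password alone is not enough, the login must also come from an allowlisted network and a registered device. The following is an added illustration of such a policy check, not code from HackControl or from the customers' systems; the CIDR ranges, device identifiers, the user "alice" and her password "Summer2020!" are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed policy data (assumed for the example, not from the case study):
# office and VPN ranges that are allowed to reach the mail system, and the
# device identifiers registered per user.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress range
    ipaddress.ip_network("10.0.0.0/8"),       # internal / VPN range
]
TRUSTED_DEVICES = {"alice": {"dev-laptop-7f3a"}}


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256; the work factor is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: one employee whose password the phishing mailing captured.
_ALICE_SALT = b"constructed-salt"
USERS = {"alice": {"salt": _ALICE_SALT, "hash": _derive("Summer2020!", _ALICE_SALT)}}


@dataclass
class LoginAttempt:
    username: str
    password: str
    source_ip: str
    device_id: Optional[str]   # None when the client presents no registered device


def evaluate(attempt: LoginAttempt) -> str:
    """Return 'allow' or 'deny: <reason>'.

    The reason is meant for the audit log, not for the login response:
    the client should only ever see a generic failure.
    """
    user = USERS.get(attempt.username)
    if user is None:
        return "deny: unknown user"
    # Constant-time comparison of the derived hash against the stored one.
    if not hmac.compare_digest(_derive(attempt.password, user["salt"]), user["hash"]):
        return "deny: bad password"
    # Credentials are valid from here on; this is exactly the point where the
    # phished passwords in the case study were stopped.
    ip = ipaddress.ip_address(attempt.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        return "deny: untrusted network"
    if attempt.device_id not in TRUSTED_DEVICES.get(attempt.username, set()):
        return "deny: untrusted device"
    return "allow"


if __name__ == "__main__":
    # Phished credentials replayed from an attacker-controlled host.
    print(evaluate(LoginAttempt("alice", "Summer2020!", "198.51.100.7", None)))
    # The legitimate employee from her own laptop in the office.
    print(evaluate(LoginAttempt("alice", "Summer2020!", "203.0.113.42", "dev-laptop-7f3a")))
```

The order of the checks matters: the password is verified first so that the network and device checks only run for authenticated users, and all three must pass before access is granted. In a real deployment the "deny" reasons would be written to the audit log, where repeated "bad password" or "untrusted network" entries for the same account are exactly the signal that a phishing campaign has succeeded in harvesting credentials.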
After the testing, the customers were invited to take part in our anti-phishing training run by our security experts, and were also advised to hold internal meetings with their staff on the issue, thereby significantly raising their level of cybersecurity awareness.