only add the amount of risk to the business that is actually required to demonstrate the vulnerability.
Either that, or you trigger an emergency alert scenario that goes out to all credit unions on behalf of the NCUA.
This happened during a penetration test being run by a company called "Microsolved" which was being conducted for a specific credit union.
This is a pretty clear example of how a poorly planned social engineering scenario can backfire: it falsely alerted thousands of people to a threat that did not exist, potentially wasting millions of dollars in preparation and in the execution of incident response plans for a non-incident.
Don't get me wrong, mock scenarios are great for testing plans. They are, however, not that great when they exercise the plans of organizations that are not involved in the penetration test.
Furthermore, the person at the credit union who was responsible for the pentest apparently went on vacation while the test was occurring:
"But, on the day the package was received, the person responsible for the test was out of the office. So the employee who received the suspicious letter, which bore a NCUA logo and the bogus signature of former Chairman Michael Fryzel, reported it to the NCUA fraud hot line."
The other part of this story that I found fascinating is the NCUA's response to all of this, which pretty clearly had little to no executive involvement, and wasn't reviewed by anyone with responsibility for security or compliance. They say, and I quote:
“Credit unions are not authorized to create facsimile documents bearing NCUA logos or signatures, or to improperly represent communications from NCUA, even during the legitimate conduct of business, such as a computer security assessment."
Seriously? The federally sponsored organization that supervises federal credit union activity is more concerned with improper logo usage than with the implication that it was tricked into sending out alert letters to nearly 8000 institutions.
I guess I'd better take this Kellogg's sticker off my sniper rifle. They might get the wrong idea about me being a cereal killer.