They hacked the CEO!
This week, I received an email from the CEO of a well-known customer experience outsourcer. Nothing particularly unusual about this, considering my job, but a few things stood out. See if you can spot anything suspicious in the following:
Review this [company name] document i uploaded for you carefully.
View here [link], IT IS THAT IMPORTANT!
…and then the actual email signature of the CEO in question.
Yep. That’s right. The email account of the head honcho of a renowned outsourcer got hacked (whether remotely or on-premise, I don’t know: the result is the same). What was at the link, I have no idea; I didn’t click on it to find out. I’m betting it wasn’t an iTunes voucher.
Once I had picked my jaw off the floor, I replied to the account, explaining that I was assuming it had been hacked and that I wasn’t going to open the file, but that if I was mistaken and the CEO could confirm with a phone call that he had indeed sent the email, I would of course be happy to do so. Within a few minutes I received the following:
Thanks for your email – please ignore this message from [the CEO] and do not attempt to open and follow the link.
This is Spam and we are investigating the root cause and believe we now have this under control to stop it sending any more messages.
Sorry for any inconvenience.
XXX (for and on behalf of [the CEO])
Well, that’s reassuring…
Now, if we were a different kind of publication – a breaking-news site, for example, rather than a more journal-esque thought leadership suite – this would have been absolute gold for us. The potential for sensationalism is obvious, and I certainly wouldn’t be anonymising the organisation here. Why am I doing so now? The fact is, I don’t see anything to be gained from naming and shaming here, and plenty to be lost (and just in case you were wondering: no, the provider in question isn’t an Outsource client…).
I think there are plenty of lessons to be taken from this. One is that, clearly, at least one biggish player in the call centre space needs to take a reeeeeeeeeeeeeeeeeally long look at its security policies. For something like this to happen, something’s gone seriously wrong. We shouldn’t succumb to the fallacy of hasty generalisation and tar the whole industry with the same brush, but it is to me deeply concerning that even one incident like this could take place and I hope other providers can take this as a warning not to rest on their infosec laurels.
But, for me, there’s a bigger, if less obvious, lesson here. Let’s return to the original email. It came from the real email account of the CEO (i.e. it wasn’t a scam account set up with a similar name, etc.), verified in part by the fact that I had previous communication with him from that same address. It had the logo and email signature of the CEO embedded in it. It seemed, to all intents and purposes, legit.
What made its lack of legitimacy apparent was the message itself. It just doesn’t seem right: whether it’s the desperate block capitals of “IT IS THAT IMPORTANT!”, or the simple lack of courtesy in the command to review the document (which I wasn’t expecting, itself probably the biggest flag of all), this just doesn’t come across as a genuine email from a CEO to a member of the press. (It was also a BCC, but I could let that slide as it wasn’t a personalised greeting anyway.)
What if, however, instead of the above drivel, I’d received the following:
I trust you are well and enjoying much-merited success in 2015 thus far. Here at [provider X] we’re going from strength to strength with new wins in the aerospace and automotive sectors and a new office opening up in South Africa later this month.
I thought you might be interested in hearing a presentation I gave recently at [conference X] on our latest Impact Sourcing initiative. This is a big area for us for the foreseeable future and I hope I’ve given, in this talk, a few reasons why – and some insight into the way we’re changing lives whilst adding to our clients’ bottom lines. You can see the presentation here [link to Hell], and I would really appreciate your feedback if you would be so kind as to spare a few minutes at some point.
Or something like that…
Now, I’m not saying you would be foolish enough to click on that link; but I might. I probably would, actually. No, I definitely would. Coming from a CEO of a company of note I would consider it remiss of me not to, all things considered. And I’m sure I’m not the only one.
So the only thing standing between me and a potential security breach (or, admittedly, some iTunes vouchers) is my own ability to discern legit from BS – and if the message had been less obviously the latter, I would have fallen for it. The irony then is that whoever has compromised the CEO’s security has done all the hard work only to be let down by sub-standard content. It’s like (or should have been like) landing a manned rocket on Mars and then not having a stepladder down to the surface.
Moral of the story: good, well-written content is absolutely indispensable, even for cybercriminals.
Oh, yeah, and: sort yourselves out, Company Who Shall Not Be Named. Seriously. #infosecnotonfleek