It can happen to the best of us.
This story happened a decade ago, when I was working at a Fortune 10 company. “Smartest” is subjective, but most of my former coworkers and external customers agreed that the guy involved in this story was the “smartest” guy around.
One day, while preparing to watch the Super Bowl, he received an email from an employee of another company with whom he was working on a major joint project. The email said that the other employee had found a document related to the project they were working on and that he should read it. As he opened the document, he saw a quick command prompt box open up and close, almost too fast to really notice.
He was also surprised to see that the document had nothing to do with the project they were working on. As he closed the document, he wondered why the other project team member had sent it. “Oh, well,” he thought. He had more important things to do, as the Super Bowl was starting.
That “Oh, well” feeling is personified by the fourth and final Arcade Villain in our Cybersecurity Awareness Month rogues’ gallery this year: The Doppelgänger.
The Doppelgänger lives in many of us, telling us that simply ignoring a phishing attempt or a possible malware infection is best for all. They can look for all the world like someone we know, like someone to be trusted. But their call must not be heeded.
Back to Our Story
As the hours went by, our “smartest guy in the room” began to wonder about that quick little command prompt window he had seen open and close. He wondered whether it could have been part of a booby-trapped document, and whether what he had seen was malicious commands being executed in a flash.
But he hadn’t really seen anything. And if it was malicious, he worried about what the company would say about him being socially engineered into launching malware. He would be embarrassed. Everyone in the company thought he was so smart.
Another hour went by.
Finally, still bothered by the quick black command prompt window he had seen, he decided to report what had happened to the Help Desk. Within 30 minutes, the IT security team confirmed that a backdoor written in Microsoft PowerShell had been executed and was now installed on his laptop, waiting for the attacker who distributed it to connect to it. The other project team member’s email account had been compromised and used to send the rogue email with the booby-trapped document.
Luckily, the IT security team was able to determine that the attacker had not yet connected to the backdoor. Nothing on the laptop or network had been compromised. IT security then searched email for other instances of the backdoor trojan and found nearly 100 other emails targeting other executives within the company. Four of those had been executed, but, as with the original employee, none had yet been connected to by the attacker. None of those other instances had been reported, either.
It was only because the original victim reported it, albeit hours late, that the company likely avoided a compromise, unauthorized information disclosure, and potentially a bad ransomware event.
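As an added example (not code from the original post), here is the kind of check the IT security team’s sweep relies on: a small Python scan over process-creation events that flags an Office application spawning a command shell, scoring it higher when the command line hides the window or carries an encoded script. The event fields, host names, paths and the sample events are constructed assumptions for illustration.

```python
"""Flag an Office application spawning a shell, the pattern in the story above.
Events mirror a minimal process-creation record; the samples are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Options that hide the window or feed PowerShell an encoded script are what turn
# the launch into a black box that flashes and vanishes before anyone can read it.
HIDING_FLAGS = ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ")


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """'high' for Office -> hidden/encoded shell, 'medium' for any Office -> shell."""
    if basename(ev.parent_image) not in OFFICE_APPS or basename(ev.image) not in SHELLS:
        return None
    cl = ev.command_line.lower()
    return "high" if any(flag in cl for flag in HIDING_FLAGS) else "medium"


def hunt(events: List[ProcEvent]) -> Dict[str, str]:
    """Fleet-wide sweep once the first report lands: worst severity per host."""
    found: Dict[str, str] = {}
    for ev in events:
        sev = classify(ev)
        if sev and (sev == "high" or ev.host not in found):
            found[ev.host] = sev
    return found


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"  # assumed install path
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent("exec-01", OFFICE + r"\WINWORD.EXE", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell.exe -w hidden -enc <base64 placeholder>"),
    ProcEvent("exec-02", r"C:\Windows\explorer.exe", PS, r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent("exec-03", OFFICE + r"\EXCEL.EXE", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent("exec-01", OFFICE + r"\WINWORD.EXE", PS,
              "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64 placeholder>"),
]
```

Running `hunt(SAMPLE_EVENTS)` reports exec-01 as high and exec-03 as medium while ignoring the routine scheduled PowerShell on exec-02, which is the triage an analyst wants after a single user report comes in.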
Incident Reporting: The Antidote to The Doppelgänger
It is super important that attempted phishing and malware infections be reported to the appropriate organizational channels (e.g., the Phish Alert Button, IT security, the Help Desk, etc.), even if you only suspect something and cannot confirm it. Reporting suspected phishing and malware can only help the organization’s resilience. It allows IT to investigate the incident, confirm whether it is a real attack, and protect not only the original reporter but everyone else in the organization.
Reporting potential phishing or malware incidents is the safe thing to do. So, don’t listen to The Doppelgänger. Report all suspected or confirmed security incidents. Your report may save you and the company a lot of headaches and hassles.
