Hackers pose as employee and get corporate email password

Mar 2, 2015 23:59 GMT
Hackers posed as a company employee and received answers to security questions

A group of hackers calling themselves Team Hans managed to gain access to corporate information belonging to Canadian telecommunication and media company Rogers Communications relying mostly on their charm.

The hackers announced their success on Twitter and also provided a link to the information they grabbed, in support of their claims.

The dump is over 400MB in size and contains contracts with corporate customers, business emails, sensitive employee information (ID, documents), as well as credentials for the VPN (virtual private network), which would allow access to the internal computer infrastructure of the company.

"Ask and it will be given to you"

According to the hackers' account of the incident, published by DataBreaches, the intrusion was made possible by convincing someone from the support desk to provide the ID and the answers to the security questions for a mid-level employee (commercial account manager) by the name of Antonio Marino. To pull this off, the hackers pretended to be employees of Rogers Communications themselves.

After obtaining the sensitive information, they called back, this time impersonating Marino and asking for the password for the corporate Outlook account, which they got by providing the correct answers to the security questions, as required by the procedure.

Hackers' blackmail plan failed

Sifting through the employee’s emails, the hackers managed to reach the company’s internal network and exfiltrated all the data they deemed important.

Team Hans gained access to the corporate network on February 20 and tried to blackmail Rogers Communications for 70 bitcoins (currently $19,160 / €17,140) in exchange for keeping the stolen data private, but the company did not pay, so the hackers dumped everything into the public domain.

According to a statement from the company, Team Hans accessed business agreements that included business names, addresses and phone numbers along with pricing details. The contracts did not include personal information or other data that could lead to the compromise of banking accounts.