If your web site offers live chat, be prepared for hackers - "A Case Study"

Venustus

Live chat has become ubiquitous as a sales and support tool for software as a service (SaaS) or cloud based services. Entire businesses have been built around providing live chat, such as Olark (which my company uses) or Intercom. As the CEO and founder of a SaaS business (Sendwithus.com), I had very little question about if we should support live chat; it was just a question of how to offer live chat to our customers.

Like many enterprise platforms, we support adding multiple team members on an account and setting up user permissions like an account administrator. Early last year we were lucky enough to catch an attacker attempting to social engineer our live chat operator and gain access to a Fortune 1000 customer’s account. I say we were lucky because our typical attitude to support is customer focused, always looking to go the extra mile for a customer. I can imagine that, without certain conditions being met, we could have missed this.

For the uninitiated, social engineering is a form of fraud computer hackers often employ to gain access to information or systems by manipulating employees at their target company. An example of this is the 2013 credit card theft from retail mega chain Target.

In our case, the chat session started innocuously enough:

Further reading
 

DracusNarcrym

Social engineering sure is a jack-of-all-trades in a cybercriminal's toolkit.
If they can manage to almost bring down an entire corporation by manipulating just a handful of employees, it is certainly obvious what could happen in the case of endpoint users.
 
hjlbx

  • Add any internet facing applications, like chat, to anti-exploit protections (and Guarded Apps list if you use AppGuard).
  • Chat apps should be configured to Low Integrity like Internet Explorer (contact chat app publisher directly and ask them what to do for easiest results = let them do the work or slug your way through the discovery process of how to do it).
  • In the browser chat should be at the same integrity level as the browser - which should be Low Integrity by default or custom configured to run at Low Integrity.
  • Internet Explorer is already set to Low Integrity.
  • Firefox can be configured to operate at Low Integrity.
  • Chrome - I have no idea - since it uses its sandbox I am not sure how privileges work in it.
  • Opera can be configured to operate at Low Integrity.

Search online for tutorials for setting Firefox or Opera to Low Integrity.
 

DracusNarcrym

Core components of the Windows security architecture, such as the integrity mechanism, very often go unnoticed by IT staff responsible for the implementation of security measures in work environments.

After all, it's all a matter of proper research in the already well-established documentation pages provided by Microsoft, since all the necessary utilities for configuring those security mechanisms are provided by the Windows installation by default.

In the case of potential attempts at compromising a system by means of social engineering, i.e. manipulating endpoint users, the integrity levels configured should shield the targeted endpoint system from the manipulated user's actions or from the actions of a compromised application.
 
hjlbx

They don't do it because it requires a lot of time and effort.

So, inconvenience is the primary deterrent.

Install security soft X-Y-Z and expect it alone to solve all vulnerabilities.

I haven't hardened my OS, because doing so is a long, drawn out process... LOL.
 

DracusNarcrym

Well said.

As for the OS-hardening part, I believe we share the same... "opinion". xD
 

jamescv7

Live chat is sometimes definitely a hassle due to the formality of the process, besides the security risk, so indeed if you want to seek help or make some inquiries, make sure that the purpose is something like terminating the contract or requesting a rebate or something like that.

Because computer-related problems you would seek help for can be solved on your own or by a known enthusiast.
 

Cats-4_Owners-2

I enjoyed this thread! My wife, who dropped her smartphone early this morning (it now looks as though :eek: ink was spilled upon her display :oops:), was just speaking, though not chatting, with our provider's customer service dept. They "verified" she was who she claimed to be by asking her to log onto her account, and they "used proper channels" by verifying her replacement transaction through her email. She then intently appreciated my sharing directly from this thread's example of the fail-safes set in place to prevent client companies from falling victim to social engineering & fraudulent :confused: lies! :mad: ;) ..and this time my voice didn't put her to sleep either! :p
Agreed! :)
I look forward to canceling our satellite TV in just this way, & a rebate o_O would be marvelous! :D
 
