“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” according to a copy of the lawsuit reviewed by Reuters. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”
It is easier to gain access by conning the right person into giving you access than pretty much any other means.
Kevin Mitnick’s book is full of this.
Social engineering is definitely the number one way to gain access, but it should take a bit more effort than just directly asking, ‘hey, can I have your password?’
You can go almost anywhere with a scuffed hard hat, dirty high vis vest, a ladder, worn tool belt, and a clip board.
You can get a lot of people to give you their user login and password with the right email and professional format.
The fact that there are people out there who scam people into giving them thousands of dollars in iTunes cards, gift cards, etc. with a threatening phone call claiming to be the IRS or police should tell you that the appearance of authority is a powerful persuasive tool that can convince a lot of the population to go against logic and reason to do what you want.
I don’t know if you are old enough to remember the Nigerian Prince email scam, but they only had to include spelling or grammar errors to weed out anyone smart enough to be immune to their grift.
50% of people in the US are below the average IQ of 97.4. 14% have an IQ of 70-85 and they work at every company and will fall for scams without much effort.
So yes, people will just give you a password and username if you ask them the right way.
In high school, some friends essentially did the same thing. They fired up the tech support chat, using a real customer’s username that the company included in a screenshot on the homepage as part of their product demo, and told support they needed them to send over the password because so-and-so was out of the office and they needed access. Support sent along full credentials. The software in question was a messaging app that my friends wanted to use on the school computers to chat while in class. Very innocuous, and no real harm or national security concerns.
FBI eventually got involved, and friends got put on double secret probation at school as a result. The dean of students later made an announcement at an assembly that he recently had to expel two students for “sending an email to California”, all this while I was actively sitting next to one of said “expelled” students during the assembly.
Since they were both minors at the time, no real long-term issues came from it. One even worked for the feds for a while after college.
Yeah, using government property for a crime is generally not a smart idea. Lol
Clorox said the clean-up was hampered by other failures by Cognizant’s staff, including failure to de-activate certain accounts or properly restore data.
They snuck this in the last paragraph.
That’s ironic.
Having worked with Cognizant contractors before, this is pretty on brand.
It seems that this is not the first time someone had asked for a password. Perhaps it was the first time the hacker asked for it.