LICOMPGUY

asked:
iphone text compromise - any thoughts? Spoofed phone #

Hey all

I have a really unusual one. A client, president of a company, great guy, uses an iPhone. Three employees received a spoofed text message from another number (not the president's), stating it was from the pres. They managed to put his creds in the text (CEO etc., company name), which you wouldn't normally put in a text.

This is not an e-mail but a text.

I can only think of the following scenarios.

1. The sender's phone was compromised with a trojan, and someone was able to get his contacts. It does sync with iCloud/Outlook as well, but e-mail was not compromised.

2. A recipient he corresponds with had their phone compromised.

3. Verizon may have been compromised.


I can only think of the following options

1. Wipe out his phone; he may want to bring the data back down from iCloud, so it could bring a malicious file/app down.

2. Wipe his phone and re-enter all contacts manually.

3. Change his phone #.

4. Wait and see.

5. Additionally, of course, have him change his e-mail password as well, although I don't believe it is related; they have Proofpoint in place etc.


NOTE: Even if he changes his phone # and goes with a wiped phone or new phone, the miscreant could already have his contacts; the text was sent to 3 employees that were in his contacts.

I still think it may make sense to wipe the phone to confirm it is clean. I wouldn't think resyncing it with Outlook could bring back a virus, but not sure.


Thoughts/ideas?


Not sure how you can track a text message, unlike header info, SPF/DKIM/DMARC settings etc.


serialband

You can send a text from any number and spoof it. The phone numbers can also be spoofed. There is no security measure for text messages, and there's not much you can do about it if they already have a company contact list. Train the users not to click on or respond to texts from unknown numbers, and block them.


Don't use SMS for important or "secret" information. Use WhatsApp, Line, Signal, or anything with full end-to-end encryption for messaging. Use an app that has a way of verifying the user.


SMS is extremely insecure.

LICOMPGUY

ASKER
Hey Serial


I hope you have been doing well. What I can't figure out is how they could have gained access to 3 people in his contacts. That is what bothers me. All three people would have at one point or another texted all/any of the individuals, so we actually wouldn't have a clue as to where the compromise took place. The president's phone could be completely clean! How would you proceed? Monitor for now? One of the emps is now an ex-employee, so her phone is off limits physically. Probably not worth wiping his phone - agreed?

Do you suggest to clients that they use secured apps for texting? I guess it is difficult to have people change what they are used to using from their carriers.


Thanks so much for your reply!

In a security bubble (CEO plus top managers and finance), all phones should only use official apps and a secure way of communicating (of which SMS/TEXT is NOT one). That would mean Telegram or Signal, and not trusting anything else. Set up all contacts, create the groups. After that, nothing changes, and any change will be suspect.

Just know, even then, for bigger decisions, still PHONE CONTACT. CONFIRM BY VOICE. That is because if someone falls for a phishing/social engineering scam, such a text could still be from someone else.

Don't blindly wire millions of dollars to another company, just based on a secure line of communication, ALWAYS double check (yes it happened before to big companies).

And for other things, just make sure all your cloud services have MFA enabled. If the phone was compromised, it wouldn't be a spoofed message, it would be the real message from his phone.

If it's just 3 individuals, how do you know there is any compromise at all? I would think that if there was a compromise of his phone, the SMS would have gone out to everyone in his contact list, not just 3 people. With a target group so small, it could simply be someone with knowledge of those 3 people's numbers.



Hey Kim

He uses his one phone as his only means of texting all friends/family/business associates. Nothing legitimate was ever discussed in his text messages about payment, but I would imagine that might be the intent of the person texting as if he is the CEO, with a signature within the texts to the recipients that he is CEO. He never does sigs in a text, or requests fund transfers.

I am just curious how the addresses were obtained, as well as if there was a way to trace it. Thanks so much for your suggestions and feedback!


Hey Gr8gonzo

Thanks for the reply; yet another good point you have. It "appears" like a compromise because 3 individuals (two of which are current employees, one is no longer) received the text, but we don't know if anyone else has.

Can't really think of anyone who would do it intentionally, so I was trying to play tech detective to see how we can find out how this miscreant was able to obtain the addresses.


Thanks for your reply!

Before being too concerned, consider two things:

1. How it was done

2. What impact it has


How

Does the company have a website and/or LinkedIn etc., which would reveal the CEO's name and possibly e-mail address? Could that same place also reveal the other users who were targeted?

If yes, that's all that is needed to create this scam. Unless you feel the SMS message included info that could only have been taken from the CEO's phone, I'd stop assuming the phone has been hacked.


What impact

It's good to be cautious, but if the staff spotted something was wrong and didn't fall for the scam, I'd give them a big well done, possibly even a small bonus, and use it as a teaching exercise for the entire staff.

No harm in encouraging a password change or some AV/malware scans, but I don't see any need to wipe phones at this point.

Hey Steve


Thank you so much for taking the time to respond. Yes to the website, LinkedIn etc. The CEO's name is definitely showing. No cell #s are on the website; they used texting, not e-mail.


The only thing that "may" implicate the person's phone is that one of the people receiving the message was a former employee, and she would have been in his contacts. Actually, more likely than not she would have been in all other employees' local address books as well.


So far no damage. It could be the last of it. Just trying to decide if it makes sense to wipe his phone. I say change the e-mail password, see if there is an AV scan that can be run on an iPhone, make sure it is up to date, and monitor to see if it occurs again.

The concerning part is how the cell #s were obtained; that is what is bothering me.


Thanks!!




There are many ways in which the cell numbers could have been gained. Their numbers may be in their email signatures. They could be on websites or held in a 3rd party system. Maybe some cheeky devil has called reception and faked their way into getting someone's number. Social engineering methods are crazy but work so easily.


I'd say take sensible precautions on the CEO's phone/passwords etc., but don't go wiping stuff unless you have specific evidence the phone is the source (unless the CEO is happy to and doesn't feel it will cause any issue).

There are 3rd party companies out there that collate and list employee (mostly exec) names, positions, and contact information that they've gathered through websites and pretexting cold calls. If the caller reached out to an ex-employee, those numbers may have been gathered from one of those sites, which usually will have some outdated data, as not everyone will tell them when an employee has been replaced.


I got called several years ago by one of those companies. They started by asking if an ex-employee was working at the company. When they asked who the replacement was and started asking about other employees, I asked who they were and why they were calling, and looked up their company name. I had to cut them off and told them I couldn't provide details. Pretexting is quite devious.


When I hung up, I notified all the employees not to answer questions about who worked at the company without pre-authorization from HR. The page had a list of all the execs from a previous time. They had lists of employees from numerous companies. Many were scraped from corporate web sites and company incorporation, but also from pretexting calls.

Hey Serialband


Thanks so much again for sharing!

ASKER CERTIFIED SOLUTION
LICOMPGUY

Your question was asking for ideas, so the comments that provided ideas should be considered solutions. There were quite a few good comments from different people here, worth selecting as solutions (not mine, but others).