Yeveny Kuznetsov, Security Professional

Simple Elegance of the Twitter Hack

The next time a salesperson says cold calls don't work, ask them if they understand how Twitter was hacked. It didn't start with some complex code: it was cold calls.

A 17-year-old from Florida was able to talk their way into enough access to take over Twitter accounts of Barack Obama and Elon Musk. Your BDC should be able to unload that Caravan. 

But that's not why dealers should care about the Twitter attack. Without proper and recurring training, any business can fall victim to a social engineering attack like the one that hit Twitter (technically referred to as a "phone spear phishing attack").

For the hacker, it's as simple as picking an existing vendor and providing the A/P clerk with some misdirection.

Here is an example of a phone spear-phishing attack we used in a penetration test of one dealership's cyber defense:

  1. Using the public-facing code on the dealer's website, we identified [REDACTED] as the vendor the dealer was using for service scheduling.

  2. Acting as the A/R team from [REDACTED], we placed a call to the Service Manager to let them know they could save money by switching to a new electronic payment system.

  3. After giving us a hard time for not letting them know sooner, the Service Manager happily routed our call to A/P.

  4. Once on the phone with A/P, it's a simple pitch: "We've been trying to contact you. What's your email? Sending you a link now. Simply fill out your payment info, and you'll see 5% off your next invoice."

For this test, we didn't start with A/P as the first contact. Beginning with the Service Manager and having them transfer the call increases the chance that Accounting will view the request as legitimate. As far as the A/P Clerk is concerned, the Service Manager wouldn't transfer a call they didn't know was legitimate.

This simple penetration test helps us answer several questions from "Is the team trained to ask the right questions to help spot fraud?" to "Does the store have minimum network protections to stop users from accessing malicious links?"
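The "right questions" for A/P come down to one control: a request to change how a vendor is paid is never acted on from the inbound call itself, only after a call-back to the number already on file. The following is an added example, not code from the original post or from dlrSec, of how that control can be written down as a triage check. Vendor names, phone numbers and domains in it are constructed, and the vendor master is a plain dictionary standing in for whatever the dealer's accounting system holds.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VendorRecord:
    """What Accounting already has on file for an approved vendor."""
    name: str
    phone_on_file: str          # call-back number; never the number the caller gives
    email_domain_on_file: str   # domain the vendor's real correspondence comes from


@dataclass(frozen=True)
class ChangeRequest:
    """An inbound request to change a vendor's payment details."""
    vendor_name: str
    caller_phone: str               # number the caller gave, or caller ID
    link_domain: Optional[str]      # domain of any link the caller sent, if any
    transferred_internally: bool    # call arrived via a colleague's transfer


def _digits(phone: str) -> str:
    """Normalise a phone number to digits so formatting differences don't matter."""
    return re.sub(r"\D", "", phone)


def triage(req: ChangeRequest, vendors: Dict[str, VendorRecord]) -> dict:
    """Compare the request with the vendor master and list what A/P must do
    before any payment detail is touched. The decision is always 'hold':
    the change is applied only after an out-of-band call-back succeeds."""
    flags: List[str] = []
    vendor = vendors.get(req.vendor_name.lower())

    if vendor is None:
        flags.append("vendor not in approved vendor master")
    else:
        if _digits(req.caller_phone) != _digits(vendor.phone_on_file):
            flags.append("caller phone differs from number on file")
        if req.link_domain and req.link_domain.lower() != vendor.email_domain_on_file.lower():
            flags.append("link domain does not match vendor domain on file")

    # A transfer from the Service Manager says nothing about who is on the line;
    # it is recorded so the reviewer does not treat it as verification.
    notes = ["internal transfer is not vendor verification"] if req.transferred_internally else []

    actions = [
        "do not open any link or enter payment data until the vendor confirms",
        ("call vendor back at the number on file: " + vendor.phone_on_file)
        if vendor else "obtain vendor contact from the signed contract, not from the caller",
        "second approver signs off on the change",
    ]
    risk = "high" if flags else "standard"
    return {"decision": "hold", "risk": risk, "flags": flags, "notes": notes, "required_actions": actions}


def sample_vendors() -> Dict[str, VendorRecord]:
    """Constructed vendor master for the example; keys are lower-cased names."""
    v = VendorRecord("ServiceSched (constructed)", "555-010-0199", "servicesched.example")
    return {v.name.lower(): v}


if __name__ == "__main__":
    # The call from the post: caller gives a new number, sends a link, arrives by transfer.
    suspicious = ChangeRequest("ServiceSched (constructed)", "555-0100", "pay-portal.example", True)
    print(triage(suspicious, sample_vendors()))
```

Running the block prints a high-risk hold with two flags for the scenario in the post. A request whose caller number matches the record and that carries no link still comes back as a hold; the flags are empty, but the call-back and second sign-off remain on the list, which is the point of the control.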

Social-engineering-based attacks work because they are simple, and we all want to believe the best in people. The only way to protect your business from attacks like the one that befell Twitter is constant training and testing.

For more information about how penetration testing can help you find holes in your cyber defense, contact dlrSec today: info@dlrsec.com.
