IT Support Agent at Canadian Telco Rogers Provides Imposter Employee with Company Email Access

Hackers distributed records on corporate clients of Rogers Communications via Twitter, after tricking a Rogers tech support employee into divulging network credentials. 

Patricia Trott, a spokeswoman for the Toronto-based Internet and phone provider, said a “third party” accessed a “single e-mail address of one of our enterprise sales employees, who managed a small number of medium business accounts.”

The breach was due to “human error” as opposed to “system error,” she said.

On March 1, an unidentified Twitter user using the handle @TeamHans_ posted a link to a zip file containing copies of dozens of contracts for telecommunications services, as well as e-mail correspondence from the Rogers sales employee.

The contracts appear to relate to medium-sized businesses that were part of the portfolio managed by the employee. They indicate the number of data or voice lines purchased as well as the prices the business customers paid. Consumer accounts were not affected.

The website Databreaches.net apparently interviewed the individuals behind the @TeamHans_ Twitter account, who explained how they tricked the Rogers IT support agent:

We went searching for a medium- level Rogers employee, and we ended up with Antonio Marino. We called Rogers IT Support desk and convinced the IT Specialist that we were employees at the company and we needed some assistance regarding another employee. She was more than happy to assist us, and asked us what we needed. We asked for an employee ID and his answers for his security questions. She gave them, we thanked her, and called back as Antonio Marino.

They asked what we needed, I said I forgot the password to my corporate Outlook account, he asked us two security questions (birthday and zipcode), which we answered correctly, and he then changed the password for us.

Upon signing into Marino’s Outlook, we forwarded all the emails to an email address, and we proceeded to download all the emails and include that with the release.

In poring through Marino’s e-mails, the hackers noticed a strange tool, they said:

So we did some digging and found out the tool was used for contracts (creating and viewing), so we went on the site http://rogerscontracttool.ca/ and signed in with the details our lovely friend at IT gave us. We then proceeded to download all of the contracts (which we also included in the dump). After that, we did some more skimming and realized something known as “IT Portal” from his emails. We went to that site, same details, and signed in. In there we managed to find the Rogers VPN with an employee profile, an employee copy of McAffe, and some other tools within it. So voila, we now have all of the contracts, all of the Rogers employee tools, as well as sensitive emails regarding the company.

TeamHans, which reportedly comprises three hackers, including @MarxistAttorney and ffx0, told DataBreaches.net that the motive money. The digital trespassers wanted to 70 bitcoins from Rogers in exchange for not revealing the hack or dumping the corporate information. When Rogers wouldn’t pay, they dumped the data.

Databreaches.net speculates that, as of Feb. 25, Rogers was aware that Marino’s e-mail had been hacked, pointing to this leaked internal e-mail:

From: Iftequar Syed
Sent: Wednesday, February 25, 2015 9:42 AM
To: Marcus Elson
Cc: Michael Gibson
Subject: IN1076520 – Email has been hacked

Hi Marcus

Have this user at the IT Staging Window and apparently his email has been hacked and have received threatening emails concerning him and his family and he got a call to check his email.

Additionally when he called IT Support to open a ticket they created an IN107652 was opened and when IT Support’s email came to his mailbox he got another call from the hacker about this.

The ticket was assigned to the wrong queue assigned it currently to RCI-ISCF.

Needs immediate and Urgent attention, please contact the user Antonio Marino @ [Redacted by DataBreaches.net].

Thanks & Best Regards

- There was nothing found going out to, or coming in from, the specified “ffx0″ email address but there was other activity found when traces were run again *@openmailbox.org.
– A large number of Antonio’s corporate emails were forwarded to 2 suspicious looking email accounts on Feb 21st – [redacted by hackers] and [redacted by hackers] (146)

Some of the internal e-mails allege that the hackers called Marino, knew a lot about his family, and threatened to kill them if they weren’t paid.  The hackers told Databreaches.net that they strongly deny claims they ever threatened any violence against Antonio Marino or his family.