
Experienced an unusual incident in which a support user had an unexpected session appear in their queue with the customer name displaying as “Threatlocker”. The support user stated that they had not sent out a support link / key to any clients and were not expecting any kind of support connection. At first they thought it could have been a prior client re-opening an old Bomgar file, but after verifying the logs I can confirm that the prior client’s name was different from “Threatlocker”. Also to note: the support user did not interact with the session and attempted to remove the session by right-clicking, but that was disabled. The session did eventually disconnect on its own. Upon reviewing the logs it seemed that the “Threatlocker” client was commenting in the session with a repeated message over and over again, even after a “disconnected” state. I am thinking this could have been a bot of some sort. This instance only happened once and did not reappear. I attempted to do a generic search online to see if there were any similar instances but did not get any hits. Wondering if anyone else has experienced this, or maybe can give more insight on how common this behavior is for unknown customers to manage to enter our support queue. Thanks

Isn’t it possible to have an internet facing support portal where anyone could in theory request a session, assuming you have that enabled and the person (or bot) finds your site? Or maybe it was an internal threat (or pentest) that found an internal support portal to request a session? 


Apologies for my vague response; we lock that down as much as possible and don’t use the queue functionality. Our external page is as minimal as possible and does not allow anyone to request a session from that portal. 


Looks like that might be under /Login > Public Portals > {Edit whatever portal you use} > Representative List


This, I think, would display the list of available representatives on your public portal, where someone could click their name to get into their queue? That would be something someone else has to confirm for me though, because, again, we have all of that disabled, since our workflow doesn’t work like that and we want to minimize what is internet facing.

