Social engineering, in the context of IT, often refers to the manipulation of people to perform actions or give up confidential information.
As long as there has been any proprietary or private information, bad actors have been attempting to steal it. Recently, with the acceleration of technology and the accessibility to the internet, hackers have refocused their strategy. Where, in the past, an assailant would be required to be physically in the room to breach a system, now a simple email is all that is necessary.
The goal of such an attack is to extract information, commit fraud, or gain system access by tricking an unsuspecting user by gaining their confidence.
Naturally, as technology becomes more widely adopted, there has been an uptick in such attacks. Social engineering attacks are worth keeping an eye on. At the very least, to monitor your company’s vulnerabilities.
The Sony Pictures Hack
On Monday, November 24, 2014, many of Sony Picture’s employees began to see skulls appearing on their computer screens with software rendering their machines inoperable. It was quickly discovered that many of Sony’s official Twitter accounts had been compromised as well. A group identifying themselves as the Guardians of Peace took credit for the hack and began to issue demands. They claimed that they were in possession of over 100 terabytes of stolen data and would start releasing it if their demands were not met.
Unfortunately for Sony, the e-mail, outlining the demands of the group, was missed, likely caught up in a spam filter or the daily barrage of messages we are all used to receiving. Shortly after the deadline for the demands had passed, Guardians of Peace began leaking unreleased films to social media. In addition to unreleased content, they also leaked personal information about employees of Sony Pictures including their families, inter-office e-mails, salary information, and more.
Guardians of Peace then demanded that Sony stop production on its upcoming film, The Interview. This film, a comedy produced and directed by Seth Rogan and Evan Goldberg, had a plot to assassinate North Korean leader Kim Jong-un. The group then threatened attacks on movie theaters that were intending to screen the film. Eventually, after much public out-cry and theater chains opting not to screen the film, Sony scrapped the film’s premiere and release.
Though it seems that the main aim was to take down the film, the information leak may be deemed as more disastrous to Sony. Emails showing that female actors Amy Adams and Jennifer Lawrence were paid less than their male co-stars were revealed amongst other embarrassing and racist private emails from producers and (then) Sony Executive Amy Pascal. The Interview was eventually released digitally, for free.
The fallout for this hack continued with multiple government agencies becoming involved. An investigtation on whether North Korea itself had purpotrated the hack was launched. Additionally many organizations such as Color of Change called for the firing of Amy Pascal who was eventually dismissed.
A caveat to the hack, however, is that the gender pay debate quickly became a mainstream conversation.
Target Data Breach
In 2013, hackers accessed over 40 million of Target customers’ credit and debit card information through a large scale social engineering attack on Target’s point-of-sale (POS) systems. The systems were infected with malware, confirming what security experts suspected since the massive data breach was announced in December of that year. What is interesting is that it was discovered that hackers went through another company to get to Target. It was later announced that information such as names, emails, addresses, and phone numbers of an additional 70 million customers had also been stolen.
A PoS attack such as this is often called a “RAM scraper.” The term originates from the way the malware scans a point-of-sale terminal’s random access memory (RAM) for transaction data with the intent to steal it. When a card is swiped, the data encoded on the magnetic stripe is passed along with the transaction request to the payment application and then on to the company’s payment processing provider.
Target made many mistakes that eventually lead to this attack.
First, Target gave remote access to its network to its HVAC vendor Fazio Mechanical Services. This company was then targeted with a phishing email that installed malware onto their system. The hacker then used this to route into Target’s network, installing malware that recorded and extracted the information for every credit and debit card used on an infected machine.
At the end of 2015, Target announced a loss of $162 million due to data breach-related fees.
Note: Learn everything you need to know about data breaches, causes, methods and what to do about them in our article What Is a Data Breach.
2016 Democratic National Committee Email Leak
In June and July of 2016, during the 2016 Democratic National Convention, an e-mail leak occurred that was allegedly obtained by Russian intelligence agency hackers. The leak, published by DCLeaks and WikiLeaks, included e-mails from seven key DNC staff members as well as the governing body of the United States Democratic Party, totaling 19,252 emails and 8,034 attachments.
The leaked documents suggested that the party’s leadership had attempted to sabotage Bernie Sanders’ bid for President. In response, the chair of the DNC, Debbie Wasserman Schulz, resigned. Once the convention wrapped, DNC CEO Amy Dacey, CFO Brad Marshall, and Communications Director Luis Miranda also resigned.
Though WikiLeaks founder, Julian Assange, has stated that his source of the e-mails was not Russian, on July 13, 2018, Special Counsel Robert Mueller indicted 12 Russian military intelligence agents allegedly responsible for the attack.
On July 22, 2016, more than 150,000 additional e-mails, stolen from personal Gmail accounts or accounts linked to the DNC hack were released to the DCLeaks and WikiLeaks websites. It turns out that the hack was perpetrated via a simple case of spear phishing. The hackers sent an email that looked just like it had been sent by Google requesting that the user click a bit.ly link to reset their password due to malicious activity on their accounts. This successfully tricked people into entering their information, giving complete access to the hackers. Once they were in, the hackers started to release information.
On August 12, 2016, DCLeaks released information about more than 200 Democratic lawmakers that included personal cell phone numbers.
Associated Press Twitter Accounts
In April of 2013, the Associated Press’ (AP) Twitter account posted a tweet stating, “Breaking: Two Explosions in the White House and Barack Obama is injured” to it’s more than 2 million followers.
In the 3 minutes that the tweet was public and the account compromised, the DOW had plummeted 150 points, equivalent to $136 billion in equity market value.
The Associated Press received an email that appeared to be from others within the company. In fact, the email was from the Syrian Electronic Army. The email included a link that led to a page requesting the login details for the AP Twitter account. That the name in the ‘From’ field of the email didn’t match the name in the signature line was the only clue that the email was fake.
Once the attackers had the login details, the Syrian Electronic Army posted a single tweet, sending the financial market into chaos.
Though the impact of the tweet was quickly contained, there is no telling how devastating an effect on the economy this type of attack can do.
Similar attacks have been used to shift markets with false information. In August of the same year, information began to spread on Twitter that suggested Syrian President, Bashar al-Assad had been killed. This sent the price of crude oil spiking.
RSA SecurID Cybersecurity Attack
On March 17, 2011, it was announced that RSA had been the victims of an “extremely sophisticated cyber attack”.
The breach began with a spam email that purported to come from a recruiter. Four employees at RSA opened the attached spreadsheet where a 0day (zero-day attack) Flash exploit was buried inside. This installed backdoor access to their computers which put the whole system in jeopardy.
RSA initially denied that any information the hackers gained access to could be used against its users. However, there are reports that the breach involved the theft of RSA’s database mapping token serial numbers to the secret token “seeds” that were injected to make each one unique. Further reports that RSA executives were telling customers to “ensure that they protect the serial numbers on their tokens” lend credibility to this theory.
The breach was estimated to have cost EMC, which is the parent company of RSA, $66.3 million.
In April of 2011, there were rumors of L-3 Communications being attacked as a result of the RSA breach. Moreover, in May of the same year, Lockheed Martin thwarted its own attempted breach from the RSA attack.
Yahoo! Security Breaches
In 2016, the one-time internet giant, Yahoo!, reported two significant data breaches had occurred, compromising user data.
The first breach occurred in 2014 and compromised half a billion user accounts. The second, in August of 2013 was initially believed to have affected over 1 billion accounts. In reality, in October 2017, it was disclosed that all 3 billion user accounts were impacted. A simple spear-phishing email to a semi-privileged engineer was all it took to compromise all the customer accounts at the company.
Both breaches, individually and combined, are considered to be the largest discovered in the history of the internet. Compromised details include names, e-mail addresses, phone numbers, security questions (encrypted or unencrypted), dates of birth, and passwords. Furthermore, the breach was used to falsify login data, allowing hackers to grant access to any account without the use of a password.
The data accessed in the incident was put up for sale on the dark web and no doubt used by others for their scams.
Yahoo! has been criticized and publically shamed for the length of time it took to disclose the breach. The breach ultimately impacted the sale of the company to Verizon. Initially, the sale was estimated to be at $4.8 billion but decreased over $350 million after the disclosure.
15 Year Old Kane Gamble & The CIA
He may have been only 15 at the time, but Kane Gamble successfully used social engineering to get into the email accounts of CIA Director John Brennan and James Clapper, Director of National Intelligence, amongst others. This gave him access to highly sensitive military documents and intelligence operations in Iraq and Afghanistan.
Gamble used vishing (phishing via the phone) to persuade Verizon to reveal information about Brennan which he then used to impersonate Brennan when he contacted AOL. His method was simple but efficient, leading him to change security questions and numbers and gain access to many other accounts. He also managed to set up an auto-forward service directing phone calls from Clapper’s home to the Free Palestine Movement.
Gamble’s other targets included:
- Jeh Johnson, the then-Secretary of Homeland Security
- Mark Giuliano, FBI’s Deputy Director at the time
- John Holdren, the senior science and technology adviser to former US president Barack Obama
- Avril Haines, the White House deputy national security adviser
- The US Department of Justice
In April 2018, Gamble was sentenced to 2 years detention, and all his computers were seized.
Get Started With Social Engineering Prevention Today
All of these social engineering attacks show that simplicity is often the best way to gain access to a system. People are the most vulnerable point in any business. Whether the attacker went through some people or just required one person’s details, it is remarkable how quickly any socially engineered attack can escalate.
It’s important to remain vigilant in your security. Question every type of communication you receive and always be on the lookout for potential threats, no matter how small they may seem.