
How Easy It Is To Hack an Organization

Security researchers Aamir Lakhani and Joseph Muniz have demonstrated how easy it is to prepare a hack attack against a given company. The researchers have illustrated the main issues when it comes to larger companies and their security. They report that unlike the typical focus on security which lies within strong password policies and good protection software and hardware.

Using nothing but one or two photos, some clever social engineering, and malware, the hackers were able to compromise a U.S. government agency’s security.

The hackers successfully used fake Facebook and LinkedIn profiles to send out malware concealed within various Christmas cards. This malware was uploaded to a malicious website that caused the infection when the Christmas card was opened.

Using social engineering, funnily enough, the hackers were even able to convince an employee to send a working laptop, along with its passwords and usernames, to the fake employee.

But this was just one aspect of the hack. The hackers managed to get away with passwords, stolen documents, and other important information. Not only that, but the hackers also gained full “read and write” permissions on some devices, allowing them to install other malware on the computers as well, such as ransomware.

How Muniz and Lakhani Pulled It Off

The first stage of the hackers' operation was the preparation stage. In it, they selected pictures of a female employee of another organization, named Emily, who is not exactly tech savvy and worked in a restaurant not far from the agency’s facility. The hackers were then able to build a fake identity by creating:

  • Fraudulent social security number.
  • Place of residence.
  • Fake University degree that makes her an IT specialist from Texas UC.
  • Fake information on working previous jobs in the field.
  • Fake phone and other data that may develop Emily into a fake identity.

The second stage of the operation was to build up the fake identity. The hackers started adding friends to the fake profile who had nothing to do with the woman in the picture, to minimize the risk of someone recognizing the profile as fake and reporting it.

Surprisingly enough, several hours later the hackers had managed to gather several hundred friends in the profile by simply adding them. The hackers even managed to persuade one of the people who added the fake profile that they knew the person in it, by using information from the victim’s profile.

Then the cyber-criminals updated the status of the person to show her as a new employee in the government agency. They then began to add people who were working in the agency, including employees from different departments such as HR, technical departments and others.

As soon as the hackers had built up an audience, they had the perfect opportunity to make their attack. From there, they used malware and targeted the employees via social engineering to cause a successful infection.

What Can Be Learned from This

The biggest risk in organizations is the human factor, so it is very important to always know what information you have released publicly to others, since this information may turn out to be your weakness, just like the hackers did with Emily’s fake profile. It is also very important to raise awareness and educate everyone in a given organization to be extra cautious and always assess the risk in situations where they do not feel confident.

Ventsislav Krastev

Ventsislav has been a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, and helping victims with the latest malware infections, plus testing and reviewing software and the newest tech developments. Having graduated in Marketing as well, Ventsislav also has a passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecurity industry and is a strong believer in the education of every user towards online safety and security.


1 Comment
  1. SandraFes

    Thanks, exactly what is needed, I as well believe this is a very superb website.
    This is actually the kind of information I have been trying to find.
    Have a good day.
