Security researchers Aamir Lakhani and Joseph Muniz have demonstrated how easy it is to prepare an attack against a given company. The researchers illustrated the main issues that larger companies face with their security. They note that the typical focus of security lies in strong password policies and good protection software and hardware.
Using nothing but one or two photos, some clever social engineering, and malware, the hackers were able to compromise a U.S. government agency’s security.
The hackers successfully used fake Facebook and LinkedIn profiles to send out malware concealed within various Christmas cards. This malware was uploaded to a malicious website that caused the infection when the Christmas card was opened.
Using social engineering, funnily enough, the hackers were even able to convince an employee to send a working laptop, along with its passwords and usernames, to the fake employee.
But this was just one aspect of the hack. The hackers managed to get away with passwords, stolen documents, and other important information. The hackers also gained full “read and write” permissions on some devices, allowing them to install other malware on the computers as well, such as ransomware.
How Muniz and Lakhani Pulled It Off
The first stage of the hackers' operation was preparation. In it, they selected pictures of a woman named Emily, an employee of another organization, who was not exactly tech savvy and worked in a restaurant not far from the agency’s facility. The hackers then built a fake identity by creating:
- Fraudulent social security number.
- Place of residence.
- Fake university degree that makes her an IT specialist from Texas UC.
- Fake information about previous jobs in the field.
- Fake phone and other data that help develop Emily into a fake identity.
The second stage was to build up the fake identity. The hackers started adding friends who had nothing to do with the woman in the picture, to minimize the risk of someone recognizing the profile as fake and reporting it.
Surprisingly enough, several hours later the hackers had gathered several hundred friends on the profile simply by adding them. The hackers even managed to persuade one of the people who added the fake profile that they knew the person in it, using information from the victim’s profile.
Then the cyber-criminals updated the profile's status to show the person as a new employee of the government agency. They then began to add people working at the agency, including employees from different departments such as HR, technical departments and others.
As soon as the hackers had built up an audience, they had the perfect opportunity to make their attack. From there, they used malware and targeted the employees via social engineering to cause a successful infection.
What Can Be Learned from This
The biggest risk in organizations is the human factor, so it is very important to always know what information you have released publicly, since this information may turn out to be your weakness, as the hackers showed with Emily’s fake profile. It is also very important to raise awareness and educate everyone in a given organization to be extra cautious and to always assess the risk in situations where they do not feel confident.