Como é fácil invadir uma organização

line-security-sensorstechforumOs pesquisadores de segurança Aamir Lakhani e Joseph Muniz demonstraram como é fácil preparar um ataque de hack em uma determinada empresa. Os pesquisadores ilustraram as principais questões quando se trata de empresas maiores e sua segurança. They report that the unlike the typical focus on security which lies within strong password policies and good protection software and hardware.

Using nothing but one or two photos, some clever social engineering, e malware, the hackers were able to compromise a U.S. government agency’s security.

The hackers have successfully used a fake Facebook and LinkedIn profiles to send out malware concealed within various Christmas cards. This malware was uploaded to a malicious website that caused the infection when the Christmas card was opened.

Using social engineering, funnily enough, the hackers were able to convince an employee to even send a working laptop along with it’s passwords and usernames to the fake employee.

But this was just one aspect of the hack. The hackers managed to get away with passwords, stolen documents, and other important information. Not only this but the hackers also gained full read and write permissions on some devices, allowing them to instalar outros tipos de malware on the computers as well, como ransomware, por exemplo.

How Muniz and Lakhani Pulled It Off

o primeira etapa of the hackers operation was the preparation stage. Iniciar, they have designated pictures of a female employee named Emily, of another organization, who is not exactly tech savvy and worked in a restaurant not far from the agency’s facility. Then the hackers were able to create a fake identity by creating:

  • Fraudulent social security number.
  • Place of residence.
  • Fake University degree that makes her an IT specialist from Texas UC.
  • Fake information on working previous jobs in the field.
  • Fake phone and other data that may develop Emily into a fake identity.

o segundo estágio of the hackers was to build up the fake identity. They have started adding friends of the fake identity that have nothing to do with the woman on the picture to minimize the risk of someone recognizing the profile as fake and reporting it.

Surprisingly enough, several hours later the hackers managed to gather several hundred friends in the profile by simply adding them. The hackers managed even to persuade one of the people who added the fake profile to know the person from it by using information from the victim’s profile.

Then the cyber-criminals updated the status of the person as a new employee in the government agency. Então, they begun to add people who are working in the agency and they added employees from different departments like HR, technical departments and others.

As soon as the hackers have built up some audience, they have created the perfect opportunity to make their attack. De lá, they used malware and targeted the employees via social engineering to cause a successful infection.

What Can Be Learned from This

The biggest risk In organizations is the human factor so it is very important always to know what information you have released publicly to others since this information may turn to be your weakness, just like the hackers did with Emily’s fake profile. It is also very important to raise awareness and educate everyone in a given organization to be extra cautious and always asses the risk in situations where they do not feel confident.


Ventsislav Krastev

Ventsislav é especialista em segurança cibernética na SensorsTechForum desde 2015. Ele tem pesquisado, cobertura, ajudando vítimas com as mais recentes infecções por malware, além de testar e revisar software e os mais recentes desenvolvimentos tecnológicos. Formado marketing bem, Ventsislav também é apaixonado por aprender novas mudanças e inovações em segurança cibernética que se tornam revolucionárias. Depois de estudar o gerenciamento da cadeia de valor, Administração de rede e administração de computadores de aplicativos do sistema, ele encontrou sua verdadeira vocação no setor de segurança cibernética e acredita firmemente na educação de todos os usuários quanto à segurança e proteção on-line.

mais Posts - Local na rede Internet

Me siga:

1 Comente

  1. AvatarSandraFes

    obrigado, exactly what is needed, i as well believe this is a very superb website.
    This is actually the kind of information i have been trying to find.
    Tenha um bom dia.


Deixe um comentário

seu endereço de e-mail não será publicado. Campos obrigatórios são marcados *

limite de tempo está esgotado. Recarregue CAPTCHA.

Compartilhar no Facebook Compartilhar
Compartilhar no Twitter chilrear
Compartilhar no Google Plus Compartilhar
Partilhar no Linkedin Compartilhar
Compartilhar no Digg Compartilhar
Compartilhar no Reddit Compartilhar
Partilhar no StumbleUpon Compartilhar