Security researchers Aamir Lakhani and Joseph Muniz demonstrated how easy it is to prepare a hacking attack against a given company. The researchers illustrated the main issues when it comes to larger companies and their security. They report that the unlike the typical focus on security which lies within strong password policies and good protection software and hardware.
Using nothing but one or two photos, some clever social engineering, and malware, the hackers were able to compromise a U.S. government agency’s security.
The hackers successfully used fake Facebook and LinkedIn profiles to send out malware concealed within various Christmas cards. This malware was uploaded to a malicious website that caused the infection when the Christmas card was opened.
Using social engineering, funnily enough, the hackers were even able to convince an employee to send a working laptop, along with its passwords and usernames, to the fake employee.
But this was just one aspect of the hack. The hackers managed to get away with passwords, stolen documents, and other important information. Not only that, but the hackers also gained full “read and write” permissions on some devices, allowing them to install other types of malware on the computers as well, such as ransomware, for example.
How Muniz and Lakhani Pulled It Off
The first stage of the hackers’ operation was the preparation stage. To start, they selected pictures of a female employee of another organization, named Emily, who is not exactly tech savvy and worked in a restaurant not far from the agency’s facility. Then the hackers were able to create a fake identity by creating:
- Fraudulent social security number.
- Place of residence.
- Fake University degree that makes her an IT specialist from Texas UC.
- Fake information on working previous jobs in the field.
- Fake phone and other data that may develop Emily into a fake identity.
The second stage for the hackers was to build up the fake identity. They started adding friends to the fake identity who had nothing to do with the woman in the picture, to minimize the risk of someone recognizing the profile as fake and reporting it.
Surprisingly enough, several hours later the hackers had managed to gather several hundred friends on the profile by simply adding them. The hackers even managed to persuade one of the people who added the fake profile that they knew the person in it, by using information from the victim’s profile.
Then the cyber-criminals updated the status of the person to a new employee of the government agency. Then they began to add people who were working in the agency, including employees from different departments such as HR, technical departments and others.
As soon as the hackers had built up an audience, they had the perfect opportunity to make their attack. From there, they used malware and targeted the employees via social engineering to cause a successful infection.
What Can Be Learned from This
The biggest risk in organizations is the human factor, so it is very important always to know what information you have released publicly to others, since this information may turn out to be your weakness, as the hackers showed with Emily’s fake profile. It is also very important to raise awareness and educate everyone in a given organization to be extra cautious and always assess the risk in situations where they do not feel confident.