Fake social media ID duped security-aware IT guys

Penetration testers used a faked woman's identity on social networks to break into a government agency with strong cybersecurity defenses

Security experts used fake Facebook and LinkedIn profiles pretending to represent a smart, attractive young woman to penetrate the defenses of a U.S. government agency with a high level of cybersecurity awareness, as part of an exercise that shows how effective social engineering attacks can be, even against technically sophisticated organizations.

The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam by Aamir Lakhani, a counter-intelligence and cyberdefense specialist who works as a solutions architect at IT services provider World Wide Technology.

By building a credible online identity for a fake attractive female named Emily Williams and using that identity to pose as a new hire at the targeted organization, the attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence.

The agency's name was not revealed, but Lakhani said it was a very secure one that specializes in offensive cybersecurity and protecting secrets and for which they had to use zero-day attacks in previous tests in order to bypass its strong defenses.

The penetration testing team claimed Emily Williams was a 28-year-old MIT graduate with 10 years' experience and set up her identity with as much real information as possible. For the fake social media profiles they even used the picture of a real woman, with her approval, who works as a waitress at a restaurant used by many of the targeted organization's employees. However, no one recognized her.

The team also set up information about her on other websites so people would be able to match the information on her social media profiles with information obtained through Google searches, Lakhani said. For example, since they claimed she was an MIT graduate, they posted on some university forums using her name.

The test was inspired by a similar 2010 experiment by security specialist Thomas Ryan, who created a fake online identity for a female cyberthreat analyst named Robin Sage and was able to befriend about 300 security professionals, military personnel and staff at intelligence agencies and defense contractors on social media websites.

However, Lakhani and his colleagues wanted to see how far they could take such a social media deception and what they could achieve through it.

Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had three job offers from other companies.

As time went on, she started receiving LinkedIn endorsements for skills, and men working for the targeted agency offered to help her get started faster in her alleged new job within the organization by going around the usual channels to provide her with a work laptop and network access. The level of access she got in this way was higher than what she would have normally received through the proper channels if she had really been a new hire, Lakhani said.

The penetration testing team controlling the fake identity didn't use the work laptop and network access they obtained and decided to launch more sophisticated social engineering attacks against employees in order to break into their computers.

Around the Christmas holiday they created a site with a Christmas card and posted the link to it on Emily's social media profiles. People who visited the site were prompted to execute a signed Java applet that opened a reverse shell back to the attack team via an SSL connection.

The attack used built-in Java functionality to get the shell instead of exploiting a vulnerability and required user interaction, but despite these technical limitations, it was very successful, according to Lakhani.
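The applet attack described above leaves a distinctive endpoint footprint: a Java process launched from the browser spawns a command shell and opens an outbound TLS connection to an address outside the corporate network. The following detector is an added example written for this page, not code from the article, from Lakhani's team or from World Wide Technology. The pipe-delimited telemetry format, the field names, the host names and the sample events are all constructed for the example, and the corporate address ranges are a placeholder an organization would replace with its own.

```python
"""Added example (not from the article): flag Java processes that behave like
the reverse-shell applet described in the text, using constructed endpoint
telemetry. Each log line is ts|host|event|parent|target, where event is
"proc" (parent spawned target) or "net" (parent connected to target ip:port).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample telemetry: ws-042 shows the full pattern (browser -> java
# -> cmd.exe plus an external connection), ws-017 is a benign internal Java
# connection, ws-099 is an ordinary shell opened from the desktop.
SAMPLE_EVENTS = """\
2012-12-21T10:02:11Z|ws-042|proc|explorer.exe|firefox.exe
2012-12-21T10:02:40Z|ws-042|proc|firefox.exe|java.exe
2012-12-21T10:02:41Z|ws-042|proc|java.exe|cmd.exe
2012-12-21T10:02:42Z|ws-042|net|java.exe|203.0.113.25:443
2012-12-21T10:05:00Z|ws-017|proc|firefox.exe|java.exe
2012-12-21T10:05:03Z|ws-017|net|java.exe|10.10.5.20:8443
2012-12-21T10:07:19Z|ws-099|proc|explorer.exe|cmd.exe
"""

JAVA_PROCS = {"java.exe", "javaw.exe", "java"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "sh", "bash"}
# Placeholder corporate ranges (assumption); replace with the real allocation.
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    kind: str    # "proc" or "net"
    parent: str  # process image that acted
    target: str  # child image (proc) or "ip:port" (net)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    rule: str
    detail: str


def parse_events(text):
    """Parse the constructed telemetry format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 5:
            continue
        events.append(Event(*parts))
    return events


def is_external(dest, corp_nets=CORP_NETS):
    """True when an ip:port destination lies outside the corporate ranges."""
    host, _, _port = dest.rpartition(":")
    try:
        addr = ip_address(host)
    except ValueError:
        return True  # a hostname rather than an IP: treat as external here
    return not any(addr in net for net in corp_nets)


def detect(text, corp_nets=CORP_NETS):
    """Apply two rules: Java spawning a shell, and Java connecting externally."""
    findings = []
    for e in parse_events(text):
        parent = e.parent.lower()
        if e.kind == "proc" and parent in JAVA_PROCS and e.target.lower() in SHELL_PROCS:
            findings.append(Finding(e.ts, e.host, "java_spawns_shell",
                                    f"{e.parent} -> {e.target}"))
        elif e.kind == "net" and parent in JAVA_PROCS and is_external(e.target, corp_nets):
            findings.append(Finding(e.ts, e.host, "java_external_connection", e.target))
    return findings


def hosts_with_both(findings):
    """Hosts where both rules fired: the strongest reverse-shell indicator."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, r in rules_by_host.items()
            if {"java_spawns_shell", "java_external_connection"} <= r}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.ts} {f.host} {f.rule}: {f.detail}")
    print("likely reverse shell on:", sorted(hosts_with_both(found)))
```

Either rule on its own produces some noise (developers run Java build tools that spawn shells; Java clients talk to vendor services on the Internet), which is why the example correlates the two per host before calling the result a likely reverse shell. Because the applet in the article exploited no vulnerability and relied on the user clicking through the signing prompt, a detection that keys on process behaviour rather than on a specific exploit signature is the kind of control that would still have fired.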

Once they had a shell, the team used privilege escalation exploits to gain administrative rights and was able to sniff passwords, install other applications and steal documents with sensitive information. Some of the documents included information about state-sponsored attacks and country leaders.

Even though it wasn't part of the plan, some employees who worked for contractors to the targeted government agency also fell for the Christmas card attack, including employees from antivirus companies, Lakhani said. In one case, one of the accidental victims was a developer with access to source code, he said.

A real attacker could have compromised one of these partner companies and then attacked the government organization through them, which would have made the attack much harder to detect, Lakhani said.

At one point the attack team saw that two of the organization's employees were talking on Facebook about the birthday of the head of information security at the agency. That person had no accounts on social media websites, so the team sent him an email with a birthday card that appeared to come from one of the two people talking about the event on Facebook.

The attack worked and after he opened the malicious birthday card link, his computer was compromised.

"This guy had access to everything. He had the crown jewels in the system," Lakhani said.

The whole social media deception project involving Emily Williams lasted three months, but the penetration testing team reached its goals within one week. "After that we just kept the project going for research purposes to see how far we can go," Lakhani said.

"After we performed this successful attack we got requests from other companies that wanted to try the same thing," Lakhani said. "So we also did the same type of penetration test for very large financial institutions like banks and credit card companies, healthcare organizations and other firms, and the results were almost exactly the same."

"Every time we include social engineering in our penetration tests we have a hundred percent success rate," he said. "Every time we do social engineering, we get into the systems."

According to Lakhani, the fundamental problem is that people are trusting and willing to help others. Many also don't think it could happen to them because they don't have an important enough position within an organization, but they don't realize how their actions could help an attacker gain credibility.

The Emily Williams attack started by targeting low-level employees like sales and accounting staff, but as the social network around her grew, the attack team was able to target more technical people, security people and even executives.

The experiment also shows that attractive women get special treatment in the male-dominated IT industry. The majority of individuals who went out of their way to help Emily Williams were men. The team actually tried a similar test in parallel with a fake male social media profile and got no useful connections.

According to Lakhani, social engineering awareness training can help, but it's not going to work if it's done on an annual basis. It needs to be constant training, so that employees develop instincts. In fact, the organization targeted in this attack was doing security awareness training for their employees.

"In the military it's called situational awareness," Lakhani said. "We need to develop situational awareness for this type of attack."

Other recommendations that Lakhani made during the talk include: questioning suspicious behavior and reporting it to the human relations department, not sharing work-related details on social networks, not using work devices for personal activities, protecting access to different types of data with strong and separate passwords, and segmenting the network so that if attackers compromise an employee with access to one network segment they can't access more sensitive ones.
