This week at a Big 4 Bank there was a presentation on Cyber Security. The presenter, who was an ethical hacker, started by saying that he would introduce himself, and that he rarely does that. In the spirit of that I will leave him unnamed.
Let’s call him Bob. Bob talked about his experiences in collecting 18 flags at DEFCON in Las Vegas a few years ago. This is the largest event for hackers in the world.
Just for background on DEFCON, there was an article just two days ago that talked about how DEFCON hackers were able to crack a new physical Brinks safe in 60 seconds.
These guys are seriously good...
I don’t use any Social Media
Bob started by saying this, which brought some gasps from the audience. He then went on to say that he does have a few hundred social media accounts that use aliases.
So much for the concept of Real Names, which I note is getting challenged by some countries, like Germany, on Facebook recently.
For the DEFCON event Bob had a challenge to penetrate a large multinational soft drink company and collect a series of pieces of information.
But first, Bob spent a few weeks setting up and doing reconnaissance. This included setting up a fake LinkedIn account as an IT Analyst for this organisation.
On assuming this alias on LinkedIn, Bob was able to gain access to other people in that organisation. He noted that a CFO he connected with on LinkedIn also asked whether, as his PC was not working, he could fix it.
You can see how amazingly easy it would be for a hacker to use social media engineering to gain access.
Just observe and listen
Bob was able to learn that there was a favorite pub near the headquarters, and it was easy to just pick up information from being there. One snippet that he learnt was that a KPMG audit had just been completed.
These small pieces of information provided Bob with the material that enabled the deception.
Bob then called the Helpdesk.
“Hello, this is Fred. What’s your Employee Number?”
“Fred, how’s your day?” Fred mentioned that actually it was not that great, as he had had an argument with his partner. Bob added, after the chatter, that he would be happy to be a sounding board, as he had really screwed up himself over the years.
Once warmed up, Bob went on: “Look, I’ve been asked by Tony to follow up on the KPMG Audit.” Tony used to be the Manager in this area, and Bob had researched him on Facebook and noted that he had a new baby and a really cute puppy.
On mentioning the baby and the puppy, Bob could sense that the trust was increasing. “So, could you help me out with a few questions?”
Bob’s goal was to collect 18 pieces of information about this organisation. This included:
- What company is used for file archives?
- What days are pay day?
- Is there wireless on site?
- What about the cafeteria?
The trick was that Bob was careful to listen to Fred’s voice for any pauses and to sense whether there was any reluctance on the other end of the line. Bob noticed that Fred might be getting suspicious and added, “Hey, I’m going to be in town next week, can I buy you a beer at the pub?”
That was the clincher, as Bob had researched the types of craft beers, and in mentioning his favorites there was a rewarming of the conversation.
A little scary
The question is: what’s stopping this happening at your organisation? Does your team realise how Social Media Engineering attacks happen?
I know that most Help Desk staff tend to be younger and usually active on Social Media. Thus this formula would work in most enterprises.
Yes, you should be concerned, and perhaps a mock social media engineering attack is in order. There are Bobs out there that can help you.