A Lesson in Social Engineering: How a “Security-aware” Organization Was Completely Duped

By Linda Musthaler | November 05, 2013

Posted in: Network Security Trends

There is a must-read article published by IDG News Service and posted to Network World. (See Fake social media ID duped security-aware IT guys.) This is the story of how security experts conducting penetration tests of an unnamed European organization used a very convincing but entirely fake social media persona to infiltrate the targeted organization. Not just any organization, mind you, but one that “specializes in offensive cybersecurity and protecting secrets,” according to the article.

The pen testers created a persona that they called Emily Williams. They gave her a profile of being 28 years old and a graduate of MIT with 10 years of work experience. They set her up with Facebook and LinkedIn accounts and posted to MIT university forums using her name. In short, they made her seem as real as possible, with a background that would naturally attract the attention of people within the targeted organization.

Within the first 15 hours of Emily’s unreal existence, she had 60 Facebook connections and 55 LinkedIn connections with employees and contractors from the targeted organization. Within 24 hours she even had job offers. On LinkedIn, people endorsed her skills and this garnered further attention.

Being the sociable gal that she appeared to be, Emily created a digital Christmas card that she distributed via her social media profiles. The card contained a payload that gave the pen testers access to the machines of the people who opened Emily’s online greeting card. Once inside the network, the testers were able to gain administrative rights, steal passwords and documents, and install applications at will. The testers even came across a developer’s source code. And, they duped the head of information security at the firm with fake birthday greetings that compromised his machine as well.

In the end, the testers were able to reach their goal of cracking this security-aware organization’s network in just a week, but they did probe around for a couple of months to see what else they could get to. It seems they pretty much had the keys to the kingdom.

The whole scenario is a stunning lesson on social engineering and trust. No matter how security-aware we profess to be, we still want to trust people when they tell us who they are—or at least who they appear to be. It’s also a reminder that technology alone isn’t going to keep attacks at bay. The people behind Emily – who could very easily have been cyber thieves or corporate spies instead of authorized penetration testers – were essentially brought through the front door by unsuspecting people who wanted to be her friend or associate, even though they only knew her through a digital existence.
