Next week is security week at Fresh Mango. We aim to raise awareness of the various ways in which companies and systems can be compromised.
Typically, when you think about company security, you think about the following:
- Strong Passwords
But that really only covers one aspect of security and one attack surface through which your company could be targeted and hacked. We’ve provided a case study to outline the importance of cyber security.
A recent report by security experts Aamir Lakhani and Joseph Muniz illustrated the ease with which they had compromised a U.S. government agency using a pretty face, some social engineering and some malware – they even managed to get the department to provide their fictitious worker, "Emily Williams", with a laptop and email account.
Lakhani and Muniz then used Emily’s Facebook and LinkedIn connections to send out Christmas cards linked to a compromised website.
Many of the government employees visited the site, and the pair scammed one employee into sending "Emily" a work laptop – as well as network access credentials and more.
They then went on to use the poisoned Christmas e-cards to gain administrative rights, obtain passwords, install applications and steal documents with sensitive information – some of which, according to the hackers, included information about state-sponsored attacks and country leaders.
On his blog, Joey Muniz breaks it down:
- Stage 1
The first step was creating Facebook and LinkedIn accounts. We found a non-technical female employee from the restaurant industry (that happened to be a few blocks from our target) to volunteer pictures for Emily’s appearance. We developed a fake social security number, residence and other areas that may be searched to make Emily seem real. We gave Emily an IT background from the University of Texas and updated her profile with a matching employment background.
- Stage 2
Step two was building up friends prior to networking with our target audience. We decided to pick on Joey Muniz’s friends, figuring that if they flagged her as fake, they wouldn’t inform anybody from our target audience. Within hours we had over 100 friends using manual adding methods. We found very little resistance to accepting her as a friend; however, one individual not only denied her friend request but also posted a warning about Emily to his friends without actually calling her out. Another funny story was a friend asking “Do I know you?”, and by simply replying with information from his social profile, we had him say he remembered her. The lesson learned is: think about what you post, because it could be used against you!
- Stage 3
Once we had a decent number of friends, we updated her status as a new employee of our target with a technical engineering title. From there, we started adding potential targets, starting with sales and mid-level technical staff as well as our target’s partners. We not only grew our friends from the organizations, but we also started receiving job offers, meeting requests and congratulations on the new job with our target. As our target audience friend number grew, we started moving up the ranks, eventually capturing people from Human Resources and Engineering who would be responsible for hiring Emily if she existed. We moved all the way up to executive leadership and are happy to say our President denied her friend request after looking for her name in the corporate directory. We have a lot of respect for his diligence.
- Stage 4
At this point, we have networked with our target audience and have enough key members linked to perform attacks. Part 2 of this story will feature how we leveraged the social network to obtain access to the network. Consider part 2 the answer to why Robin Sage and Emily Williams are a risk for organizations. Stay tuned for part two and, again, for those involved, don’t worry: we didn’t do anything bad to you unless we told you. Oh, and thanks for helping us prove our point about the dangers of social networks.