The Top Ten Most Famous Social Engineering Attacks
Contrary to popular belief, hacking is not all about finding loopholes in computer software that gives the attacker access to sensitive information. Vulnerabilities in human behavior and habits can be just as damaging to an organization’s security. Like the Greeks who used the Trojan Horse to get inside the walls of Troy, social engineers use human mistakes to bypass technological security measures. In this article, we describe ten of the most famous social engineering attacks of recent years.
2011: RSA SecurID
RSA’s SecurID tokens are designed to protect their users by providing two-factor authentication (2FA), making it impossible for attackers to breach their systems using only a stolen password. However, this technology only works if the 2FA technology is secure. In 2011, RSA fell prey to a famous phishing attack that compromised the security of their systems and cost the company $66 million.
The social engineering attack against RSA consisted of two different phishing emails. These emails claimed to describe the recruitment plan of another organization and contained an attached Microsoft Excel document. If an employee opened the Excel document, a zero-day Flash vulnerability was exploited and a backdoor was installed, allowing the attacker access to the system. While the exact information stolen by the attacker is unknown, it was significant enough that RSA believed it jeopardized the security of the RSA SecurID tokens, forcing the company to spend millions correcting the problem.
2013: Associated Press Twitter
The 2013 hack of the Associated Press Twitter account is notable for its immediate national impact. The attack began as a spearphishing email to Associated Press employees that appeared to come from other employees of the Associated Press. In actuality, the email came from the Syrian Electronic Army.
The email included a link to a phishing site where the employees entered login information for the Associated Press Twitter account. The only sign of the phishing email was the fact that the name of the AP staffer in the From field of the email did not match the name in the signature line.
Once the Syrian Electronic Army gained access to the Associated Press Twitter account, they posted a tweet that the White House had been bombed and that President Obama was injured in the explosion. This tweet was only live for three minutes before the news that it was a fake began to spread. However, in these three minutes, the DOW dropped 150 points—about $136 billion—before rebounding to near its former level. This simple phishing email could have a devastating effect on the US economy and, properly managed, could have made the attackers a great deal of money through short selling on the stock market.
2013: Bit9 Certificate Theft
In 2013, Bit9 fell prey to a watering hole attack. In a watering hole attack, hackers infect websites that their target is likely to visit and wait until their malware successfully infects a target computer. For example, an attacker targeting developers may attempt to infect websites like Stack Overflow, which programmers frequently visit to ask or answer programming-related questions.
As a result of the Bit9 attack, the hackers were able to steal the certificates used by Bit9 for code signing. This allowed the attackers to create malware that appeared to be legitimate software developed by Bit9. As a result, the attackers were able to target other organizations that used and trusted software signed by Bit9.
2013: Target Point of Sale
The 2013 breach of Target’s point of sale systems shows that an organization is only secure if every organization that it trusts is also secure. As a result of the 2013 breach of its point of sale systems, hackers accessed 40 million Target customers’ credit and debit card information.
The credit and debit card information was stolen using malware on Target’s point of sale systems, but the source of the breach was a social engineering attack. For some reason, Target gave remote access to its network (including its payment network, which should be kept separate), to its heating, cooling and air conditioning vendor, Fazio Mechanical Services. This vendor was targeting with a phishing email that installed the Citadel trojan malware on their machines, allowing the hacker to steal their access credentials to the Target network. Using these credentials, the attackers were able to log into Target’s network and install malware that recorded and extracted the information for every credit and debit card used at the infected machines.
2013: United States Department of Labor Watering Hole
Like Bit9, the United States Department of Labor fell prey to a watering hole attack in 2013. In order to target Department of Labor and Department of Energy employees, hackers infected web pages related to toxic nuclear substances that are regulated by the Department of Energy. Since this is not information that the casual web user would be interested in, this allowed the attackers to target employees with a background in nuclear sciences and likely a security clearance.
The actual malware used in this attack was the Poison Ivy Remote Access Trojan (RAT) delivered via a zero-day vulnerability in Internet Explorer. Nothing is known about the number of infected employees, what data may have been stolen, or even the identity of the hackers.
2014: Sony Pictures Hack
In 2014, Sony Pictures was preparing to release The Interview, a comedy about two men training to assassinate the leader of North Korea. In response, North Korea threatened terrorist attacks against theaters and hacked the computer networks belonging to Sony Pictures.
The Sony Pictures hack began as an Apple ID phishing email. Several Sony executives received emails that requested they verify their Apple credentials on a phishing page under the control of the attackers. Using the executive’s LinkedIn profiles, the attackers determined their likely login credentials for the Sony network and identified at least one executive who used the same password for both their Apple and Sony accounts. With these credentials, the hackers were able to gain access to Sony Networks, resulting in the theft of a claimed 100 terabytes of sensitive company and employee information.
2014: Yahoo Hack
While not quite of the scale of the 2013 Yahoo hack, the 2014 Yahoo hack was significant, endangering up to 500 million users. Stolen data included usernames, phone numbers, security questions and answers, password recovery emails and cryptographic values associated with each account.
The 2014 Yahoo attack used a spearphishing attack targeting “semi-privileged” Yahoo employees. One employee fell for the email, granting the attacker access to the Yahoo network and allowing them to download the Yahoo user database. Using recovery email addresses, the hackers identified targets of interest and used the cryptographic values stored in the database to generate fake Yahoo cookies. This allowed them to access the user’s account without a password, completely compromising over 6,500 Yahoo user accounts.
2015: Ubiquiti Networks BEC Attack
Ubiquiti Networks is a manufacturer of technology for high-performance networking. In 2015, Ubiquiti was the victim of a business email compromise (BEC) attack that cost the company approximately $46.7 million dollars. A BEC attack is a special form of spearphishing email in which an attacker masquerades as someone high in the organization’s hierarchy, such as the CEO. The attacker then targets an employee with the power to perform certain functions, like transferring money or accessing HR records.
In the case of Ubiquiti Networks, the attackers pretended to be executive members of the company and targeted employees in the finance department. The email requested that wire transfers be sent to certain accounts; these accounts were allegedly partners of the company, but were actually under the hacker’s control. As a result, Ubiquiti staffers transferred $46.7 million dollars into hacker-controlled accounts. Ubiquiti was able to recover $8.1 million and expected that another $6.8 million would be recoverable, meaning that the organization does not expect to recover $31.8 million of their losses.
2016: Democratic National Convention Emails
The Democratic National Convention’s email leaks may be the most famous and memorable aspect of the primary season of the 2016 United States presidential election. Over 150,000 emails stolen from twelve staffers of the Clinton campaign were leaked by a variety of sites.
In the end, the DNC hack came down to a phishing email. Russian hackers created a spearphishing email that appeared to be a legitimate email from Google warning of unusual activity on their email accounts and inviting the recipient to click on a link to change their password. This link used Bitly URL shortening to appear to be a legitimate Google link and required the targets to provide their Google credentials in order to address the potentially malicious activity. Once the attackers had the correct credentials, they had complete access to their targets’ email accounts, allowing them to download and leak thousands of emails containing information sensitive to the Clinton campaign.
2016: United States Department of Justice
In 2016, the United States Department of Justice fell for a social engineering attack that resulted in the leak of personal details of 20,000 FBI and 9,000 DHS employees. The hacker claimed that he downloaded 200 GB of sensitive government files out of a terabyte of the data to which he had access.
The attack began with the hacker gaining access to the email account of a DOJ employee through unknown means. After this, he attempted to access a web portal which required an access code that he didn’t have. Rather than give up, the attacker called the department’s number and, claiming to be a new employee, asked for help, resulting in them giving him their access code to use. With this code, he was able to access the DOJ intranet using his stolen email credentials, giving him full access to three different computers on the DOJ network as well as databases containing military emails and credit card information. He leaked internal DOJ contact information as proof of the hack, but it is unknown what else he had access to and might have stolen off of the DOJ Intranet.
While there can be an element of entertainment in reading about the poor security decisions of others (especially those at the management level), stories like these should ultimately serve as illustrative examples. The truth is that no one is exempt from social engineering attacks, and even the most savvy person can fall victim due to a moment of bad decision-making or plain fatigue. It’s important to take every online request seriously as a potential threat from someone trying to compromise your data, and to use all available tools (from phishing awareness to sophisticated email filtering systems) to tighten your defenses.