Pen Testers Break Into Gov't Agency With Fake Social Media ID
itwbennett writes "Security experts used fake Facebook and LinkedIn profiles to penetrate the defenses of an (unnamed) U.S. government agency with a high level of cybersecurity awareness. The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam. The testers built a credible online identity for a fictional woman named Emily Williams and used that identity to pose as a new hire at the targeted organization. The attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence. Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies."
Re:Since when ... (Score:5, Informative)
(and then I read the article)
Okay, the point where they then use the connections to send out xmas cards linked to an attack site which people went to, and how they somehow scammed someone into sending her a work laptop and network access credentials.
It might be better to lead with the actual attacks in the summary, and not just some sort of information gathering setup.
Re:Because they used an attractive woman. (Score:5, Informative)
The IT world article explains that the fake account was an attractive woman. The victims who exposed their organizations to attack were men who were trying to "help" this attractive woman in her new position.
Executive summary:
Fake Facebook and LinkedIn accounts created for a non-existent attractive 28-year-old female who was supposedly a new employee. Apparently the account sent out a lot of friend invitations which were accepted by (seemingly mostly) men who never questioned the invitation or why they had never met this person in real life. The men fell all over themselves to "help" this new employee, with some even offering to bypass official channels to get her working sooner. So basically lonely nerds take a shot that friending and helping a hot new chick at work might get them something down the road. The fact that she got job offers means nothing, as everybody I know who uses LinkedIn (for the record I do not use it) gets job offers all the time. One more thing - they made some fake postings from her so that an internet search would seem to indicate she was a real person. And her Facebook account had a link to an external site with a Java security attack that got some suckers to click on it.
Re:Job offer is not "break into" (Score:4, Informative)
To "Break Into" you have to get hired, get past the security clearance process and then get hired into a position that has access to something valuable, then succeed at taking it. When you are willing to manufacture lies, "job offer" is an easy part.
Maybe you didn't read all of the article.
[...] men working for the targeted agency offered to help her get started faster in her alleged new job within the organization by going around the usual channels to provide her with a work laptop and network access. The level of access she got in this way was higher than what she would have normally received through the proper channels if she had really been a new hire [...]
If you read very carefully, you will see that "Emily Williams" was given access to the secure but unnamed organization's network without having to do any of those things.