Using social media profiles and a photo of a real (and consenting) woman, two hackers fooled a government employer into believing she was an employee, conning them out of a company laptop, network credentials, and more.
They used “her” Facebook and LinkedIn connections to send out holiday cards linked to an attack site, which the government employees visited, and scammed one employee into sending her a work laptop – as well as network access credentials and more, such as SalesForce logins.
The researchers used the imaginary pretty girl’s poisoned holiday e-cards to gain administrative rights, obtain passwords, install applications and steal documents containing sensitive information – some of which, according to the hackers, included information about state-sponsored attacks and country leaders.
Lakhani told an audience at RSA Europe 2013 on Wednesday, October 30, “This guy had access to everything. He had the crown jewels in the system.”
Mr. Lakhani presented the team’s findings at RSA Europe in a talk titled Social Media Deception: the results of his team’s sanctioned 90-day “Emily Williams” penetration test on a US government agency, conducted at the end of 2012.
Lakhani declined to state which U.S. government agency was infiltrated and compromised by the fictitious Miss Williams. He told the RSA audience that his team’s pre-Snowden attack was performed on a very secure agency that specializes in offensive cybersecurity and protecting secrets, one where, in previous penetration tests, only zero-day attacks had succeeded.
And what did it take to crack this “very secure agency that specializes in offensive cybersecurity”? This woman: