Security experts used fake Facebook and LinkedIn profiles pretending to represent a smart, attractive young woman to penetrate the defenses of a U.S. government agency with a high level of cybersecurity awareness, as part of an exercise that shows how effective social engineering attacks can be, even against technically sophisticated organizations.
The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam by Aamir Lakhani, a counter-intelligence and cyberdefense specialist who works as a solutions architect at IT services provider World Wide Technology.
By building a credible online identity for a fake attractive female named Emily Williams and using that identity to pose as a new hire at the targeted organization, the attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence.
The agency's name was not revealed, but Lakhani said it was a very secure one that specializes in offensive cybersecurity and protecting secrets and for which they had to use zero-day attacks in previous tests in order to bypass its strong defenses.
The penetration testing team claimed Emily Williams was a 28-year-old MIT graduate with 10 years experience and set up her identity with as much real information as possible. For the fake social media profiles they even used the picture of a real woman -- with her approval -- who works as a waitress at a restaurant used by many of the targeted organization's employees. However, no one recognized her.
The team also set up information about her on other websites so people would be able to match the information on her social media profiles with information obtained through Google searches, Lakhani said. For example, since they claimed she was an MIT graduate, they posted on some university forums using her name.
The test was inspired by a similar 2010 experiment by security specialist Thomas Ryan, who created a fake online identity for a female cyberthreat analyst named Robin Sage and was able to befriend about 300 security professionals, military personnel and staff at intelligence agencies and defense contractors on social media websites.
However, Lakhani and his colleagues wanted to see how far they could take such a social media deception and what they could achieve through it.
Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies.
As time went on she started receiving LinkedIn endorsements for skills and men working for the targeted agency offered to help her get started faster in her alleged new job within the organization by going around the usual channels to provide her with a work laptop and network access. The level of access she got in this way was higher than what she would have normally received through the proper channels if she had really been a new hire, Lakhani said.
The penetration testing team controlling the fake identity didn't use the work laptop and network access they obtained and decided to launch more sophisticated social engineering attacks against employees in order to break into their computers.
Around the Christmas holiday they created a site with a Christmas card and posted the link to it on Emily's social media profiles. People who visited the site were prompted to execute a signed Java applet that opened a reverse shell back to the attack team via an SSL connection.
The attack used built-in Java functionality to get the shell instead of exploiting a vulnerability and required user interaction, but despite these technical limitations, it was very successful, according to Lakhani.
Once they had a shell, the team used privilege escalation exploits to gain administrative rights and was able to sniff passwords, install other applications and steal documents with sensitive information. Some of the documents included information about state-sponsored attacks and country leaders.
Even though it wasn't part of the plan, some employees who worked for contractors to the targeted government agency also fell for the Christmas card attack, including employees from antivirus companies, Lakhani said. In one case, one of the accidental victims was a developer with access to source code, he said.
A real attacker could have compromised one of these partner companies and then attacked the government organization through them, which would have made the attack much harder to detect, Lakhani said.
At one point the attack team saw that two of the organization's employees were talking on Facebook about the birthday of the head of information security at the agency. That person had no accounts on social media websites, so the team sent him an email with a birthday card that appeared to come from one of the two people talking about the event on Facebook.
The attack worked and after he opened the malicious birthday card link, his computer was compromised.
"This guy had access to everything. He had the crown jewels in the system," Lakhani said.
The whole social media deception project involving Emily Williams lasted three months, but the penetration testing team reached its goals within one week. "After that we just kept the project going for research purposes to see how far we can go," Lakhani said.
"After we performed this successful attack we got requests from other companies that wanted to try the same thing," Lakhani said. "So we also did the same type of penetration test for very large financial institutions like banks and credit card companies, healthcare organizations and other firms, and the results were almost exactly the same."
"Every time we include social engineering in our penetration tests we have a hundred percent success rate," he said. "Every time we do social engineering, we get into the systems."
According to Lakhani, the fundamental problem is that people are trusting and willing to help others. Many also don't think it could happen to them because they don't have an important enough position within an organization, but they don't realize how their actions could help an attacker gain credibility.
The Emily Williams attack started by targeting low-level employees like sales and accounting staff, but as the social network around her grew, the attack team was able to target more technical people, security people and even executives.
The experiment also shows that attractive women get special treatment in the male-dominated IT industry. The majority of individuals who went out of their way to help Emily Williams were men. The team actually tried a similar test in parallel with a fake male social media profile and got no useful connections.
According to Lakhani, social engineering awareness training can help, but it's not going to work if it's done on an annual basis. It needs to be constant training, so that employees develop instincts. In fact, the organization targeted in this attack was doing security awareness training for their employees.
"In the military it's called situational awareness," Lakhani said. "We need to develop situational awareness for this type of attack."
Other recommendations that Lakhani made during the talk include: questioning suspicious behavior and reporting it to the human relations department, not sharing work-related details on social networks, not using work devices for personal activities, protecting access to different types of data with strong and separate passwords, and segmenting the network so that if attackers compromise an employee with access to one network segment they can't access more sensitive ones.
