US agency employees let invented woman expert into the network

Once again, and more spectacularly, security researchers have proved that attackers wielding a fake LinkedIn account sporting the image of an attractive woman claiming to be an expert in the cyber security business can trick even security-aware IT employees into letting their guard down.

Cyberdefense specialist Aamir Lakhani and his team from World Wide Technology were tasked with penetrating an unnamed US government agency whose employees are supposedly highly cybersecurity-aware, and they opted to do it via fake social networking accounts under the name of “Emily Williams”.

Improving on the research done in 2009 and 2010 by security specialist Thomas Ryan, who successfully duped some 300 security specialists, military personnel, and defense contractors into sharing personal and confidential business information with the invented cybersecurity hottie Robin Sage, who contacted them via social media accounts, Lakhani and his team went deeper (or higher, as it were).

Robin Sage’s fake nature was recognised by quite a few of the targets, as her claims of graduating from MIT and working 10 years in cyber security (despite being only 25 years old) were dismissed as improbable and could not be verified via online records or the MIT alumni network.

Lakhani, whose “Emily Williams” also claimed to be an MIT graduate, tried to solve that problem by putting information about her on different websites, posting in her name on MIT forums, and so on.

Emily Williams weaselled her way into the target agency by claiming on LinkedIn and Facebook that she had been hired by it. According to a report by Lucian Constantin, it took her only 15 hours to get over 55 Facebook connections and LinkedIn connections with employees from the targeted organisation and its contractors. She also garnered three job offers in the first 24 hours she was present on those social networks.

As time passed, male employees offered to help her with getting a work laptop and access to the agency’s network faster (the researchers received but used neither). After the researchers set up a booby-trapped site with a Christmas card and posted the link to it on her social media accounts, many agency employees visited the site and were tricked into allowing a reverse shell to be opened into their computers. This let the researchers into those computers and the agency’s network, where they sniffed passwords, stole documents, and so on.

They even managed to compromise the system of the head of information security at the agency – despite him not having social media accounts. They did that by discovering that the person in question had a birthday coming up and sending him an electronic birthday card with a malicious link via email.

The worst part is that this experiment lasted for three months even though the researchers managed to do all this in just a week – meaning that neither the attack nor Emily’s true nature was discovered for that long.

Lakhani says that this type of penetration testing attack was replicated for other companies in the financial and healthcare industries, and the results were practically the same.

“Every time we include social engineering in our penetration tests we have a hundred percent success rate,” he said, and that’s something that should worry everybody.

The difficulties in solving this problem are many.

For one, people are (too) trusting and willing to help others, says Lakhani. Secondly, people low in the company or agency hierarchy don’t expect to be targeted because they don’t consider their position important enough, and are not aware that most attackers usually start their incursions by specifically targeting these “lowly” employees.

Finally, the (mostly) male workforce of the IT industry is clearly less circumspect when it comes to helping an attractive woman – the same experiment made through a male social media profile was not successful.

Lakhani also pointed out that for social engineering attacks to be spotted by employees, security awareness training has to be conducted often enough to make them develop an instinct for it.

Other things that organisations can do to protect their employees and their network from this type of attack are creating an effective reporting system for these attacks – one that will let other employees know that an attack is ongoing and what form it takes – as well as segmenting their network and limiting employees’ access to data.

Employees, on the other hand, should refrain from sharing work-related information on social networks and from using work devices for personal activities, shared Lakhani at RSA Conference Europe 2013 held last week in Amsterdam.
