We all know by now that the most vulnerable aspect of any organization isn’t usually a weak point in the hardware or software components of an information system. It’s in the wetware, the human minds of the users of the system.
Social engineering defense definitely isn’t the sexiest aspect of network and information security, but you defend your weaknesses or you get beat. This means anyone thinking about entering the cybersecurity field today had better be prepared to educate people within the organization on protocols for defending against social engineering attacks.
Social engineering may be the oldest type of attack on information systems, too, going all the way back to the original Trojan Horse… You could even say Odysseus was the first hacker to use social engineering to circumvent security protocols.
But he sure wasn’t the last.
According to Computer Weekly, social engineering attacks were the most common hacking technique used in 2015. And there’s no sign of it slowing down; in 2016 60 percent of enterprises were victims of a social engineering attack of some kind. And according to EMC, phishing attacks—the easiest and most common type of social engineering attacks—resulted in nearly $6 billion in losses in 2013 alone, spread out over some 450,000 separate compromises.
Some hurt worse than others, but all resulted in a serious enough shake-up for security managers to recalibrate their respect for the vector, take a long hard look at their protocols, and make educating staff a top priority.
Here’s our pick for five of the biggest social engineering attacks of all time.
2011 RSA SecurID Phishing Attack
Security firms should be the most secure targets when it comes to any type of information system attack, but they are also juicy targets that draw more than their fair share of attempts.
In 2011, one of these attacks bit encryption giant RSA and succeeded in netting hackers valuable information about the company’s SecurID two-factor authentication fobs.
Although RSA initially denied that the information could help hackers compromise anyone using SecurID, defense contractor Lockheed Martin soon detected hackers attempting to breach their network using stolen SecurID data. RSA backpedaled quickly and agreed to replace most of the distributed security tokens.
All this trouble boiled down to four employees at RSA parent corporation EMC. Attackers sent them email with a spoofed address purporting to be at a job recruitment website, with an Excel attachment titled 2011 Recruitment Plan. It wasn’t even clear why the employees would care about a spreadsheet from a third-party website, but they opened it—and a zero-day Flash exploit buried in the spreadsheet installed backdoor access to their work machines that soon laid open the keys to the kingdom.
2015 Ubiquiti Networks Scam
Not all hackers are looking for sensitive information; sometimes they just want cold, hard cash.
In 2015, Ubiquiti, a specialized manufacturer of wifi hardware and software based in San Jose, found this out the hard way when their finance department was targeted in a fraud scheme revolving around employee impersonation.
The company never revealed exactly how the attack was structured, but did say that the accounting department received email purporting to be from the company’s Hong Kong subsidiary. Often, such emails contain instructions regarding changes in payment account details or new vendors to be credited. Without verification, the accounting department simply followed the instructions.
The scheme resulted in transfers totaling almost $47 million to various overseas accounts they thought belonged to current vendors… but, in fact, the money simply filtered directly into accounts owned by the hackers.
Ubiquiti was able to recover around $8 million of those funds but most of the rest were permanently lost.
2013 Department of Labor Watering Hole Attack
Watering hole attacks are some of the broadest social engineering exploits but also some of the hardest for cybersecurity professionals to measure in terms of how much information was actually compromised.
In a watering hole attack, cyber criminals set up a website or other resource that appears to be official and legitimate and wait for victims to come to them. Unless those victims come forward, it’s hard to know who was snared.
It was particularly difficult in 2013 when a server at the U.S. Department of Labor was hacked and used to host a variety of malware and to redirect certain visitors to a site that used a zero-day Internet Explorer exploit to install a remote access Trojan named Poison Ivy.
The pages that were infected were apparently carefully selected: all had something to do with toxic nuclear substances overseen by the Department of Energy. Likely targets were DoL and DOE employees with access to sensitive nuclear data.
The government, understandably, never released how many had been infected or whether sensitive data had been compromised. Perhaps the most disturbing part of the incident is the fact that the attackers were never identified. But considering the nature of the information being sought, the attack illustrates the deadly serious nature of cybersecurity.
2014 Sony Pictures Hack
It would have been funny if it hadn’t put tensions on edge between two nuclear powers.
When a group of North Korean hackers targeted Sony Pictures in a successful phishing attack in 2014, all signs pointed to an unlikely motive: the fact that the film production juggernaut was set to release The Interview, a new Seth Rogen comedy about two journalists attempting to assassinate the Supreme Leader of North Korea, Kim Jong Un.
What American audiences thought would be a quick gag was no laughing matter to the North Koreans, apparently. Since internet access in North Korea is tightly controlled, it’s all but certain that the attackers were part of a government-led effort aimed at getting the studio to pull the movie.
That’s exactly what happened, although not exactly in the way the Korean hackers might have hoped… Citing concerns over the possibility of terrorist action and the fact that some theater chains were refusing to carry the film, Sony released it online for free… essentially shooting the hostage before the Koreans could do so.
The incident escalated to the point where the U.S. National Security Council became involved, concerned that as the incident unfolded, it could spark a war on the Korean Peninsula.
In the end, war was averted but Sony suffered substantial financial losses and had several other pictures and a considerable amount of employee data leaked online thanks to the hackers.
2013 Yahoo Customer Account Compromise
It’s easy to get inured to big numbers when you are investigating cyberattacks, but these are people we’re talking about here.
Hundreds of probes per second or thousands of accounts being compromised may be no big deal. But when you look at what happened to Internet giant Yahoo in 2013 when a semi-privileged engineer at the company made the mistake of falling for a spearphishing message that ended up in his email inbox, you need to sit down and take firm hold of your chair. With the access they gained, the hackers compromised every single customer account at the company—more than 3 billion accounts.
The data promptly went up for sale on the dark web, likely used from there to launch attacks on other targets using the personal information lifted from those accounts.
It may be the single largest breach of all time in terms of individual records compromised.
Naturally, Yahoo wasn’t eager for the breach to be revealed. Early reports identified a modest 500 million accounts as compromised, and it wasn’t until four years later, in October of 2017, that the true number came out.
By then, of course, it was far too late for the other affected users to protect themselves. But it’s some indication of what cybersecurity professionals are up against when relying on open-source reporting of major breaches—take it all with a grain of salt.