Security experts used fake Facebook and LinkedIn profiles pretending to represent a smart, attractive young woman to penetrate the defenses of a U.S. government agency with a high level of cybersecurity awareness, as part of an exercise that shows how effective social engineering attacks can be, even against technically sophisticated organizations.
The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam by Aamir Lakhani, a counter-intelligence and cyberdefense specialist who works as a solutions architect at IT services provider World Wide Technology.
By building a credible online identity for a fake attractive female named Emily Williams and using that identity to pose as a new hire at the targeted organization, the attackers managed to launch sophisticated attacks against the agency's employees, including an IT security manager who didn't even have a social media presence.
The agency's name was not revealed, but Lakhani said it was a very secure one that specializes in offensive cybersecurity and protecting secrets, and one whose strong defenses had forced the testers to use zero-day attacks in previous tests in order to get through.
The penetration testing team claimed Emily Williams was a 28-year-old MIT graduate with 10 years' experience and set up her identity with as much real information as possible. For the fake social media profiles they even used the picture of a real woman -- with her approval -- who works as a waitress at a restaurant frequented by many of the targeted organization's employees. However, no one recognized her.
The team also set up information about her on other websites so people would be able to match the information on her social media profiles with information obtained through Google searches, Lakhani said. For example, since they claimed she was an MIT graduate, they posted on some university forums using her name.
The test was inspired by a similar 2010 experiment by security specialist Thomas Ryan, who created a fake online identity for a female cyberthreat analyst named Robin Sage and was able to befriend about 300 security professionals, military personnel and staff at intelligence agencies and defense contractors on social media websites.
However, Lakhani and his colleagues wanted to see how far they could take such a social media deception and what they could achieve through it.
Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies.
As time went on she started receiving LinkedIn endorsements for skills and men working for the targeted agency offered to help her get started faster in her alleged new job within the organization by going around the usual channels to provide her with a work laptop and network access. The level of access she got in this way was higher than what she would have normally received through the proper channels if she had really been a new hire, Lakhani said.