The penetration testing team controlling the fake identity didn't use the work laptop and network access they obtained. Instead, they decided to launch more sophisticated social engineering attacks against employees in order to break into their computers.
Around the Christmas holiday they created a site with a Christmas card and posted the link to it on Emily's social media profiles. People who visited the site were prompted to execute a signed Java applet that opened a reverse shell back to the attack team via an SSL connection.
The attack used built-in Java functionality to get the shell instead of exploiting a vulnerability and required user interaction, but despite these technical limitations, it was very successful, according to Lakhani.
Once they had a shell, the team used privilege escalation exploits to gain administrative rights and was able to sniff passwords, install other applications and steal documents with sensitive information. Some of the documents included information about state-sponsored attacks and country leaders.
Even though it wasn't part of the plan, some employees who worked for contractors to the targeted government agency also fell for the Christmas card attack, including employees from antivirus companies, Lakhani said. In one case, one of the accidental victims was a developer with access to source code, he said.
A real attacker could have compromised one of these partner companies and then attacked the government organization through them, which would have made the attack much harder to detect, Lakhani said.
At one point the attack team saw that two of the organization's employees were talking on Facebook about the birthday of the head of information security at the agency. That person had no accounts on social media websites, so the team sent him an email with a birthday card that appeared to come from one of the two people talking about the event on Facebook.
The attack worked: after he opened the malicious birthday card link, his computer was compromised.
"This guy had access to everything. He had the crown jewels in the system," Lakhani said.
The whole social media deception project involving Emily Williams lasted three months, but the penetration testing team reached its goals within one week. "After that we just kept the project going for research purposes to see how far we can go," Lakhani said.
"After we performed this successful attack we got requests from other companies that wanted to try the same thing," Lakhani said. "So we also did the same type of penetration test for very large financial institutions like banks and credit card companies, healthcare organizations and other firms, and the results were almost exactly the same."
"Every time we include social engineering in our penetration tests we have a hundred percent success rate," he said. "Every time we do social engineering, we get into the systems."