30 May 2015

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com


IT guys get duped by pretty girl on social media

13 January 2014

The defenses of a U.S. government agency were breached by an experimental scam run by security researchers.


The “scam” involved Emily Williams, a fictitious attractive woman with a credible online identity (including a real photo, used with the permission of the woman it depicted), posing as a new hire at the targeted agency.

Within 15 hours, the fake Emily had 55 LinkedIn connections and 60 Facebook friends among the targeted agency’s employees and contractors. Job offers came in, along with offers from men at the agency to help her settle into her new job.

Around Christmas time the security experts placed a link on Emily’s social media profiles linking to a Christmas card site they created.

Visits to this site led to a chain of events culminating in the security team stealing highly sensitive information from the agency. Companies that partnered with the agency were also compromised.

The experimenters got what they sought within one week. The same penetration scam was then run against credit card companies, banks and healthcare organizations, with very similar results.

An authentic attacker could have easily compromised any of the partner companies, then attacked the agency through them, making the assault more difficult to detect.

Recap: The scam was built from the ground up, inflating Emily’s social network until it enabled the attack team to draw in security personnel and executives. Most of the people who assisted Emily were men. A similar experiment using a fake male profile had no success.

How to avoid getting suckered into social media scams

  • For agencies and other organizations, social engineering awareness training is crucial, and it must be done continuously, not just once a year as is typical.
  • Suspicious behavior should always be questioned.
  • Suspicious behavior should be reported to the human relations department instead of shared on social networks.
  • Work devices should not be used for personal activities.
  • Access to various types of data should be protected with separate and strong passwords.
  • The network should be segmented to guard against scammers infiltrating a network segment simply because an employee with access to another segment was compromised.
  • Learn from this. Reverse engineer this same scenario in your own life or organization to see how this might happen to you.
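The segmentation point in the list above is easy to state and hard to picture. The following is an added example, not code from the original post: it models a network as a set of segments with an allow-list of permitted segment-to-segment flows and computes the "blast radius" of a single compromised employee host, that is, which sensitive assets an attacker can reach by moving transitively through every segment the policy lets them into. All segment names, assets and rules are constructed for illustration; a flat network (no policy) is included for contrast.

```python
"""Blast-radius check for a segmented network policy.

Added example (not from the original post). Models the mitigation
"segment the network so that one compromised employee does not expose
every segment" as a reachability computation over a constructed
allow-list of segment-to-segment flows. Every segment, asset and rule
below is constructed for illustration.
"""
from collections import deque

# Constructed segmentation policy: which segments may initiate
# connections to which. A segment that is absent or maps to an empty
# set may not initiate anything.
SEGMENTED_POLICY = {
    "user-workstations": {"intranet-web", "email"},
    "partner-vpn": {"intranet-web"},
    "admin-jump": {"app-tier"},
    "app-tier": {"database"},
    "intranet-web": set(),
    "email": set(),
    "database": set(),
}

# Sentinel for a flat network: every segment can reach every other.
FLAT_POLICY = None

# Constructed asset inventory: which segment holds which sensitive data.
ASSETS = {
    "user-workstations": [],
    "partner-vpn": [],
    "admin-jump": [],
    "intranet-web": ["wiki"],
    "app-tier": ["case-management"],
    "email": ["mailboxes"],
    "database": ["personnel-records", "contracts"],
}


def reachable_segments(start, policy, segments):
    """Return the set of segments an attacker who owns one host in
    `start` can reach, following allowed flows transitively (each
    segment they land on becomes a new launch point)."""
    if policy is None:  # flat network: no filtering between segments
        return set(segments)
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in policy.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(start, policy, assets=ASSETS):
    """Sorted list of assets exposed if one host in `start` is compromised."""
    segs = reachable_segments(start, policy, assets.keys())
    return sorted(a for s in segs for a in assets[s])


def main():
    # Compare what a single compromised workstation or partner VPN host
    # exposes on a flat network versus the segmented policy.
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        for entry in ("user-workstations", "partner-vpn", "admin-jump"):
            print(f"{name:9s} | entry via {entry:17s} -> {blast_radius(entry, policy)}")


if __name__ == "__main__":
    main()
```

On the flat network every entry point exposes all five assets; under the segmented policy a compromised workstation reaches only the wiki and mailboxes, a compromised partner VPN host only the wiki, and only the admin jump segment can get at the case system and personnel records. The same reachability walk can be run over an exported firewall or cloud security-group rule set to find the segments that quietly make a policy flat again.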


Blog updated: 29 May 2015 18:32:30
Tags: Security
