Social engineering tricks U.S. security agency into baring all

There have been weekly reports of the alleged omnipotence of U.S. intelligence agencies, giving the impression they are on the leading edge of offensive IT security.

Apparently, however, at least one of those agencies doesn’t know how to play defence. According to a presentation this week at the RSA European security conference, the agency fell for one of the oldest tricks, a person pretending online to be an employee.

Also known as a social engineering attack, it was an authorized test of the unnamed agency’s ability to protect itself. It failed utterly. After getting inside the firewall, hackers were able to launch sophisticated attacks.

How’d they do it? The hackers used phony Facebook and LinkedIn profiles to build an online identity for a woman named “Emily” who said she was a new hire at the agency. Then other employees began connecting to her pages.

(Here’s a neat touch – for a photo they used a picture of a waitress at a restaurant used by many of the agency’s staff. No one recognized her.)

Soon helpful staff sent her a work laptop and network access. Normally that would have been a freeway into the agency. However, the hackers had a better idea: They created a Web site with a Christmas card and posted a link to it on Emily’s social media pages. Any agency staffer that clicked on the link executed a signed Java applet that opened a reverse shell back to the hackers, and eventually they gained administrative rights.

The ultimate prize was won by accessing the PC of the head of information security, who must have felt invulnerable to these types of attacks because he didn’t have any social media subscriptions. So the hackers sent him an email with a link to a birthday card that appeared to come from a staffer he knew. He took the bait.

Aside from demonstrating what real penetration testing teams do, the story also shows how social engineering gets people suckered into risky behavior. A person online says they’re an employee of a large organization – who’d doubt that? Especially if those following her online are real colleagues. You do have a birthday this week – why wouldn’t you click on a link to a birthday card from someone who you apparently know?

The lesson: Warn staff about proper security behavior regularly. Even IT pros can be fooled.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
