Social Engineering’s New Poster Child: Emily Williams


Social Engineering the U.S. Government

When you hear the last name “Williams” you usually think of celebrities such as Venus, Serena or even Robin. Depending on what circles you travel in, you should add Emily to that list. Emily is not a famous athlete or Hollywood starlet. She is not even a famous inventor or entrepreneur with the next “big thing”. Emily is responsible for infiltrating a “Large U.S. Government Agency” by using Facebook and LinkedIn along with some simple social engineering tactics. Interestingly, the Agency, which remains unnamed, is described as being “known for its cyberspace defenses”.

The Simplification of Social Engineering

Texas-based World Wide Tech (WWT) was contracted by the United States Government last year to perform specific penetration tests within very specific departments of various agencies. {Enter Emily Williams} Two penetration testers from WWT created the fictitious “Emily” in order to launch a full-scale social engineering attack on a specific U.S. Government Agency. The testers used the picture (with full authorization) of a waitress at a restaurant that many of the targets frequent, yet none of them recognized the picture. “Emily Williams”, as she was named, was a 28-year-old MIT graduate with 10 years of experience in the information technology field. Within 24 hours of setting up the false account, WWT reported that Emily Williams had:

  • 60 Facebook connections
  • 55 LinkedIn connections with employees from the targeted agency and its contractors
  • Three job offers from other companies
  • Information from male staffers who offered to circumvent the normal channels for new hires

Over the following months, “Emily” was able to procure an agency laptop and network access. (WWT received but did not use the laptop or network access.) All of this was done with no face-to-face contact or formal interview process. “Emily” also received a number of “endorsements” on LinkedIn for her skills. Approaching Christmas time of last year, the team at WWT rigged “Emily’s” profiles with a Java applet linked to a Christmas card posting. The applet launched an attack that used privilege escalation exploits to gain administrative rights. Similar experiments were run during Thanksgiving and New Year’s as well. The truly scary part about this entire attack is that the objective was met in only one week, though WWT continued the project for another 90 days after their initial success. One of the highlights of the breach was when the team sent a “birthday email” to the department head. The email, seemingly sent by a coworker, actually opened up full administrative rights to the ENTIRE NETWORK! Stop the madness!!

Security Awareness Training for Social Engineering

There is one sure-fire way to help avoid social engineering exploits such as this one. Security awareness training for all employees at all levels would have educated the workforce and raised awareness of these types of security concerns. Prior to this, though, it is also imperative to establish appropriate written security policies and procedures that are then rolled out to the staff through security training and awareness. If this had been done properly, it would have triggered a number of security ‘red flags’ and put up walls to get through, both digital and human. “Emily” was able to quickly and efficiently penetrate the physical network through relational social engineering. If employees were appropriately trained to carry out their day-to-day job duties according to the specific policies and procedures set forth by upper management, they may not have been so quick to post sensitive “work” information on “personal” websites. (This is what led to the birthday card debacle.)

This example scenario repeats itself in actual cyber attacks throughout the world many times each day and does not discriminate by market, person, race, creed or sex. This means that any organization of any size and industry, and any employee, regardless of rank or title, may be subject to the exact same type of attack described above. We would recommend a Security Risk Assessment to identify the threats and vulnerabilities inherent in your organization and to gain perspective on your organization’s overall information security risks. If you would like to “get a handle” on your company’s IT security posture, please CONTACT US today for more information on Loricca’s world class Solutions and Services.
