Support 100 years of independent journalism.

15 November 2013

Hacking is easy if you lure security contractors with fake flirting

Two hackers have shown how easy it is to get around sophisticated security systems by going for the weak point - human nature.

By Ian Steadman

There are many ways to approach breaking into a computer network at a government or corporation to grab some sensitive information. One of those is, arguably, easier than the others, and more effective, and requires little in the way of technical skills. It’s pretending to be an attractive woman and flirting with the right people.

Seduction has been used for espionage for years. In the Cold War, so-called ‘honeypots’ were a crude but effective way of trapping foreign agents in compromising situations and using as a way to blackmail them for information. The human capacity to let our genitals override our heads is never worth underestimating.

Aamir Lakhani and Joseph Muniz created a fake female profile on Facebook and LinkedIn, established their credentials – things like fake job histories, making friends, soliciting endorsements, and messaging people in character – and found it was remarkably easy to get people to trust them with confidential information.

Their fake woman, “Emily Williams”, was created in 2011 with the specific aim of hacking into a specific government agency. “She” had graduated from the University of Texas, and had a profile picture voluntarily given by a waitress at a branch of Hooters a few blocks down the street from the target building. ZDNet has the story:

Before zeroing in on the government target’s employees, Lakhani and Muniz built up Miss Williams’ presence on social media, netting her hundreds of connections, with only one man flagging her as suspicious.

Sign up for The New Statesman’s newsletters Tick the boxes of the newsletters you would like to receive. Quick and essential guide to domestic and global politics from the New Statesman's politics team. The best of the New Statesman, delivered to your inbox every weekday morning. The New Statesman’s global affairs newsletter, every Monday and Friday. A handy, three-minute glance at the week ahead in companies, markets, regulation and investment, landing in your inbox every Monday morning. Our weekly culture newsletter – from books and art to pop culture and memes – sent every Friday. A weekly round-up of some of the best articles featured in the most recent issue of the New Statesman, sent each Saturday. A weekly dig into the New Statesman’s archive of over 100 years of stellar and influential journalism, sent each Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy

Another man asked how Emily might know him, and when the researchers answered with information they obtained in the man’s profile, he said he did indeed remember the imaginary girl.

Once Wiliams had friends, the hackers updated her Facebook and LinkedIn profiles with just-hired status at the government target, and gave her an engineering title. The attractive, imaginary young woman connected with the target’s employees via social media and connected with Human Resources, IT Support, Engineering and those in executive leadership roles.

The congratulations for “her” new job rolled in.

The so-called “penetration test” was meant to take 90 days, but it only took a week for Emily Williams to be accepted as real by colleagues who had never even met her. Then, the fun began.

“Emily” sent e-cards to colleagues near Christmas, containing a link that downloaded malware onto their computers that let the hackers figure out peoples’ passwords. Male employees, convinced that they were flirting with a real woman, circumvented normal channels to give “her” access to the internal work network, and one man even sent “her” a company laptop. Lakhani and Muniz, presenting their work at RSA Europe 2013 last month, claim they managed to access documents that were above the clearance level for an entry-level employee like Emily Williams quite easily.

The two hackers were influenced by Robin Sage, an infamous fake profile created by security specialist Thomas Ryan in 2009. After creating social media profiles for Robin – an attractive, young woman with unusually impressive IT security experience – and messaging around 300 technology and military firms, “she” was offered consulting jobs and dates by some who failed to verify her identity.

In these cases it’s clear that the security protocols and encryption methods used by these firms – firms that have some very sophisticated tools to try and fed off cyber-attack – are absolutely useless once unreliable, emotional humans get involved. Security is only as good as the weakest link, but there’s quite a fundamental problem if that weakest link is human nature.