I first heard of the story, “Fake femme fatale dupes IT guys at U.S. government agency,” via a friend on Facebook who, when adding the link, stated, “My jaw dropped when I read this.”
My jaw didn’t drop, but I did find myself shaking my head. What it showed me is just how easily IT security professionals—or at least professionals who should be security savvy—can be duped. And if these folks are being fooled, how little does it take for an employee with very little online security background to be conned by social engineering?
The story tells how hackers created a fake profile for a beautiful woman (the woman was real; apparently she was a waitress at a restaurant near the government agency where this breach happened). The hackers used this fake profile on social media outlets to infiltrate employee networks. You know how social networks expand—it appeared no one questioned the many red flags in this fake profile—and the level of access she reached kept increasing until… boom… the network was infected.
This was not some random hacking event, however. According to Help Net Security:
Cyberdefense specialist Aamir Lakhani and his team from World Wide Technology have been tasked with penetrating an unnamed U.S. government agency whose employees are supposedly highly cybersecurity-aware, and they opted to do it via fake social networking accounts under the name of “Emily Williams.”
One interesting and important side note to this story is that when the hackers tried to create a fake male profile, no connections were made. The suspected reason for this sounds sexist, but the targeted group, a male-dominated IT department, was willing to “friend” the beautiful woman but not the man. The test showed that people are too trusting, and that they think that if they are at the bottom of the company totem pole, they aren’t targets, as the Help Net Security article stated:
For one, people low in the company or agency hierarchy don’t expect to be targeted because they don’t consider their position important enough, and are not aware that most attackers usually start their incursions by specifically targeting these ‘lowly’ employees.
That attitude goes hand-in-hand with the attitude of SMBs who think that a small business isn’t as attractive a target as a large, wealthy corporation. The bottom line is, hackers will attack where they think they have the best shot of gathering the data they are looking for.
This hacking event shows just how smart the bad guys can be and just how easy it is to trick just about anyone. When it comes to cybersecurity, you can’t let down your guard for one second—not even for a pretty face.