Let’s talk about three social engineering attacks that caused great damage.
Diamonds, diamonds, DIAMONDS
If you’re planning on stealing USD$27.9 million worth of diamonds, then all you need is some chocolate and a smile. No, seriously.
A mystery man walked into an ABN Amro bank in Belgium back in 2007 and walked out with a large amount of diamonds and other gems weighing 120,000 carats.
The man, who is still at large, walked in through the front door at regular hours, skipped through all security measures and walked out with the loot.
“He used one weapon — and that is his charm — to gain confidence,” Philip Claes, spokesman for the Diamond High Council, said at the time. “He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original of keys to make copies and got information on where the diamonds were.”
Associated Press Twitter hijack
Back in 2013, the Associated Press Twitter account was taken over by the Syrian Electronic Army (SEA), which posted the following tweet.
Within moments the markets reacted: the Dow Jones Industrial Average dropped 150 points as the tweet was retweeted, and the Standard & Poor’s 500 Index fell about 1%, briefly losing USD$136 billion in value before quickly rebounding.
The SEA was able to gain access to the Twitter account through a phishing email sent to several Associated Press employees:
From: [An AP staffer]
Hello, Please read the following article, it’s very important : http://www.washingtonpost.com/blogs/worldviews/wp/2013/04/23/
[A different AP staffer]
Clearly a well-put-together phishing email, apart from the fact that the signature doesn’t match the sender. All it took was one AP staffer clicking the link, which didn’t actually point to the Washington Post but to a malicious site instead.
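The trick that caught the AP staffer is that the visible link text named washingtonpost.com while the underlying href went somewhere else. That mismatch is mechanical enough for a mail gateway or a security-awareness tool to check. The following is an added example written for this post, not code from the original article or from any of the organisations mentioned: it parses an HTML email body with Python’s standard library, compares the host named in each link’s visible text with the host the href actually resolves to, and reports the pairs that disagree. The sample email body and the `phish.example` landing host are constructed for the demonstration.

```python
"""Flag links in an HTML e-mail whose visible text names a different host than the href."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the AP phishing message: the visible text names
# washingtonpost.com, but the href points at a placeholder phishing host.
SAMPLE_EMAIL = """<p>Hello, Please read the following article, it's very important :
<a href="http://phish.example/landing">http://www.washingtonpost.com/blogs/worldviews/wp/2013/04/23/</a></p>
<p>Also see <a href="https://www.washingtonpost.com/">www.washingtonpost.com</a> for the homepage.</p>"""

# Visible text only counts as "naming a host" if it looks like a hostname.
_HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or '' if there is none.
    Text without a scheme ('www.washingtonpost.com/x') is treated as http."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:  # malformed netloc, e.g. stray brackets
        return ""


def find_mismatched_links(html_body):
    """Return (visible_text, href) pairs where the visible text names a host
    that is neither the href's host nor a parent domain of it."""
    parser = _LinkCollector()
    parser.feed(html_body)
    mismatches = []
    for href, text in parser.links:
        text_host = host_of(text)
        if not _HOST_RE.fullmatch(text_host):
            continue  # plain words like "click here" cannot mislead about the host
        href_host = host_of(href)
        if href_host != text_host and not href_host.endswith("." + text_host):
            mismatches.append((text, href))
    return mismatches


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: text says {text!r} but link goes to {href!r}")
```

Run against the sample body, only the first link is reported; the second link’s text and href agree on `www.washingtonpost.com`, and the parent-domain rule keeps `washingtonpost.com` text pointing at a `www.washingtonpost.com` href from producing noise. A lookalike such as `www.washingtonpost.com.phish.example` is still flagged, because it is not a subdomain of the host the text names. The check says nothing about links whose text is just words, which is why user training on hovering over links remains necessary alongside it.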
RSA SecurID breach
Adobe Flash and vulnerabilities go hand in hand, which is unfortunate for RSA’s SecurID.
Back in 2011, RSA employees received two phishing emails, which would ultimately lead to SecurID’s two-factor authentication system being compromised – costing RSA $66 million.
RSA said in a blog post:
“The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high-profile or high-value targets. The email subject line read ‘2011 Recruitment Plan.’
“The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled ‘2011 Recruitment plan.xls.’
“The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).”
Next week, I’ll be writing about other techniques that are used in social engineering, and the stories are magnificent. Subscribe to our Daily Sentinel below to ensure you don’t miss out.