By James Nye
PUBLISHED: 00:44 EST, 4 November 2013 | UPDATED: 08:03 EST, 4 November 2013
Two hackers staged a successful cyber-attack on an unidentified U.S. government agency simply by setting up fake LinkedIn and Facebook accounts posing as an attractive and smart young lady.
Creating social media profiles for a pretty 28-year-old girl named Emily Williams, the two online security experts even managed to con government employees out of a laptop and their highly classified network credentials.
The researchers even managed to persuade staff at the agency, which is known for its cyberspace defenses, to click on a malicious e-card that harvested passwords and sensitive documents, which according to the hackers included information on state-sponsored attacks and individual country leaders.
The attack, which predated the Edward Snowden disclosures, was an officially sanctioned penetration test carried out last year by Aamir Lakhani and Joseph Muniz, employees of the Texas-based firm World Wide Technology.
Explaining their findings to an audience at the RSA Europe 2013 conference on Wednesday, October 30, Lakhani said of the employee who clicked the compromised e-card, ‘This guy had access to everything. He had the crown jewels in the system.’
Lakhani, who works as a solutions architect at World Wide Technology, refused to reveal which agency was infiltrated but said that the attack began last year and was conducted against an agency that specializes in cybersecurity and protecting national secrets.
The test began with the creation of 28-year-old Emily Williams, a fictitious MIT graduate with 10 years’ IT experience, complete with fully functional fake social media profiles.
To give Williams a face, Lakhani sought and obtained the permission of a waitress at a Hooters near the targeted agency’s offices to use her photographs; however, according to ZDNet, no one recognized her during the three-month test.
Bolstering her fake profile, the team created further fake accounts on other websites and forums, posting under her name, including on MIT-related sites.
Launching the profile of Emily Williams, Lakhani discovered that within the first 15 hours, Williams had made 60 Facebook connections and 55 LinkedIn connections with employees from the targeted agency and its sub-contractors.
Incredibly, she had three job offers from three companies within 24 hours of her online presence being launched.
The experiment was designed to exploit a fundamental problem with online security, namely that people are trusting, and that attractive women receive preferential treatment in the male-dominated IT industry.
This was borne out by the fact that a similar test using a fake male persona made zero connections.
More worrying for governmental online security, Lakhani revealed that the team had achieved their objective of infiltrating the agency within one week, but carried on for a further 90 days.
Lakhani and Muniz carefully curated the fake identity of Williams netting hundreds of connections.
When one slightly suspicious man asked ‘Emily’ how she knew him, the researchers replied with information taken from his own profile, prompting the man to reply that he did remember her.
Once she had made connections in the agency’s Human Resources and IT Support departments and with executives, Lakhani and Muniz simply updated her profile to show she had just been hired by the agency.
Then came the hackers’ biggest deception, the one that seriously compromised security.
Sending seasonal e-cards to specific Facebook friends of ‘Emily’s’, the hackers waited for the recipients to click the link, which loaded a page running the Browser Exploitation Framework (BeEF) and gave them a foothold in the victims’ browsers from which to reach sensitive material on their computers.
Their deception went further: ‘Once we hooked the target, we would look for passwords and insider information to gain access to the target agency,’ said Lakhani.
‘We launched three campaigns targeting systems during Thanksgiving, Christmas and New Year’s.
‘We were able to figure out domain credentials to create an inside email address for Emily Williams, VPN passwords to gain internal access and other methods to compromise our target.’
Lakhani and Muniz may have angered some government employees, but the pair enjoyed such success they now have requests from other companies and organizations to try the same test.
In the RSA talk last week Lakhani said, ‘So we also did the same type of penetration test for very large financial institutions like banks and credit card companies, healthcare organizations and other firms, and the results were almost exactly the same.
‘Every time we include social engineering in our penetration tests we have a hundred percent success rate.’
Read more: http://www.dailymail.co.uk/news/article-2486975/How-fake-Femme-fatale-created-hackers-carried-cyber-attack-high-level-U-S-government-agency.html