
How ‘high-level U.S. government agency’ fell for fake femme fatale created by two hackers

By James Nye

PUBLISHED: 00:44 EST, 4 November 2013 | UPDATED: 08:03 EST, 4 November 2013

Two hackers staged a successful cyber-attack on an unidentified U.S. government agency simply by setting up fake LinkedIn and Facebook accounts posing as an attractive and smart young lady.

Creating social media profiles for a pretty 28-year-old girl named Emily Williams, the two online security experts even managed to con government employees out of a laptop and their highly classified network credentials.

The researchers even managed to persuade staff at the agency, which is known for its cyberspace defenses, to click on a corrupted e-card that obtained passwords and sensitive documents which, according to the hackers, included information on state-sponsored attacks and individual country leaders.

Duped: This photograph of Emily Williams is blurred to protect the identity of the real woman who worked in a restaurant near to the U.S. government agency who was instrumental to convincing staff to reveal classified information

The pre-Edward Snowden attack was officially sanctioned as a test within the U.S. and carried out last year by security experts Aamir Lakhani and Joseph Muniz, employees of Texan firm World Wide Technology.

Explaining their findings to an audience at the RSA Europe 2013 tech conference on Wednesday, October 30, Lakhani said of the compromised e-card clicker, ‘This guy had access to everything. He had the crown jewels in the system.’

Lakhani, who works as a solutions architect at World Wide Technology, refused to reveal which agency was infiltrated but said that the attack began last year and was conducted against a firm which specializes in cybersecurity and protecting national secrets.

The test began with the creation of 28-year-old Emily Williams, a fictitious MIT graduate with 10 years' IT experience, complete with a fully functional fake social media profile.

For this, Lakhani sought and gained the permission of a local woman who worked as a waitress at a Hooters near to the targeted agency’s offices. However, no one during the three-month test seemed to recognize her, according to ZDNet.

Bolstering her fake profile, the team created fake profiles on other websites and forums, posting on MIT using her name.

Convincing: This exchange shows how 'Emily Williams' made some employees of the unidentified government agency believe they were talking with an old friend

Launching the profile of Emily Williams, Lakhani discovered that within the first 15 hours, Williams had made 60 Facebook connections and 55 LinkedIn connections with employees from the targeted agency and its sub-contractors.

Incredibly, she had three job offers from three companies within 24 hours of her online presence being launched.

The experiment was created to exploit a fundamental problem with online security: mainly that people are trusting, and also that attractive women experience preferential treatment in the male-dominated IT industry.

This was borne out by the fact that a similar test using a fake male persona made zero connections.

Infiltrator: Aamir Lakhani, who works for Texas based firm World Wide Technology demonstrated how easily men in the technology world are duped by a pretty woman

More worrying for governmental online security is the fact that Lakhani revealed that the team had achieved their objective of infiltrating the agency within one week, but carried on for a further 90 days.

Lakhani and Muniz carefully curated the fake identity of Williams, netting hundreds of connections.

When one slightly suspicious man asked ‘Emily’ how they knew him, the researchers replied with information they got from his own profile, prompting the man to reply that he did remember her.

Once she had made connections in the agency’s Human Resources and IT Support departments and with executives, Lakhani and Muniz simply updated her profile to ‘just hired’.

And then came the hackers’ biggest deception, one that seriously compromised security.

Sending seasonal cards to specific Facebook friends of ‘Emily’s’, the hackers waited for the recipients to click, accessing their computers’ most classified details through programs such as the Browser Exploitation Framework (BeEF).

Their deception went further: ‘Once we hooked the target, we would look for passwords and insider information to gain access to the target agency,’ said Lakhani.

‘We launched three campaigns targeting systems during Thanksgiving, Christmas and New Year’s.

‘We were able to figure out domain credentials to create an inside email address for Emily Williams, VPN passwords to gain internal access and other methods to compromise our target.’

Lakhani and Muniz may have angered some government employees, but the pair enjoyed such success they now have requests from other companies and organizations to try the same test.

In the RSA talk last week Lakhani said, ‘So we also did the same type of penetration test for very large financial institutions like banks and credit card companies, healthcare organizations and other firms, and the results were almost exactly the same.

‘Every time we include social engineering in our penetration tests we have a hundred percent success rate.’

Read more: http://www.dailymail.co.uk/news/article-2486975/How-fake-Femme-fatale-created-hackers-carried-cyber-attack-high-level-U-S-government-agency.html#ixzz2jhIH145F
