Defenses of a U.S. government agency were duped by an experimental scam created by security experts.
The “scam” involved Emily Williams, a fictitious attractive woman with a credible online identity (including a real photo, used with the permission of the woman pictured), posing as a new hire at the targeted agency.
Within 15 hours, the fake Emily had 55 LinkedIn connections and 60 Facebook friends, among them employees and contractors of the targeted agency. Job offers came, along with offers from men at the agency to help her with her new job.
Around Christmastime the security experts placed a link on Emily’s social media profiles to a Christmas card site they had created.
Visits to this site led to a chain of events that culminated in the security team stealing highly sensitive information from the agency. Partner companies of the agency were also compromised.
The experimenters got what they sought within one week. The same penetration scam was then run against credit card companies, banks and healthcare organizations, with very similar results.
A real attacker could easily have compromised any of the partner companies first, then attacked the agency through them, making the assault harder to detect.
Recap: The scam was built from the ground up, growing Emily’s social network until it let the attack team draw in security personnel and executives. Most of the people who assisted Emily were men. A similar experiment using a fake male profile had no success.
Preventing getting suckered into Social Media Scams
- For agencies and other organizations, social engineering awareness training is crucial, and it must be done continually, not just once a year as is typical.
- Suspicious behavior should always be questioned.
- Suspicious behavior should be reported to the human resources department rather than shared on social networks.
- Work devices should not be used for personal activities.
- Access to various types of data should be protected with separate and strong passwords.
- The network should be segmented, so that a scammer who compromises an employee with access to one segment does not automatically gain access to other segments.
- Learn from this. Reverse engineer this same scenario in your own life or organization to see how this might happen to you.
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.