
IT guys get suckered in social media exploit

February 6, 2014 by Robert Siciliano — speaker, IDTheftSecurity.com

The defenses of a U.S. government agency were defeated by an experimental scam created by security experts. What's especially scary is how easily it was accomplished.

The scam involved Emily Williams, a very attractive and entirely fictitious woman with a credible online identity (including a real photo provided by a real woman), posing as a new hire at the targeted agency.

Within 15 hours, the fake Emily had 55 LinkedIn connections and 60 new Facebook friends — all employees of the targeted agency and its contractors. Job offers came, along with offers from men at the agency to assist her with her new job.

Around Christmastime the security experts placed a link on Emily’s social media sites linking to a Christmas card site they’d created.

Visits to this site led to a chain of events that culminated in the security team stealing highly sensitive information from the agency. Partner companies with the agency were also compromised.

The experimenters got what they were looking for within one week. The same penetration test was then run against credit card companies, banks and healthcare organizations, with very similar results.

A real attacker could just as easily have compromised one of the partner companies first and then attacked the agency through it, making the assault harder to detect.

Recap: The scam began from the ground up, inflating Emily’s social network until the attack team was able to suck in security personnel and executives. Most of the people who assisted Emily were men. A similar experiment using a fake male profile had no success.

How not to get suckered by social media scams:

  • for agencies and other organizations, social engineering awareness training is crucial, and must be done continuously, not just annually, as is typical;
  • suspicious behavior should always be questioned;
  • suspicious behavior should be reported to the human resources or security department instead of being shared on social networks;
  • work devices should not be used for personal activities;
  • access to different types of data should be protected with separate, strong passwords; and
  • the network should be segmented so that a scammer who compromises an employee in one segment cannot simply walk into another segment that employee never needed to reach.
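The last point is the one an engineer can actually measure. The following is an added example, not code from the article: it takes a hypothetical segment map and a short, constructed set of firewall log lines (modelled loosely on iptables/nftables LOG output; neither the addresses nor the format come from the agency in the story) and flags every accepted flow that crosses a segment boundary the policy does not permit. In this model a compromised workstation, or a compromised partner over VPN, should reach the sensitive-data segment only via the jump-host segment, so any direct accepted flow is a segmentation gap.

```python
"""Flag firewall-accepted flows that cross segment boundaries the policy does not permit.

Added example: the segments, policy and log lines below are constructed for
illustration and are not from the original article or any real organization.
"""
import ipaddress
import re

# Hypothetical segments. A compromised workstation should reach sensitive data
# only through the jump-host segment, never directly.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "partner_vpn": ipaddress.ip_network("10.20.0.0/16"),
    "sensitive_data": ipaddress.ip_network("10.50.0.0/24"),
    "jump_hosts": ipaddress.ip_network("10.50.1.0/24"),
}

# (source segment, destination segment) pairs the policy permits. Anything else
# that the firewall ACCEPTs is a segmentation gap worth investigating.
ALLOWED = {
    ("workstations", "workstations"),
    ("workstations", "jump_hosts"),
    ("workstations", "external"),      # ordinary outbound browsing
    ("jump_hosts", "sensitive_data"),
}

# Constructed log format loosely modelled on iptables/nftables LOG output.
LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+)\s+DPT=(\d+)\s+ACTION=(ACCEPT|DROP)")


def segment_of(ip: str) -> str:
    """Return the segment name for an address, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dport, action = m.groups()
    return {"src": src, "dst": dst, "dport": int(dport), "action": action}


def is_allowed(src_segment: str, dst_segment: str) -> bool:
    """True if the policy permits traffic from src_segment to dst_segment."""
    return (src_segment, dst_segment) in ALLOWED


def find_violations(lines):
    """Return accepted flows whose (source, destination) segment pair is not allowed."""
    violations = []
    for line in lines:
        flow = parse_line(line)
        if flow is None or flow["action"] != "ACCEPT":
            continue  # unparseable lines and already-dropped traffic are not gaps
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if not is_allowed(src_seg, dst_seg):
            violations.append({**flow, "src_segment": src_seg, "dst_segment": dst_seg})
    return violations


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "SRC=10.10.4.17 DST=10.50.1.5 DPT=22 ACTION=ACCEPT",     # workstation -> jump host: fine
    "SRC=10.10.4.17 DST=203.0.113.7 DPT=443 ACTION=ACCEPT",  # workstation -> internet: fine
    "SRC=10.10.4.17 DST=10.50.0.8 DPT=445 ACTION=ACCEPT",    # workstation -> sensitive file share: gap
    "SRC=10.20.3.9 DST=10.50.0.8 DPT=443 ACTION=ACCEPT",     # partner VPN -> sensitive segment: gap
    "SRC=10.50.1.5 DST=10.50.0.8 DPT=5432 ACTION=ACCEPT",    # jump host -> database: fine
    "SRC=10.10.4.17 DST=10.50.0.8 DPT=445 ACTION=DROP",      # blocked as intended: not a gap
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"segmentation gap: {v['src']} ({v['src_segment']}) -> "
              f"{v['dst']}:{v['dport']} ({v['dst_segment']})")
```

Run against real ACCEPT logs, the two flagged lines are exactly the paths the Emily scenario exploits: a phished workstation reaching sensitive data directly, and a compromised partner reaching it over the VPN. Dropped traffic is deliberately ignored, since a DROP means the segmentation is already doing its job.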

Learn from the Emily exploit. Walk through the same scenario in your own organization to see how it might happen to you.

    Robert Siciliano is an identity theft expert for BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s free e-book text — SECURE Your@emailaddress — to 411247.

    ©2025 Networld Media Group, LLC. All rights reserved.