Social Engineering: How a 15-yo Brit Used it Against the US Gov’t and Why It Matters To Your Business
In June 2015, a British boy named Kane Gamble—who was 15 years old then—targeted CIA heads and FBI directors and gained access to classified documents.
THE KANE GAMBLE CASE
Fueled by his political views, Gamble posed as CIA chief John Brennan and as deputy director of FBI Mark Giuliano, which enabled him to obtain a 47-page application for top-secret security clearance and extremely sensitive documents about intelligence operations and military operations in Iraq and Afghanistan.
Gambler, using an anonymous Twitter account, told this to a journalist:
“It all started with me getting more and more annoyed at how corrupt and cold-blooded the US government are. So I decided to do something about it.”
The following are some other things Gamble did:
1. Accessed the FBI’s Law Enforcement Exchange Portal and accessed communications account of some very high-ranking US intelligence officials and government employees;
2. Targeted Mr. Jeh Johnson (secretary of the US Department of Homeland Security) and sent him a photo of his daughter with a sickening message and posted an “I own you” message in their home’s TV;
3. Bombarded Mr. Giuliano’s family with calls which resulted in them seeking protection from the intelligence agency and have an armed-guard on-duty in their family residence.
Gamble taunted his victims online, released personal information, bombarded them with calls and messages, downloaded pornography onto their computers and took control of their iPads and TV screens, a court heard. (source)
Gamble had pled guilty to a total of 10 criminal charges on computer misuse. Gamble has autistic spectrum disorder with a mental development of 12 or 13-year-old at the time he committed the crime. Gamble is now 18 years old.
From a four-cornered bedroom of a Leicestershire home, Kane Gamble performed all his attacks using SOCIAL ENGINEERING.
WHAT IS SOCIAL ENGINEERING
Social engineering: some call it mind-hacking, and some would prefer calling it as the science and art of human hacking.
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme. (Source)
Familiar with the group called Crackas With Attitude (CWA) who famously broke into Mr. John Brennan’s AOL account? Actually, the group was founded by Kane Gamble himself.
CWA used social engineering attacks on Verizon (Brennan’s internet service provider) where they called the company and posed as its live chat department and asked its “co-employees” for social security number of the customer (Mr. Brennan) claiming issues with the lookup tools. The company’s support willingly gave Mr. Brennan’s social security number which they used against AOL requesting for a change password on his account.
Now, let’s figure out the ways they pursued their agenda.
METHODS KANE GAMBLE AND CWA USED FOR ATTACKS
A good pretext is a formula for a successful social engineering attack.
Pretexting is a type of social engineering where the cybercriminal creates a critical scenario that needs an urgent response from the victim’s end. It is relative to hoaxes. It is a detailed lie that requires extensive research for the victim to fall easily.
CWA used this strategy on Mr. Brennan’s case where they pretended as Verizon’s live chat department and called Verizon’s technical support creating a story that their department had issues accessing its lookup tools, thus, needs help from the team to provide Mr. Brennan his security number.
Outside the CWA case, an incident using this attack had also been recorded.
In 2008, a registered nurse from Oregon sent out $400,000 to inherit millions of dollars from a deceased Nigerian relative. The nurse fell for a “419 Scam” that asks her an amount of money in exchange for the $20 million inheritance from her long-lost grandfather in Nigeria.
Phishing is a type of social engineering where the victim receives an email disguised as a message from a trusted web source. Its intention is to trick the recipient to disclose personal sensitive information (password, username, credit card details, bank information) or clicking on an attached malware.
A very common example of phishing is an email or SMS sent by a “trusted bank” asking the victim to fill out and verify his/her personal information.
Vishing or phone phishing is similar to phishing but is known more as human-to-human interaction through a phone call. The cybercriminal sends a phishing attack to its victim asking to call the company’s “toll-free” number for security reasons. The victim then calls the “company’s number” and relates his/her personal information and other “necessary” details to verify identity.
- Spear Phishing
Take the definition of phishing and use it directly to a specific individual or group—that’s spear phishing.
Spear phishing is a more advanced way of phishing where the cybercriminal researches and studies all available information about its target (from social media, online browsing habits, personal interests), then highly customizes its attacks in ways that are fit to the target.
Even though Kane Gamble and Crackas With Attitude (CWA) claimed to be responsible for many cyber attacks using social engineering strategies, they do not consider it as hacking.
OTHER TYPES OF SOCIAL ENGINEERING ATTACKS
If you’ve seen the film “Troy”, you’d see the epic success of Greeks against the invincible and independent city of Troy during the Trojan War. How did the Greeks finally defeated Troy? Well, they used an effective way of subterfuge using a “Trojan Horse” (a huge wooden horse) as an offering to the gods of Troy as a sign of defeat. The Trojans took it as a victory trophy, not knowing what it contained inside: a select group of Greek warriors.
The Trojan Horse is a perfect example of baiting.
In information security’s case, it’s leaving a malware-infected device in a place near the victim or somewhere it can easily be found. This technique arouses the victim’s curiosity or greed, leading him to inject the infected device to his computer then unknowingly installing the malware.
- Water Holing
This targeted and sophisticated type of social engineering takes advantage of the user’s trust on its regularly visited websites.
With a specific target/s in mind, cybercriminals then study and test the trusted website for vulnerabilities where a code and malware could be injected. Since the target trusts this website, clicking any links on its webpage won’t be a problem.
- Something for Something
The term “Quid pro quo” or something for something is another type of social engineering. The attacker would pose as a technical support of a company and “calling-back” random numbers providing answers for a reported “technical problem”. This is a miss and hit strategy. When an attacker “fortunately” hits a person with a real technical problem, the attacker then uses this opportunity to direct the user to input some commands that would then discharge the malware.
HOW DOES SOCIAL ENGINEERING AFFECT YOUR BUSINESS
It is expected that a high-profile government official must have extreme security measures and in-depth understanding of social security but the Gamble case shows otherwise.
Gamble did expose the vulnerabilities of the US government’s security procedures and the companies which are involved such as Verizon and Comcast. If a 15-year-old boy can easily attack organizations with extreme security measures, what more can highly-skilled professional hackers do to individuals and companies?
Today, you wouldn’t be surprised by the fact that cybersecurity engineers are highly needed in the digital field. According to Statista.com on consumers lost through cybercrime, the United States had shed $19.4B already while China tops the highest expenditure amounting to $66.3B.
Michael Alexander on Methods for Understanding and Reducing Social Engineering Attacks:
“Attacks on an organization’s sensitive information using social engineering are more targeted and more sophisticated than ever before.”
Most cybercriminals wouldn’t spend their resources on creating complex technologies in attacking their targets. They only need to build rapport and trust with their targets and can easily get what they want.
WHAT CAN YOU DO?
We’ve asked our Quora netizens on how they can protect themselves from social engineering attacks. Below are some of their insights:
“Educate yourself as much as possible, and be very protective of your privacy and rights. Also, don’t trust easily — always question what you’re being told, and investigate things for yourself and think for yourself. Also, trust your intuition — if something feels off or not right to you, it’s likely because there is something wrong about it.”
Collins Chua, former Cisco Technician:
“The truth is, no one can be safe from social engineering attacks. I don’t agree with people who think that they can escape or be safe from social engineering attacks by learning it. It helps make you aware but not safe. A social engineer can shape his attack in ways we don’t expect and still make it work. Social engineering is just too powerful, manipulative and dangerous.”
“…People can make themselves safe in the sense of exerting great effort to reclaim their minds from their culture of birth, and discover they are originals, which is to say to stop allowing their culture of birth to do their thinking for them. This is too much to expect from children, and we are lucky to accomplish it even as determined, disciplined adults.
Since the human family has been collectively targeted by evil ultra rich culture-manipulating social engineers for exploitive purposes, we will eventually put an end to such social engineering only when we collectively awaken to the problem. Collective problems must be solved at the collective level.”
WHAT CAN YOUR BUSINESS DO
Educate your employees
Education is a cure for ignorance. It is the number one defense against cyber attacks. Cyber attacks are mostly successful because of human errors. Therefore, it is a must that employees be educated on the social hacking attacks and trained with comprehensive security measures to counter them. When they sense one, they would already know how to respond.
“Social engineering tricks are always evolving and awareness training has to be kept fresh and up to date…But it isn’t just the average employee who needs to be aware of social engineering. Senior leadership and executives are primary enterprise targets.”
Use highly-secure software
Acquire a secure platform for your business needs. Cyber attacks are commonly exploited through emails.
You are one step ahead from cybercriminals if your company would use a platform like a Dead Drop, a secure online collaboration tool that’s built with high-level security protecting its users from prying eyes and devious hackers.
Secure your devices
Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or third party to alert you to risks.
Be wise in your social media posts
Social media has helped many businesses in their marketing efforts. However, social engineers and hackers also use social media to gather personal information of their targets.
Think wisely before you allow anything to be shared on your social media accounts. It can also help if there are set guidelines that your social media manager can follow before posting anything online.
“…it’s important to keep in mind that whatever information you post publicly online (Facebook, Twitter, Foursquare, etc.) might give criminals a clue on how to connect the dots on where you are and your real identity.”
“Individuals are liberally giving up their privacy, you know, sometimes wittingly and sometimes unwittingly as they give information to companies or to sales reps or they go out on Facebook or the various social media. They don’t realize though that they are then making themselves vulnerable to exploitation.”
The most important aspect of social engineering is TRUST. Hackers know full well how easy it is to hack a human mind than a machine, that’s why they hold dearly on building trust to manipulate the victim into performing tasks that would soon benefit them.
Therefore, it is not bad to be cautious about anything.
Do not trust easily, but be especially skeptical against any promising lines you receive.