Is social engineering really a threat? In this video, you’ll learn how a talented social engineer was able to steal a valuable Twitter handle.
<< Previous Video: WhalingNext: Rogue Access Points and Evil Twins >>
Social engineering is sometimes thought of as an attack type that’s not very critical, but what we’re finding is that the bad guys have gotten very good at obtaining information from us and they’re now going after some very high target types of information, data, and assets. The bad guys have figured out that if they want some information about you, they may just need to go to multiple organizations to gather that.
They can go to the places you shop. They can call in to the places where you have accounts. And they can start gathering details or finding access in to get information about you or about your financial situation.
Sometimes they are using this social form of communication to be able to manipulate people on the other end of an email. They might be calling in and being very aggressive on the phone or they might be sending a message about a funeral notice for someone you know. And, of course, you want to click on that. You want to read the attachment, which is exactly the social engineering attack that the back guys are going after.
One of the more recent and interesting social engineering attacks is one that took place against Naoki Hiroshima. This is how I lost my $50,000 Twitter username. You can Google that phrase or go to this URL to read all about it.
This is an example of how the bad guy was able to use multiple organizations against this particular person. And it was really masterful social engineering that these people were able to pull off. The first thing the bad guy did was call Paypal and he used social engineering against Paypal to obtain the last four digits of the credit card on file.
Now obviously, the last four digits of a credit card are not going to be used for charging anything. You can’t really do anything financial with the last four digits. Or can you?
At that point, the bad guy called GoDaddy. Obviously, the bad guy had done a lot of research on Mr. Hiroshima and knew that all of his domains are being hosted at GoDaddy. So he told GoDaddy he lost his card, but he could tell them what the last four digits of his card were.
And GoDaddy said, well we need the first couple of digits as well. And unfortunately, instead of simply identifying right then the first two digits of the credit card, GoDaddy allowed the person calling in to guess and to keep trying until they got the right two digits. This is social engineering done extremely well. And unfortunately, this allowed the bad guy to gain access to all of the domains that were hosted at GoDaddy.
So now Mr. Hiroshima has no access to the domain names that are registered at GoDaddy. The bad guy now has complete control over all of those things. And has changed all those security parameters so that Mr. Hiroshima cannot go in and gain access to those.
He then contacted Mr. Hiroshima and says, I’ll tell you what. I will give you access back to all of these domain names. You just have to give me your Twitter name, which in this case was an @N, that single letter N. So that was relatively valuable for the bad guy to have. And in this case, there was an agreement and the exchange and the swap was made.
Mr. Hiroshima then went to Twitter and asked them for help because obviously there was extortion involved and fraud involved at obtaining this @N Twitter username. And ultimately, it took about a month. But finally, Twitter said, yes, you are the rightful owner of this username and we’re going to restore access back to you.
So ultimately, he was able to get both of his domain names back. He was able to gain access to his Twitter handle, and finally had everything back the way it was. It’s an amazing story of social engineering.
If you’d like to read about it, you can Google the phrase how I lost my $50,000 Twitter username. Or go to that URL, and you’ll see just what the bad guys will go through to get the information that they really want.
Category: CompTIA Security+ SY0-401