This time Aamir Lakhani (World Wide Technology) and Joseph Muniz (Cisco Systems) created Emily Williams. The purpose was to use social engineering to test network defenses by creating a fictitious character and seeing how far she could get within an organization.
The basic story was told by Muniz back in February 2013: How we created Emily Williams to compromise our target. "Our goal was to pick a specific target and see how far we could penetrate the target using social networks as the entry point for infiltration. The plan was to build up a social network with key personal [sic] and launch attacks from Facebook and LinkedIn that compromised systems using social networks," wrote Muniz.
But at RSA Europe in Amsterdam last week, Muniz and Lakhani gave further details. The target had been a US government agency involved in both offensive and defensive cybersecurity; and one that in previous World Wide Technology pentests had only been breached with zero-day exploits. "We had executive approval before conducting the experiment," commented Muniz.
The researchers used photos of a local restaurant employee, who had agreed to the subterfuge, for the likeness of Emily Williams. They set up fake profiles on LinkedIn and Facebook. "She graduated from MIT and had 10 years of experience," and was a 'new hire' within the agency. Within 15 hours of 'birth', Emily Williams had gained 60 Facebook and 55 LinkedIn connections. Within 24 hours she had received three job inquiries from other companies.
Over time, the trust level in Emily Williams grew. (It did not take long; the whole experiment lasted just three months.) She received LinkedIn endorsements even though she didn't exist. When she asked a senior HR member to connect on LinkedIn, he replied, "Do you need any help in getting the Service Desk to accelerate the laptop and email issues." And, yes, the researchers (via Emily Williams) got hold of an agency laptop.
But they went further. They poisoned an Emily Williams Christmas card. "Visitors were prompted to execute a signed Java applet that in turn launched an attack that enabled the team to use privilege escalation exploits and thereby gain administrative rights," explains Naked Security. It apparently succeeded sufficiently for the researchers to gain access to sensitive documents that included information on state-sponsored attacks and foreign leaders.
The attackers then tried a similar but targeted attack against the agency head of security. Although he had no Facebook connections, other members of the agency were discussing his birthday. They sent him a malicious birthday card link supposedly from one of the two people discussing him on Facebook. "The attack worked," reports Lucian Constantin, "and after he opened the malicious birthday card link, his computer was compromised."
"This guy had access to everything. He had the crown jewels in the system," Lakhani said.
"What does Emily teach us?", ask Muniz and Lakhani. Frankly, it is nothing new: identities are valuable; people trust people, but men particularly trust attractive women; social engineering works; and there is no technological defense. But what Emily Williams really teaches us is that despite our knowledge of the threats of social engineering, it still works, and it works at the highest levels.