Three high-profile social engineering hacks

How social engineering helped hack the CIA chief, hijack Elon Musk and Joe Biden’s Twitter accounts, and steal half-a-billion dollars.

Social engineering: top-3 hacks of recent years

For decades, we were told tales of all-seeing, all-knowing hackers who use sophisticated social-engineering techniques — that is, manipulating folks into handing over secret information with neither threats of violence nor other maltreatment, or getting them to perform other reckless actions from an information security perspective.

The problem is, such tales can cloud one’s grasp on reality. Knowing so many stories about this technological voodoo, people should, you might think, be aware of such tricks. Sadly, this isn’t the case at all. Here are three high-profile cases of recent years showing that social engineering is still a potential threat, perhaps more so than ever.

Even a schoolboy can hack the director of the CIA

Let’s start with a story that could easily be taken for a Hollywood movie with the title, say, Hackers versus Spies; however, it would be less of an action thriller and more a satirical comedy.

In October 2015, a hacker group calling itself Crackas With Attitude used social engineering to gain access to the personal AOL account of CIA Director John Brennan. The hack was followed by a phone interview with the New York Post, in which one member of the group described himself as an American high-school student.

Although the CIA chief’s email was private, it revealed many interesting things related to his work: in particular, the social security numbers and other personal information of more than a dozen high-ranking US intelligence officers, as well as a 47-page application for top-secret security clearance filed by Brennan himself.

In November of that very same year, the story continued: this time hackers targeted the personal AOL accounts of another high-ranking official, FBI Deputy Director Mark Giuliano and his wife. On this occasion, the hackers’ haul, which they later made public, included the names, email addresses and phone numbers of 3500 US law enforcement agencies’ employees.

Just a couple months later, in January 2016, these same hackers got hold of a string of personal accounts belonging to Director of National Intelligence James Clapper. Finally, in February 2016, they publicly released the data of 9000 employees of the US Department of Homeland Security, plus 20,000 employees of the FBI, which the criminals claimed they’d obtained by hacking into the US Department of Justice.

That same month, one of the hackers was apprehended. He was indeed a high-school kid (though not American, but British), named Kane Gamble. As a result, the young hacker, aka Cracka, who was only fifteen when he committed his crimes, was named as the leader of the group and sentenced in the UK to two years in prison (of which he served eight months), with an internet ban for the same term (which he observed in full). A few  months later, two other members of Crackas With Attitude were detained in the U.S. This time they were adults: Andrew Otto Boggs, 23, got two years in a U.S. jail, and Justin Gray Liverman, 25, got five.

During the trial, it transpired that for more than six months — from June 2015 to February 2016 — the young Gamble successfully pretended to be the director of the CIA and on his behalf defrauded passwords from employees of both call centers and hotlines. Using them, the group managed to gain access to highly sensitive documents relating to intelligence operations in Afghanistan and Iran. Who knows, would the hackers have been caught at all had they not decided to make a public mockery of the CIA chief, the FBI deputy chief, and the director of U.S. National Intelligence?

Hacking the Twitter accounts of Biden, Musk, Obama, Gates and others

The following incident took place on July 15, 2020, when a bunch of Twitter accounts began to spread similar message: “All bitcoins sent to the address below will be sent back doubled! If you send $1000, I will send back $2000. Only doing this for 30 minutes.” It looked like a typical Bitcoin scam that wouldn’t warrant a mention were it not for one nuance: all these accounts really did belong to famous people and major companies.

At first, the scam messages started appearing in Twitter accounts directly related to cryptocurrencies: the giveaway was “announced” by Binance founder Changpeng Zhao, and several other cryptoexchanges, including Coinbase, and the crypto news site CoinDesk. But it didn’t stop there, as, one after another, more and more accounts belonging to famous entrepreneurs, celebrities, politicians and companies began to join the jamboree: Apple, Uber, Barack Obama, Elon Musk, Kim Kardashian, Bill Gates, Joe Biden (who wasn’t yet president), Jeff Bezos, Kanye West; and the list went on.

Tweet from the hacked account of Elon Musk

Tweet from the hacked account of Elon Musk Source

In the few hours that saw Twitter trying to get to the root of the problem, the hackers managed to collect more than US$100,000 — a tidy sum, but nothing compared to the reputational blow suffered by the company. It soon became clear that the hackers had penetrated Twitter’s internal account management system. Initially it was assumed they did this with insider help.

However, that turned out not to be the case. The hackers were quickly found and arrested, and again the group leader was a school kid — this time an American, the then 17-year-old Graham Ivan Clark. He was handed down three years in jail and another three on probation. More importantly, however, the investigation established that the attack was carried out with no insider help. Instead, hackers used a mix of social engineering and phishing to dupe Twitter employees into giving them system access.

First, they studied LinkedIn profiles to identify employees likely to have access to the account management system. Next, using LinkedIn’s Recruiter feature, they collected their contact information, including cell phone numbers. The hackers then called these employees, pretending to be colleagues, and using the data persuaded them to visit a phishing site imitating Twitter’s internal login page. This way, the attackers obtained passwords and two-factor authentication codes allowing them to log into the Twitter account management system and take possession of dozens of accounts with millions of followers.

Again, who knows if they’d have been caught had they not targeted half of the world’s Top-10 rich list, plus other famous personalities and, most significantly, the Twitter accounts of a former and future U.S. president.

Sky Mavis and the half-billion-dollar heist

This is a story that took place in 2022. The starring yet unwanted role went to Sky Mavis, creator of the NFT game Axie Infinity. Let’s not delve into the game specifics — suffice it to say that players earn cryptocurrency in it. At one point, some residents of Southeast Asia worked there as if it were a proper job. At its peak, the game had a daily audience of up to 2.7 million people and weekly revenue of up to US$ 215 million.

However, in March 2022, even before the crypto crash, Sky Mavis found itself in serious trouble. During an attack on the Ronin Network, which underpins all cryptocurrency activity in Axie Infinity, hackers made off with 173,600 ETH and 25.5 million USDC from the company’s accounts, worth around US$540 million at the time of the attack.

The details of the heist emerged a few months later, in July. Through a fake company, the attackers had contacted Sky Mavis employees on LinkedIn and invited them to job interviews. Eventually they got to a senior engineer who, after several rounds of interviews, was made an extremely tempting job offer. The fake offer was sent in an infected PDF through which the hackers managed to gain access to the company’s internal network.

After that, armed with access to the corporate network, the hackers were able to get hold of the private keys for confirming transactions and then withdraw cryptocurrency. They laundered the stolen funds through a complex scheme involving two cryptomixers and around 12,000 intermediate cryptowallets, followed by conversion to bitcoin and a subsequent cashout.

Analysts who helped the U.S. investigators linked the attack to the North Korean group Lazarus. Only about 10% of the face value of the stolen coins could be recovered. Or about 5% if you count in dollars: in the six months after the robbery to the close of the investigation, the crypto market collapsed, causing the Ethereum exchange rate to nosedive.

How to guard against social engineering

Sure, no one wants to be on the receiving end of such attack. But the fact is that total protection against social engineering is near-impossible — because it targets people. For effective defense against social-engineering techniques, your company should focus on employee training. Our Kaspersky Automated Security Awareness Platform is perfect for this purpose. Through a combination of exercises and simulations, the solution raises staff awareness of a wide range of attack methods and ways to defeat them.