Hacktivists Social Engineer Access to Government Officials’ Accounts
In what appears to be an act of hacktivism in support of the Palestinian cause, a group of hackers continues to target U.S. federal officials. The latest victim is the U.S. Director of National Intelligence, James Clapper, as reported by Motherboard.
One of the hackers claimed to have social engineered their way into Clapper’s Verizon FiOS account (fiber-optic network), his personal email and his wife’s email accounts. The hacker changed call settings to redirect all of his incoming calls to the Free Palestine Movement.
It’s likely the hackers gained access to these accounts by either stealing passwords or resetting them by calling support lines and impersonating Clapper. Pretending to be someone else is a lot easier when you can back up your stolen identity with legit personal information - the kind that can be easily found in online public records by anyone. Apparently Clapper’s address and phone number can be found easily with a Google search.
Social engineering is how attackers obtain private personal information by conning the people who have access to it. This type of attack exploits human trust, and it also exploits identity-verification systems that aren't particularly robust: ones that verify who you are based on static, easily found information.
Social Engineering Access to PayPal Accounts
This is an all-too-common occurrence for all types of online accounts, including banking accounts. Security blogger Brian Krebs wrote about how his PayPal account got hacked over the holidays in “2016 Reality: Lazy Authentication Still the Norm.”
In this case, the attacker never compromised his password. Instead, the attacker called PayPal’s customer support and managed to reset the password using only the last four digits of Krebs’s Social Security number and the last four digits of an old credit card account.
His account was locked after the attacker attempted to send money to a member of a hacktivist group associated with spreading ISIS propaganda online, making it more difficult for Krebs to recover access to his account.
The Stolen Data Chain of Social Engineering
A more complex social engineering attack may involve many steps, and more than one phone call. Think of it as a video game - a hacker’s roadmap to account access is hindered by a series of doors, and sourcing personal data is the only way to unlock those doors.
Last October, the same hacker group that targeted James Clapper initially gained unauthorized access to CIA director John Brennan’s personal AOL email account through a chain of social engineering events, according to The Guardian.
They started with just his mobile phone number (again, easily found online), then did a reverse lookup to find out that he was a Verizon customer. Posing as a Verizon technician, the hackers called the company and convinced an employee to reveal Brennan’s personal information - including his account number, PIN, email address and the last four digits of his bank card.
Armed with that information, the hackers then turned to AOL - calling support and pretending they were locked out of Brennan’s email account. They passed the security question test by using the information given out by Verizon.
Finally, they stole sensitive information found in his emails, including an application he filled out to receive confidential government security clearance, according to Wired.com.
What Can You Do?
Do your part to secure against the effects of social engineering, and enable two-factor authentication on all of your online accounts. Because it requires access to your personal device, it makes it harder for attackers to access your account remotely. It is also a method that relies on your immediate action for verification (entering a unique code generated by an app or approving a push notification), instead of verifying your identity via static information like the last four digits of your SSN.
Krebs lamented the fact that most companies do not offer “more advanced authentication options - such as mobile device authentication.” But many others do support the technology, which you can enable by downloading a free mobile authenticator app like Duo, and adding the ability to verify your identity with time-based one-time passcodes (TOTP).
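To make concrete why a time-based one-time passcode is a stronger check than a static detail like the last four digits of an SSN, here is an added example of a minimal TOTP (RFC 6238) generator and server-side verifier. It is not code from the original post or from Duo; it assumes the RFC defaults (HMAC-SHA1, 30-second steps, 6-digit codes, one step of tolerated clock drift), and the seed value is the RFC's own published test secret, not a real key.

```python
"""Added example (not from the original post): a minimal TOTP (RFC 6238)
generator and a server-side verifier that refuses replayed codes.

The point being illustrated: the code is derived from a secret that never
leaves the user's device, it is only valid for a short time window, and a
verifier that remembers the last accepted code will not accept the same
code twice, even if someone overheard it. None of this relies on static
personal data that can be looked up online.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 6          # length of the displayed code
WINDOW = 1          # accept +/- one time step of clock drift

# Constructed value: the RFC 4226/6238 test seed, NOT a real secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server side: checks a submitted code within a small drift window.

    The server stores only the shared secret and the counter of the last
    accepted code; it asks the user for nothing that is guessable or
    publicly findable.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 window: int = WINDOW):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter_now = now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = counter_now + drift
            if counter <= self.last_accepted_counter:
                continue  # same or older step than a code already used: replay
            expected = hotp(self.secret, counter)
            # constant-time comparison so the check does not leak digit matches
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


def demo() -> None:
    """Stand-alone walk-through: a live code is accepted once, then refused."""
    now = int(time.time())
    code = totp(DEMO_SECRET, now)          # what the authenticator app shows
    server = TotpVerifier(DEMO_SECRET)
    print("code:", code)
    print("first use accepted:", server.verify(code, now))     # True
    print("replay accepted:  ", server.verify(code, now))      # False
    print("valid 3 steps later:", server.verify(code, now + 3 * STEP_SECONDS))  # False


if __name__ == "__main__":
    demo()
```

Contrast this with the support-line checks described above: a "last four digits" answer is the same every time it is asked, so one leak of it (from Verizon, a data broker, or a public record) unlocks every service that relies on it, whereas a TOTP code changes every 30 seconds and is useless once accepted.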