Real Hackers Wield Social Engineering
Simplicity Means Success - But Not for 'CSI: Cyber'
In the pilot episode of the TV series "CSI: Cyber," cybercriminals hacked a baby cam to execute a "cyber kidnap" plot, and an amusement park's mainframe was hacked to deliver "murder by rollercoaster."
Of course in the real world, when people go head-to-head with hackers, chances are they won't be facing down weaponized arcade rides. In fact, it may all begin with an innocent-sounding email or even a phone call. At least, that's what led to this week's true "ripped from the headlines" plot, in which Rogers, one of Canada's biggest ISPs, was breached by hackers.
Unlike the protagonists on "CSI: Cyber," these hackers kept things simple. They phoned the Rogers tech-support helpline, sweet-talked the tech-support team into thinking they were a particular mid-level employee, got his Outlook email password reset, and then gained access to his emails, as well as a lot of corporate data. Or at least, that's how the attackers described their tactics to the privacy blogger known as Dissent.
Unfortunately, a phone call to the IT help desk doesn't make for great nighttime television. And just imagine trying to explain to the majority of CBS viewers the nuances of the resulting document dump involving a 456 MB "tarball" (Linux archive file) filled with alleged Rogers data - or how hackers might have cashed in the 70 bitcoins (currently worth about $19,000) they were demanding. (Rogers has not responded to multiple requests for comment.)
But the Rogers hackers are merely the latest in a long line of attackers - such as Kevin Mitnick in the 1990s - who phoned someone up and asked them nicely, if fraudulently, for something they wanted.
This tactic also is wielded by the fake Microsoft tech-support gangs, who phone people at home and tell them their device has a virus. And on the business front, such trickery has been used to execute everything from the 2012 "life hack" of journalist Mat Honan, to the spear-phishing attack against security giant RSA, to the recent Rogers breach.
Interested in learning more about why TeamHans targeted Rogers, and whether it was personal, I contacted them via an email address posted on their @TeamHans account page (answers are verbatim):
Q: Was Team Hans responsible for the reported threat and attempted bitcoin extortion against a Rogers employee?
A: Yes, he was a victim of a failed extortion attempt, although I would like to mention that the amount demanded was a very low amount in regards to the classification of the documentation which had been retrieved from their systems.
Q: Via Twitter, you imply that you're sitting on a lot more Rogers data. If the data touches on "just about every employee and corporate customer," as claimed, what all has been obtained?
A: You question what data has actually been obtained/retrieved from this low-level hack? Majority of the data can be found in the tarball that was released via our social medium but I'm not saying that's all of it (maybe we still have access to their systems today, who the [expletive deleted] knows?).
Q: What "next steps" would you like to see from Rogers?
A: As far as what next steps we would like to "see": I'm pretty sure we can all agree that nothing can be done to make sure this doesn't happen again. They are stupid and as a company, also stupid.
Q: Are you perhaps based in Canada and former/current Rogers customers?
A: No. I can confirm that none of the members of TH involved in this particular shipwreck is from CA. I would also like to mention that absolutely no notification has been made to any of their clients which they deal with (view contracts [included in the leaked documents], a popular request from the clients that they work with was to keep all confidential for multiple reasons, such as x not wanting their competitor(s) to be aware of x).
Takeaways For Businesses
Takeaways from the Rogers hack by TeamHans should be obvious:
- Education: Train help-desk staff to better spot and repel social engineering attacks.
- Security: The TeamHans hackers say they were able to reset the employee's password using only his ZIP code and birthday. Such information is trivial for attackers to obtain, making it virtually worthless as a security defense.
- Controls: Restrict access to corporate assets, including online Outlook, using two-factor authentication, so even if the above two defenses fail, any such attack launched by TeamHans or its future equivalent won't succeed.
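The second and third takeaways side by side, as an added example that is not from the article and not Rogers' own help-desk procedure: a reset check that accepts only the ZIP code and birthday, next to a hardened version where those answers merely identify the account and a code from an enrolled second factor is required before the reset goes ahead. The employee record, the `Employee` class and the sample values are constructed; the TOTP routine follows RFC 6238 so the block runs offline.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class Employee:
    username: str
    zip_code: str       # knowledge factor: cheaply looked up by an attacker
    birthday: str       # knowledge factor: cheaply looked up (YYYY-MM-DD)
    totp_secret: bytes  # possession factor: secret enrolled on the employee's phone


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, included so the example runs offline."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def weak_reset_check(emp: Employee, claimed_zip: str, claimed_birthday: str) -> bool:
    """The check the attackers describe: ZIP code plus birthday, nothing else.

    Anyone who has looked those two values up passes, so this proves only
    that the caller did some research, not that they are the employee."""
    return claimed_zip == emp.zip_code and claimed_birthday == emp.birthday


def hardened_reset_check(emp: Employee, claimed_zip: str, claimed_birthday: str,
                         otp_code: str, unix_time: int) -> bool:
    """Knowledge answers only identify the account; the reset proceeds solely if
    the caller also presents a valid code from the enrolled second factor."""
    identified = weak_reset_check(emp, claimed_zip, claimed_birthday)
    expected = totp(emp.totp_secret, unix_time)
    # compare_digest avoids leaking how many digits matched through timing
    return identified and hmac.compare_digest(otp_code, expected)


# Constructed sample employee; the secret is the RFC 6238 test-vector key.
SAMPLE = Employee("jdoe", "M5V 3L9", "1985-04-12", b"12345678901234567890")

if __name__ == "__main__":
    # A caller who knows only the two public facts passes the weak check ...
    print(weak_reset_check(SAMPLE, "M5V 3L9", "1985-04-12"))                    # True
    # ... but not the hardened one without the phone-generated code.
    print(hardened_reset_check(SAMPLE, "M5V 3L9", "1985-04-12", "000000", 59))  # False
```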
To the Rogers employee's credit, he reported the incident to his employer, and officials there reported it to law enforcement. The hackers say the company never gave them the bitcoins they demanded, hence they released the stolen data, as they'd threatened.
But the incident should be causing every business - not just ISPs, and not just organizations located in Canada - to ask whether they could successfully repel this type of attack, should their firm be targeted. Because while such storylines lack the panache of a "CSI" plot, they're all too real.
Weaponized roller coasters? Kidnappers hacking baby cams? Forget over-the-top "CSI: Cyber" hacking schemes. The hackers behind the Rogers ISP breach, in their quest for bitcoins, wielded nothing more serious than a telephone call.