RSA data breach the result of successful spear phishing
A great story almost slipped by me... With all this "Epsilon" business happening, the disclosed cause of the RSA breach almost went unnoticed. Remember the data breach of the security company, RSA? They're the company whose computer security products are used by government agencies, hospitals, and lots of corporations with extremely sensitive data. I wrote about it a couple of weeks ago and gave you five possible theories.
Guess how the RSA breach happened? Think hard about our aquatic friends...
Yes, spear phishing.
A lonely email makes its way to the inbox of an unsuspecting employee who opens the "Excel spreadsheet" and BAM - game on, ladies and gentlemen.
On April 1, Uri Rivner, a key RSA boss, posted "Anatomy of an Attack." You have to give RSA credit for telling the world what happened. Mr. Rivner tells us that there were two "phishing emails" sent to a small group of RSA employees. Apparently the email ended up in their "junk" box, but one employee retrieved it and in the end opened the attachment that released the "malcode" (as our AG calls it), and the rest is history. RSA doesn't hide much; they lay out quite a bit of detail. I won't bore you here, but it is fascinating, and their disclosure does a service for the rest of us.
Today, I want to tell you about "social engineering". My definition is "getting someone to do something that they either don't want to do or don't know why they're doing it". Wikipedia defines it in the context of "security" fairly well.
How did the "villains" know who to send the "phishing" email to? According to Mr. Rivner's blog, the employees were defined as follows:
...you wouldn't consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”
So, the employees were not "high value targets", but they were employees of RSA. A couple of basic facts to consider:
- The bad guys had to know the employees' email addresses
- The bad guys had to know at least something about the employees - meaning they knew that the targeted employees were not janitors
- The bad guys had to get the employee to open the infected file
Where is information like this available?... Facebook, LinkedIn, social media sites, that's where. Some people have basic information on their social media sites and some update it so often you know what they had for breakfast. You can tell a lot about a person from reading their social media website. You may even be able to tell what they might do in a given situation... that, my friends, is "social engineering."
Why would only one of the "targeted" employees retrieve an email from the junk mail box and open an attachment? You work at RSA, you work for a security company, and you open an attachment on an email that your spam filter caught? Something just doesn't make sense here.
Was it something about the name of the attachment that caught that employee's eye? "2011 Recruitment Plan" was the subject line of the email. Why did the bad guys choose to name it that? Maybe because they had been watching the various employees' social media sites and knew that RSA had an ongoing recruitment plan. That's just a guess, a pure guess, but if you're the bad guy and you want to successfully "spear phish" you need some good intel. What's going to make the employee open this attachment? That, as the bad guy, is your operational goal.
We, as digital citizens, put a lot of information about ourselves in the public domain. (Oh, I'm sorry, did you think that the privacy settings on Facebook keep the bad guys out? How many "friends" do you have, and how many of those "friends" have "friends"... and can your friends' friends see your page?)
As a quick aside, I used to use Facebook regularly as an investigative tool. We would "friend" our suspects' friends and then just sit back and read. It was oh so simple to get access to a guy's site - use a pretty girl. She's not real, she's the police, silly. Plus, most of the time the privacy settings were nonexistent and their info was public.
Social engineering is made easier the more public we are about ourselves. Spear phishing works. And the combination of social engineering and spear phishing has worked in the most dramatic way in this case resulting in the breach of one of the world's leading security firms.
But what about my five "theories"?
- Conspiracy - technically still viable, but I sincerely doubt it now.
- Foreign Government Action - gaining ground based on the complexity of the incident
- Corporate Espionage - still possible, but unlikely. The same type of attack has been launched against many other corporations leading me to believe that it's from outside the corporate world.
- Criminal Organization - I stand by my assertion that this is too complicated for them to pull off. Prove me wrong Eastern Europe, I dare you.
- It never happened - It did. This one is out.
One final note: If I were a bad guy and had the EPSILON email data, here's how I would use it:
I would send an email purporting to be from the affected company apologizing for the inconvenience and in the same email offer to have them removed from our email list by clicking "this" link. Would you click that link?