Why is this interesting? - The Hacking Edition
On social engineering, fraud, and clever manipulation
Noah Brier | Dec 22, 2020
Noah here. If you’ve worked as a company executive or part of the finance team in the last ten years you’ve almost certainly experienced spear phishing. As the name suggests, spear-phishing takes the regular scam approach of sending someone a disguised email asking them to take an action and makes it much more powerful by targeting an individual with specific details (as opposed to the blanket Walmart gift card offers you’d surely find in your spam folder). Often the email will look as though it has come from the CEO and go to someone who is more junior in the finance department asking them to please deal with a wire or other payment. The most successful ones know exactly who they’re targeting, where the email is meant to be coming from, and what buttons they can hit in that relationship to get the target to perform the action they want.
And it works. The FBI calls spear-phishing “Business E-mail Compromise” (BEC) and estimates more than $12 billion was lost to the scam from 2013 to 2018. It’s not just money, either. This summer’s Twitter hack (if anyone can remember back that far) was attributed to spear phishing:
The social media company said on Thursday that hackers had targeted “a small number of employees through a phone spear phishing attack” — meaning that the staff in question were carefully, rather than randomly, selected and then tricked into handing over access to the internal tools.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter said in a statement. A spokesperson would not comment on whether it had found evidence that Twitter insiders also helped the attackers.
Why is this interesting?
I was thinking about spear phishing again this morning as I read the wild CNN story about how Alexey Navalny, the poisoned Russian opposition leader, got one of the agents involved in the attack on him to tell him the whole story over the phone.
Navalny, who is still recovering at a secret location in Germany, posed as a senior official from Russia's National Security Council tasked with carrying out an analysis of the poisoning operation. His phone number was disguised as that of the headquarters of the FSB, according to Navalny's team and a recording of the call later provided to CNN and Bellingcat.
After Kudryavtsev confirmed his identity, Navalny said he'd been tasked with getting "a brief understanding from the team members: what went wrong, why was there a complete failure in Tomsk with Navalny?"
Kudryavtsev's responses in the 45-minute call provide the first direct evidence of the unit's involvement in poisoning Navalny.
At times he is clearly apprehensive about talking on an unsecured line but Navalny, speaking at times in a brusque and urgent way, persuades him that senior officials are demanding a report immediately and says that "all of this will be discussed at the Security Council on the highest level."
All of this gets to a fundamental truth of all security: humans are almost always the weak link. Part of this is human nature, of course, but part of it is about the expectations set by the organizations we work for and interact with, and how those expectations shape our behavior. As I outlined in last year’s security edition, one of the security anti-patterns that drives me totally crazy is banks calling you up and then asking for your account details. What better way to encourage people to share valuable information with scammers than by legitimately asking them to share that same data over the phone? In Navalny’s case, he was clearly able to pull this off partly because he spoofed the phone number, but also because he knew the details of what had happened and understood the kind of pressure the Russian government would exert. Because of this, he was able to hit enough of a nerve with the agent to get him to do something he was almost certainly trained not to do.
In the hacking trade, all of this goes by “social engineering,” the practice of manipulating people into doing things you want them to do. While movies and TV shows love to depict scenes of hackers behind screens writing lines of code and crashing servers, the reality is that much of the day-to-day damage from hacking doesn’t come from backdoors or zero-day exploits, but rather from finding the right person to open the front door. (NRB)
Spice of the Day:
I love spicy food, but finding the right balance of flavor and heat is always a challenge. I have a few favorites and am always on the hunt for interesting new additions for the shelf. Recently my wife was sent two bottles of Holy Tshili from a friend (the spicy everything chili oil and spicy everything furikake seasoning), and I loved it. It’s a combination of, wait for it, Asian flavors, and everything bagel toppings. “Holy Tshili was inspired by our three favorite condiments: Toasty, crispy everything bagel seeds, spicy, luxurious Chinese chili crisp, and the savory, delicious umami kick of Japanese furikake. We put all 3 on everything and that's how Holy Tshili was born.” Go with the chili oil, it’s an amazing addition to all sorts of food. (NRB)
Speaking of hacking, The Register had a pretty good summary with technical detail on the SolarWinds hack. (NRB)
Thanks for reading,
Noah (NRB) & Colin (CJN)
Why is this interesting? is a daily email from Noah Brier & Colin Nagy (and friends!) about interesting things. If you’ve enjoyed this edition, please consider forwarding it to a friend. If you’re reading it for the first time, consider subscribing (it’s free!).