As DDoS attacks and malware become increasingly complex, there is another type of attack that doesn’t rely on much technology, aside from maybe a phone or email, and is just as dangerous.
Called social engineering, this type of attack relies on manipulation and human error, tricking victims or their service providers into turning over sensitive information that could be used to access hosting or other online accounts.
“When a lot of people think of a security attack, the first thing on their minds is decrypting data or software viruses, but the vast majority of attacks, and the biggest flaw that we have in software security, are people. We’re capable of making decisions, and we’re quite capable of making bad ones,” says Kevin Jones, chief security officer at Thycotic Software, a Washington, D.C.-based company that specializes in IT management tools for system administrators.
Founded in 1996 as a software development consultancy, Thycotic Software initially developed its flagship product, the enterprise password management software Secret Server, out of an internal need. It was released commercially in 2005, and today around 100,000 administrators around the world use Secret Server.
Jones has been at Thycotic Software for over seven years and works with the company’s development team and customers to understand their security needs.
A recent security incident shows how such an attack plays out: an attacker impersonated a PayPal employee to obtain the victim’s credit card information, then used it in a social engineering attack on GoDaddy and, ultimately, Twitter.
“As with most attacks we’ve seen recently, it involved a lot of social engineering, which has become an increasingly persistent form of attack,” Jones says.
The attacker was after the single-character Twitter handle @N, belonging to software developer Naoki Hiroshima. To reach the Twitter account, the attacker first obtained the last four digits of Hiroshima’s credit card number by impersonating a PayPal employee. He then called GoDaddy posing as Hiroshima, claiming he had lost the card but remembered its last four digits. GoDaddy support let him take over the account on the strength of those four digits, which is not a standard means of authentication for the hosting company.
“Based on what GoDaddy has said in the past, they don’t really do that. That’s not one of their normal authentication means to confirm a user’s identity,” Jones says. “The other thing was the GoDaddy employee also requested the first two digits of the credit card, and most credit cards almost always start with the same four digits because they are used to identify who makes the card.”
According to a PCWorld report, GoDaddy said the attacker was “already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy” and that “the hacker then socially engineered an employee to provide the remaining information needed to access the customer account.”
“GoDaddy didn’t have a strictly enforced policy on how they’re going to identify who their customers are. Based on what GoDaddy said, that particular GoDaddy support engineer kind of stepped out of their bounds on what they were and were not allowed to do,” Jones says.
GoDaddy said it is “making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques,” according to a statement.
Once inside the GoDaddy account, the attacker was able to take control of Hiroshima’s PayPal account, hosting account and email, and eventually seized his Facebook and Twitter accounts as well. Hiroshima regained access to his GoDaddy account, but only got his Twitter handle back a couple of weeks ago.
“The GoDaddy incident is not unique. It’s certainly very prominent because of who the parties involved are, both the companies and the owner of the Twitter handle that was compromised,” Jones says.
For hosting providers, the PayPal-GoDaddy incident sheds some light on potential gaps in account authentication, and on the need to train support staff to recognize and handle social engineering attacks.
“As someone that would work with a web hosting company, one of my immediate concerns would be: what are you doing to identify your customers and ensure that my data is really my data and it really stays with me?” Jones says. “How are you training your support engineers, and how are you renewing and validating the things that they are or are not supposed to do? If I were to do business with a web hosting company, these would be some of my first questions.”
Jones says customers should ask their web hosts about their training policies around protecting data, and how they ensure those policies are not violated.
“Another thing a web host can do: this employee at some point was able to reset a password or send a reset code to the attacker. In order to do that, the employee must have had some kind of access to a system. Internal auditing is going to be the really key thing there,” Jones says.
“As a web hosting company, I would want to make sure I have in place some sort of irrevocable means of identifying who you are. If I’m able to provide you a non-variable security PIN, then that at least can confirm that somehow I have some sort of information for this account, and then we can open a dialogue and resolve these kinds of situations. Really, the best way to resolve these kinds of breaches is to have a conversation with a human.”
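The two controls Jones describes, a strictly enforced rule for what counts as customer identification and an internal audit of reset actions, can be sketched in code. The following is an added example, not code from GoDaddy, Thycotic or the article. It assumes a support tool that records which identity checks an agent performed before a recovery action, and a separate backend record of the resets that were actually carried out; the factor names, their strong/weak classification, and the sample log entries are constructed for illustration.

```python
"""Support-desk identity check with an audit trail (added example).

Models two controls: a policy gate that refuses account recovery unless a
strong identity factor was verified, and an internal audit that cross-checks
resets the backend actually performed against the gate's decision log.
Factor names, classifications and sample records are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    CARD_LAST4 = "card_last4"     # weak: obtainable from another provider (PayPal in the @N case)
    CARD_FIRST2 = "card_first2"   # weak: issuer prefix shared by many cards, easily guessed
    ACCOUNT_PIN = "account_pin"   # strong: fixed support PIN the customer set in advance
    CALLBACK_PHONE = "callback"   # strong: agent calls back the number already on file


# Policy: a recovery action needs at least one strong factor. Card fragments never
# add up to authentication, however many of them the caller recites.
STRONG_FACTORS = {Factor.ACCOUNT_PIN, Factor.CALLBACK_PHONE}


@dataclass(frozen=True)
class Decision:
    agent: str
    account: str
    action: str
    factors: frozenset
    allowed: bool


def verify_caller(agent: str, account: str, action: str, factors_passed) -> Decision:
    """Apply the identification policy and return a loggable decision.

    The agent cannot widen the policy: only membership in STRONG_FACTORS counts,
    so verifying card_last4 plus card_first2 still yields allowed=False.
    """
    passed = frozenset(factors_passed)
    allowed = bool(passed & STRONG_FACTORS)
    return Decision(agent, account, action, passed, allowed)


def audit(decisions, performed_actions):
    """Cross-check what the reset backend actually did against the decision log.

    performed_actions: (agent, account, action) tuples recorded by the system that
    executes resets, independent of the support agent's own notes. Any performed
    action without a matching *allowed* decision is an out-of-policy reset.
    """
    allowed = {(d.agent, d.account, d.action) for d in decisions if d.allowed}
    return [a for a in performed_actions if a not in allowed]


def demo():
    """Constructed scenario resembling the @N incident, plus one legitimate reset."""
    decisions = [
        # Caller recites the last four and first two card digits; no PIN, no callback.
        verify_caller("agent17", "acct-hiroshima", "reset_password",
                      {Factor.CARD_LAST4, Factor.CARD_FIRST2}),
        # A legitimate caller who supplies the account PIN set in advance.
        verify_caller("agent22", "acct-other", "reset_password", {Factor.ACCOUNT_PIN}),
    ]
    # Constructed backend records: agent17 issued the reset despite the denied decision.
    performed = [
        ("agent17", "acct-hiroshima", "reset_password"),
        ("agent22", "acct-other", "reset_password"),
    ]
    return decisions, audit(decisions, performed)


if __name__ == "__main__":
    decisions, flagged = demo()
    for d in decisions:
        print(f"{d.agent} {d.account} {d.action}: allowed={d.allowed} via {sorted(f.value for f in d.factors)}")
    print("out-of-policy resets:", flagged)
```

The point of keeping the performed-actions record separate from the decision log is that an agent who "steps out of bounds" leaves a trace in a system they do not control; the audit then surfaces the reset that no passing verification explains, which is the situation GoDaddy described.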