An American "dating coach" has managed to obtain highly sensitive information through clever social engineering.
According to The Verge, during Defcon last week, Jordan Harbinger tricked several individuals with top secret security clearances into revealing details of classified projects they were working on.
He said his project took him less than 10 hours, spread over a few weeks. Harbinger also claimed he managed to achieve his goals without breaking any laws, as he was advised by a lawyer with the Electronic Frontier Foundation not to do anything unlawful, such as impersonating a government employee.
He began by creating a LinkedIn profile for a supposed defence industry recruiter. He then managed to join a LinkedIn group of 9 500 individuals with top security clearances.
His request to join was approved by the group's moderator, with none of the scrutiny that a top secret clearance itself requires: a rigorous screening process that includes a background check, reference checks, and on occasion a lie-detector test.
From that point, Harbinger was able to connect with 50 of the group's members. Membership of the group was enough; his connection requests were accepted, allowing him to message his contacts about fake jobs.
News.com.au reported that he also gleaned information from a fake Facebook profile he set up with the help of his assistant, who posed as a woman asking the contractors for career advice.
Using that profile, Harbinger sent Facebook friend requests to the men among his LinkedIn contacts and, once accepted, sent carefully crafted messages designed to extract sensitive information. The messages asked for advice on what "she" should mention in an interview, and the replies revealed the location of testing facilities and what was being worked on at a particular site.
Although he said he did not push for any classified information, he thought it was clear it would have been easy enough to obtain had he tried.
Vitaly Kamluk, malware expert at Kaspersky Lab, says businesses that ignore the human factor do so at their peril. He says social engineering is often the means by which a targeted attack finds its way into a company's network. Threat actors trick individuals in the company into revealing information that allows them to tailor their attack to bypass the company's security.
People are susceptible to social engineering tricks for all sorts of reasons. Sometimes they are just careless and don't realise what they are doing is dangerous, explains Kamluk. Sometimes it's a question of stick and carrot - fear that they've been caught doing something wrong and must remediate it, or pleasure in getting something for nothing, or viewing salacious content, he notes.
Teaching staff what to do, and what not to do, is key here. Businesses must focus on security education and awareness, Kamluk concludes.