One of the cool things about my job is that I get to blue-sky think some crazy ideas, and today it was time for the Spartacus Connection Attack. Today started like nothing out of the ordinary. I was working on an engagement for a client, with the express goal of joining their company.
All my usual attack vectors were failing. Their technology security was excellent. While social engineering over the phone and email was out of scope, I asked whether a social media attack would be permitted. The client was happy with that, so I embarked on a journey that resulted in the Spartacus Connection attack. This awareness story comes from that attack.
LinkedIn is a fantastic resource. You can see who works at a company, what their job roles are, and their phone numbers. It is a one-stop shop for the social media attack, and today I tried something different. I became Bob.
I like Bob. He works in IT as the network lead, and he is very well connected: more than 3000 connections. So could I create Bob? It turns out there is nothing on the platform to stop you from doing that. I copied all the profile data. The images. The phone numbers. I even went so far as downloading all of Bob's publications and uploading them to my profile.
Then I got smarter than Bob. With LinkedIn, you can, to an extent, control your profile URL. I noticed Bob’s URL was not his name, so I took it. Now my profile looked more realistic than Bob’s. And then the connection requests started.
Within an hour, I had 200 connection requests. About 30 were from the target company. One of the connections was Bob’s boss.
By the end of the day, I am logged into the target company via their VPN using Bob's user account. The help desk kindly reset his password for me.
I spoke to Bob as I finished; he is a great guy and found the attack amusing, even more so as he had warned people about this sort of thing. So allow me to repeat what Bob had previously warned his peers about:
- Not everything on Social Media is what it says it is.
- Never trust connections on any social media platform.
- Only accept requests from your company email or in person.
Stay safe out there. To find out more about our Social Media attacks, check out our Penetration Testing pages.