Is social engineering that effective? Ask an Uber or Rockstar Games employee that question and you’ll likely hear a resounding yes. This effective mode of duping people within a targeted group or business was the method that one hacker used to hit both companies with a breach. Just how effective is it? In 2021, the FBI received 323,972 complaints of social engineering attacks. And there are many more that go unreported.
A teenage hacker known as TeaPot claimed ownership of these attacks. The Uber network was accessed by convincing an employee contractor that they were part of Uber IT and their credentials were needed. They believe those credentials were first found and purchased on the Dark Web. From there, TeaPot tried to log in but was stopped by multi-factor authentication (MFA). TeaPot then contacted the employee through WhatsApp, a messaging platform. They then claimed to be from Uber IT, saying that they needed the employee to approve the MFA request. With Rockstar Games, it was Slack messages that were breached. It is believed that access was acquired through manipulation there.
Losses from a breach aren’t all the same. We often assume it comes in the form of stolen credentials. While this is often the case, in the Rockstar scenario, it was stolen intellectual property. Content from their upcoming game was released which means a loss of revenue. Additionally, the hacker is threatening to release code that would give access to anyone wanting to create pirated versions of the game.
Humans are the access point, so it is through ongoing training that they must learn how to avoid succumbing to an attacker’s tactics. Enabling multi-factor authentication can assist with preventing access, but avoiding leaked credentials in the first place is critical. The Uber breach is a case in point.
Educating your workforce to recognize that they can be targeted through online platforms outside of work systems is part of the process. Humans remain the weakest link in cybersecurity. By taking a multi-faceted approach you can strengthen your human firewall and secure your business.
Are you interested in learning more about how to create a culture of cybersecurity awareness? We’re here to help. Book a meeting with our Principal Consultant, Mike Skinner, here.