After several months of investigation, the FBI has revealed that the method used to access the iCloud accounts of several hundred celebrities in “the Fappening” was a simple phishing campaign. There was no vulnerability in Apple’s iCloud accounts; it was one more example of the effectiveness and danger of social engineering.
Social engineering consists of pretending to be a person or a service in order to obtain information. Although this method is nothing new, it is becoming ever easier to carry out, because our digital footprint grows every day.
The targets are also becoming clearer: in recent months, a cybercriminal called Cracka succeeded in stealing the e-mail accounts of CIA Director John Brennan and the American intelligence chief James Clapper. He also managed to divert Clapper’s telephone line.
The Art of Deception
The era of “mass mailing”, hoping that an inexperienced Internet user will click on a phishing link or respond to a message about executing the will of a generous donor, is becoming a thing of the past.
Today’s trend lies in the finesse of execution, with real attention to detail. This was the case in the Fappening, where an e-mail appeared to emanate from the Apple security department and stated:
“Your Apple ID was used to login into iCloud from an unrecognized device on Wednesday, August 20th, 2014. Operating System: iOS 5.4 Location: Moscow, Russia (IP=220.127.116.11) If this was you please disregard this message. If this wasn’t you for your protection, we recommend you change your password immediately. In order to make sure it is you changing the password, we have given you a one-time passcode, 0184737, to use when resetting your password at http://applesecurity.serveuser.com/. We apologize for the inconvenience and any concerns about your privacy. Apple Privacy Protection.”
The message, the verification URL and the address of the sender (firstname.lastname@example.org) are quite convincing, whereas in fact they are false: the link leads to a phishing page that has nothing to do with Apple (the real domain name being serveuser.com, with “applesecurity” merely a subdomain chosen to look legitimate).
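To make that last point checkable, here is an added defender-side example (written for this article, not code from Apple, the FBI or any vendor) that extracts every link from a message, reduces its host to the registrable domain and flags links where the brand name appears only in a subdomain, as with applesecurity.serveuser.com. The brand allowlist and the sample message are constructed; the registrable-domain logic is a deliberate simplification.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the brand genuinely uses for account mail.
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com"}}

# Constructed sample message, modelled on the e-mail quoted in the article.
SAMPLE_MAIL = (
    "Your Apple ID was used to login from an unrecognized device. "
    "Reset your password at http://applesecurity.serveuser.com/. "
    "Apple Privacy Protection."
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels (applesecurity.serveuser.com -> serveuser.com).
    Simplification: real systems consult the Public Suffix List so that
    hosts under suffixes such as co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str, brands=BRAND_DOMAINS) -> dict:
    """Classify a URL as trusted, lookalike or unrelated to the known brands."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    base = registrable_domain(host)
    finding = {"url": url, "host": host, "registrable_domain": base,
               "plaintext_http": parsed.scheme == "http", "verdict": "unrelated"}
    for brand, legit in brands.items():
        if base in legit:
            finding["verdict"] = "trusted"
            break
        if brand in host:  # brand keyword present, but on someone else's domain
            finding["verdict"] = "lookalike"
            finding["brand"] = brand
    return finding


def scan_message(text: str) -> list:
    """Find every http(s) link in a message body and classify each one.
    Trailing punctuation (the '.' after the URL in the sample) is stripped."""
    return [check_link(m.rstrip(".,;:)")) for m in URL_RE.findall(text)]
```

A host such as pineapple.com also contains the keyword and would be reported as a lookalike, which is acceptable for a triage tool that hands results to a human.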
Bluff, the precious ally
It is sometimes not necessary to be a cybersecurity whizz-kid to penetrate a network or to take over an account, even if it belongs to a celebrity.
The simplicity of the technique used by the cybercriminal Cracka to hack the e-mail accounts of the American intelligence chief and the CIA Director is astonishing.
In both cases, the cybercriminal first passed himself off as a “technical assistant” to obtain information on the targets from their colleagues. Once he had this information, he called the telephone company (Verizon in both cases), this time adopting the identities of the victims themselves. The details gathered in the first step were sufficient to get the password reset by telephone.
Putting a brake on social engineering
It is important for a company to make its employees aware of the various social engineering techniques, in particular its top management, because of the risk of spear phishing, and its administration department, because of the risk of impersonation fraud.
A final recommendation is to be careful with regard to the information divulged, particularly via social media.
Unfortunately, it is not always possible to control information about ourselves or the company on the Internet. Numerous documents on the life of the company and its employees are freely accessible and beyond its control: monitoring this exposed perimeter can reduce the risks linked to social engineering.