What are you giving away on social media?

How one overconfident CEO and an eager PA taught an entire business an important lesson in information security

This article originally appeared in June's edition of IT Pro 20/20.

It’s not every day you get challenged to hack a business leader. But when Jake Moore, a cyber security specialist at ESET, was invited to a debate with the CEO of a firm in Dorset on internet security, that’s exactly what happened.


“I bet you can’t hack me,” the CEO said, laying down the gauntlet ahead of the debate.

‘Oh, really?’ Moore thought, raising an eyebrow. 

He accepted, but suggested that the best way to get the debate going was to try to hack the CEO's business instead. That gave him three weeks to plan and execute an attack on a man who had been told, specifically, that he was the target.

“For some reason, I got really cocky at this point,” Moore says. “I said, ‘I bet I could even get your shoe size’.”  

And so began a cautionary tale involving a weak password, a gullible personal assistant and the size of an executive’s feet. 

LinkedIn Catfish

Moore created a fake LinkedIn profile, using a generated image of an attractive woman, which he suggests is the quickest way to make it look legitimate. The account had about 2,000 followers, mainly men, in about two weeks, which would seem to prove his point. 


Next, Moore filled out the profile’s employment history, adding lots of fantastic sounding companies and listing ITV as ‘her’ current employer. He sprinkled in some personal info too, listing Bournemouth University – where he actually studied – as her alma mater. As he explains later, these bits of information are tailored to the victim. 

Now, with the CEO expecting something suspicious to come through any of his inboxes, Moore decided to send a LinkedIn request to his personal assistant instead. It was accepted, straightaway. He followed up with a message: “I work for ITV and our production team are planning a programme on how digital marketing companies are coping in the wake of GDPR. We're keen to feature vibrant companies such as yours to jazz up the subject and you guys look ideal. I see you're in Bournemouth too. I studied at Bournemouth University and would love an excuse to visit again…”


The message, Moore explains, not only has the bait of TV exposure but a personal hook: “Hey, we’re both from Bournemouth”. He isn’t just making a LinkedIn connection, he’s making a friend too. He rounds off the message with a note of urgency: “If it’s something you're interested in, let me know ASAP.”

The PA replied quickly, saying the company would love to take part, believing it was an opportunity to raise its profile, and did no background checks beyond reading the LinkedIn profile. Moore replied, asking if he could send through an application form for her boss to fill in. “Yes, of course,” she said.

“So he's there thinking Jake's coming for me, I'm not touching a mouse,” Moore says. “However, the PA probably storms into his office, ‘you're never gonna guess what: We're going to be on TV’!” 

Putting your foot in it

With Google Forms and some ITV Production Team graphics, Moore created a believable questionnaire. He put in all the details you would expect to see: name, address, date of birth, and so on, knowing it was going to be filled in because the unsuspecting CEO was thinking ‘who cares, I’m going to be famous’.

So he added more: sexual orientation, disability, ethnic origin and then shoe size. He tagged that question as ‘sponsored by Clarks’, making it seem like a product placement spot. He also asked for a password to set up an ITV.com account, marked with an asterisk as a required field, compelling the victim to enter one.


“No joke in about 15 minutes I get a notification that says someone has entered the details,” Moore says. “I kid you not, his password was ‘Tottenhamhotspurs84’. If you were going to start researching someone on the internet where would you start? Probably with someone's Facebook account.”

“I’m not their Facebook friend so I can only see limited things, but I found out he was a Tottenham supporter from seeing his profile photos, which are public, and a public post saying ‘happy 30th birthday’ which told me that he was 30 years old in 2014 – so born in 1984.”
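The inference Moore describes above, as an added example that is not from the article, IT Pro or ESET: a public ‘happy 30th birthday’ post dated 2014 gives a birth year of 1984, a profile photo gives a football team, and the two combine into a short candidate list that contains ‘Tottenhamhotspurs84’. The script generalises the single guess in the text into the small pattern set an attacker would try (base word, casing variants, two- and four-digit year suffixes), and adds the defender's side: a registration-time check that rejects passwords built from attributes the organisation already knows about the user. The profile below is constructed for illustration; the name is hypothetical and the pattern list is deliberately small.

```python
# Added example (not the article's or ESET's code). Builds the OSINT-derived
# password guess list Moore's story implies, and the matching defensive check.
import re
from datetime import date

# Constructed sample of what a non-friend can see on a public profile.
SAMPLE_PROFILE = {
    "name": "Alex Example",                      # hypothetical name
    "interests": ["Tottenham Hotspur"],          # visible in profile photos
    "public_posts": [                            # (post date, post text)
        ("2014-05-12", "Happy 30th birthday! Big night ahead"),
    ],
}

# 'happy 30th birthday' style posts: capture the age, ignore the suffix.
AGE_POST = re.compile(r"happy\s+(\d{1,3})(?:st|nd|rd|th)\s+birthday", re.I)


def infer_birth_years(posts):
    """Birth years implied by 'happy Nth birthday' posts: post year minus N."""
    years = set()
    for post_date, text in posts:
        m = AGE_POST.search(text)
        if m:
            years.add(date.fromisoformat(post_date).year - int(m.group(1)))
    return years


def profile_tokens(profile):
    """Words an attacker would try as the base of a password."""
    toks = set()
    for interest in profile["interests"]:
        words = interest.split()
        toks.update(w for w in words if len(w) >= 4)   # Tottenham, Hotspur
        joined = "".join(words)
        toks.add(joined)                               # TottenhamHotspur
        toks.add(joined + "s")                         # TottenhamHotspurs
    toks.update(w for w in profile["name"].split() if len(w) >= 4)
    return toks


def case_variants(tok):
    """As typed, all lower, all upper, and first-letter-only capitalised."""
    return {tok, tok.lower(), tok.upper(), tok.capitalize()}


def year_suffixes(years):
    """Empty suffix plus four- and two-digit year forms with common tails."""
    suffixes = {""}
    for y in years:
        for form in (str(y), str(y)[-2:]):
            suffixes.add(form)
            suffixes.add(form + "!")
            suffixes.add(form + "1")
    return suffixes


def candidate_passwords(profile):
    """Every base token, in each casing, with each suffix: the guess list."""
    suffixes = year_suffixes(infer_birth_years(profile["public_posts"]))
    return {
        variant + suffix
        for tok in profile_tokens(profile)
        for variant in case_variants(tok)
        for suffix in suffixes
    }


def is_guessable(password, profile):
    """Attacker's view: does this password appear in the OSINT guess list?"""
    return password in candidate_passwords(profile)


def built_from_public_data(password, profile):
    """Defender's view: reject a password that embeds a known attribute or
    ends in a known birth year. Looser than the guess list on purpose, so it
    also catches variants the small pattern set above would miss."""
    norm = re.sub(r"[^a-z0-9]", "", password.lower())
    if any(tok.lower() in norm for tok in profile_tokens(profile)):
        return True
    years = infer_birth_years(profile["public_posts"])
    return any(str(y) in norm or norm.endswith(str(y)[-2:]) for y in years)


if __name__ == "__main__":
    guesses = candidate_passwords(SAMPLE_PROFILE)
    print(len(guesses), "candidates;",
          "Tottenhamhotspurs84" in guesses)      # True: in the list
    print(built_from_public_data("hotspurs1984!", SAMPLE_PROFILE))  # True
```

The attacker side needs only a few dozen guesses, well inside any lockout threshold if spread over time, which is why the defender side should run at password set time against whatever the directory already knows (name, birth date, publicly listed interests) rather than relying on the user to avoid them.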


A few weeks later, Moore was up on stage with the CEO in front of an audience of his employees. As he started explaining the fake LinkedIn account he could see his mark turning red, clearly beginning to piece it together. Moore had the room in stitches as he revealed all the information he was secretly able to extract.  

“The thing that I still feel slightly bad about was after I released it all and everyone had a good old laugh, the room fell silent and then there was a voice at the back. It was the personal assistant,” he says. 

“I told my mum I was gonna be on TV!”
