Throughout their careers, many security professionals have come across people who say: ‘I bet you couldn’t hack me!’
In February 2022, Jake Moore, global cybersecurity advisor at the European firm ESET, took this literally and tried to hack several employees of the same company, using exclusively publicly available information, off-the-shelf tools and social engineering techniques. He shared his experience at DTX Europe on October 13, 2022.
Moore’s aim was to use LinkedIn, a professional social media platform with 800+ million users, including 40% who check it daily. “LinkedIn’s InMail message system gets four times more responses than a traditional email. I wondered if I could use it in a phishing way,” he said.
Get the CEO’s Password
He started to create and build a fake profile called ‘Jessica,’ at first without knowing what to use it for. “LinkedIn says they do a lot to make sure the profiles on their platform are not fake, but their algorithm is pretty poor at that. It basically looks for accounts that have been created in succession – not really what you’ve done with them. If you create an account to look real by creating a history, posting, liking things and making connections, you’ll bypass all of LinkedIn checks,” he added.
This is what the cybersecurity advisor did – by downloading a fake picture from the website ThisPersonDoesNotExist, choosing a female-looking face to leverage some people’s tendency to use LinkedIn as a dating site, creating a fake background in the TV industry and using a fake position at the UK national channel ITV.
“Within a month, I got many interactions and people were very friendly with me. She got more followers than me within about two months,” Moore recalled.
At this point, Moore still didn’t have a target: “I had this profile in my back pocket. I don’t know when, but I’m going to use it one day,” he said.
He did so a few months later when the CEO of a company invited him to hack him and do a presentation at their next online event. “I didn’t want to target the CEO directly because he was aware I was going to hack him, so I sent his personal assistant a form requesting an interview for ITV, which she sent to him, and I got him to give me his password.”
Hack the Employees by Flirting
Moore shared his experience at the online event. Following his presentation, the CISO of a big law firm in Bournemouth asked Moore to use his fake female LinkedIn profile to try and do the same with her colleagues.
The CISO gave Moore a list of names and contacts from her firm, and he started adding some on LinkedIn. He then decided to create an Instagram profile for Jessica. “After that, I got 65% of people who accepted my request on LinkedIn and 80% on Instagram.”
Then, he turned Jessica’s TV background into a law one to increase the credibility of her LinkedIn and Instagram requests.
Moore, aka Jessica, then messaged these connections, saying she was looking for a job and thought their company was exciting, but that she was also looking elsewhere and wanted to know what “the vibe” was, Moore explained. “Three people added Jessica and responded very quickly,” he added.
The three, all men, started using flirtatious language. Moore used the situation to his advantage and sent them a link to the job Jessica was supposed to apply to, asking for their opinions.
He played around with them, sending them wrong PDF and ZIP files, which they all clicked.
Suddenly, Moore realized all three had blocked Jessica’s profile.
“Then I got a phone call from the company’s CISO. She asked me: ‘Are you Jessica and are you attacking us via LinkedIn?’ I said I was. She said: ‘Oh my God, what have they done? They told me they did something they shouldn’t have on their work computers.’ That was the result I wanted!”
All three targets could have been hacked, but “at least they reported it to their CISO when they realized,” praised Moore.
“The CISO then told me: ‘You made one vital error: those three men sat together in a row and were all talking about that girl they were chatting with.’ Who knows where it would have stopped if I had targeted different people all over the company.”