This will be another long post.
A couple of weeks ago, you may have read that the Syrian Electronic Army hacked into Forbes and posted a bunch of usernames and passwords. What you may not know is that Forbes has been fairly transparent in describing how it happened and how they plan to mitigate going forward. This is contained in a series of articles they posted on their website.
To make a long story short – they were phished.
From: How the Syrian Electronic Army Hacked Us: A Detailed Timeline of Events, all highlights are mine:
Early Thursday morning, a Forbes senior executive was woken up by a call from her assistant, saying that she’d be working from home due to a forecast predicting the snowiest day of the year. When she ended the call, the executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message.
Any other time, she says she would have waited to read the linked story later at the Forbes office. But with the sale of the 96-year-old media company pending, she was on the alert for news. Groggily stepping out of bed, she grabbed her iPad, opened the email in her Forbes webmail page through a shortcut on the device’s homepage and tapped the emailed link.
In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters’ website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. “It was so insidious,” she says. “I didn’t know I had been hacked for another two hours.”
In fact, the phishing email had set in motion a two-day cat-and-mouse game with Syrian Electronic Army (SEA) hackers who would deface the Forbes website and backend publishing platform, attempt to post market-moving news, steal a million registered users’ credentials, and briefly offer them for sale before leaking the data online.
This is an effective strategy and it was part of a two-pronged attack. Someone from Forbes got an email that is somewhat related to what they do, and they may have even received a link like this:
Hey, what do you think about this? Is it true?
http://www.article-to-some-important-new-site.com/article/cgi?=randomstuff
If you hover your mouse (if reading this on a laptop or desktop) you will see that the displayed http link is not the same as where the link actually takes you.
The linked page asks the user to enter their credentials. Being prompted to enter your credentials at work is so common that many people don’t think twice about it. This person was doing their job and so far everything more-or-less fits with their general work flow. It’s not exactly congruent, but close enough.
Once inside, the hackers used another effective tactic – they moved laterally. They sent spam from the compromised account to other users in an attempt to gain access to important data. The spam filter had already missed the first message even though it came from the outside, and it certainly wouldn’t catch messages sent from the inside, because most environments assume that the inside is secure. People inherently know that it isn’t, but it’s close enough.
Until it isn’t.
In an interview with the attackers, Forbes posted a follow up article by Kashmir Hill about why they attacked Forbes. According to a representative not involved in the attacks but close to those who were:
He says that Forbes editorial content on Syria made it a target, pointing to recent articles about a hacker who claimed to find porn on Syrian secret police’s computers and an article decrying the SEA’s hack of the Marines’ website. “This is pure propaganda,” he said. “This is a message, we will not tolerate lies.”
In other words, this was an episode of hacktivism and resembles the 2007 DDoS attacks on the government of Estonia by Russian youth angered by the Estonian government taking down a Russian World War II memorial.
I want to make three points about this incident:
1. This was a well-executed social engineering attack.
When I say “well-executed”, what I mean is that all the pieces of the puzzle were done with minimal suspicion:
- The web page where the user entered their credentials looked like a valid login page
- The phishing email didn’t contain suspicious language (i.e., it was grammatically correct)
- The phishing email was relevant to the target
- The landing page was hosted on a compromised server
- The phishing email was sent from a compromised server that had not previously sent high volumes of abusive content
In other words, a great deal of care was taken by the attacker to disguise their tracks, and it would be difficult for the average consumer of email to detect this without a high level of vigilance (i.e., working in the security industry, receiving lots of education, etc.).
2. People in the security industry are very smug about their own non-susceptibility to scams relative to others, but shouldn’t be.
This is the point that prompted me to write this post. Forbes is not the first company to have something like this happen to them. People are targeted all the time. Yet there are people in the security industry – people I have personally talked to – who say that the people who clicked the link and entered their credentials are “idiots.” When I challenged them on this point, they dug in their heels and reiterated “Nope, they’re idiots.”
The idea is that only an “idiot” would fall for something so obvious and do something so careless like entering their credentials on a web page that looks like their regular corporate login page.
This strongly irritates me because the average consumer is not overly security aware but they do have a basic awareness. People know about bad passwords and poor security habits, they just don’t always follow them. In the Forbes case, the user was aware but made a poor judgment. The problem is that the average consumer does not have computer security awareness drilled into them over and over again to internalize these behaviors.
What irritates me is that we in the security industry complain about consumers’ poor security habits despite their lack of education, but what does it say about us when we ourselves have poor health habits despite an abundance of education? For example:
* We all know too much sugar is bad for us. It makes us gain weight and is bad for our teeth. This is reinforced almost every day. How many of us eat too much sugar? And junk food in general?
* We all know that an inactive lifestyle is very bad for us. Yet how many take steps to ensure we get our 10,000 walking steps per day? Or try to alleviate sitting for 6-8 hours per day like the typical office worker?
* We all know that staring at computer screens is bad for our posture, our muscles, and our eyes. Yet we do it anyway in spite of health advice that tells us not to.
* We all know that we consume too much energy in the first world. Yet how many of us make sacrifices to reduce our energy consumption without prompting from anyone?
In other words, the average consumer makes mistakes in a very narrow set of circumstances. Yet the same people who call consumers “idiots” for making a bad choice in spite of their lack of knowledge make bad choices every single day in their own lives in spite of an abundance of knowledge.
And that bothers me because it is a double standard and we should know better.
3. Criticizing others for falling for scams makes a Fundamental Attribution Error – it does not account for the situation.
From Wikipedia:
“The fundamental attribution error is people's tendency to place an undue emphasis on internal characteristics to explain someone else's behavior in a given situation, rather than considering external factors.
For example, consider a situation where Alice, a driver, is about to pass through an intersection. Her light turns green and she begins to accelerate, but another car drives through the red light and crosses in front of her. The fundamental attribution error may lead her to think that the driver of the other car was an unskilled or reckless driver. This will be an error if the other driver had a good reason for running the light, such as rushing a patient to the hospital. If this is the case and Alice had been driving the other car, she would have understood that the situation called for speed at the cost of safety, but when seeing it from the outside she was inclined to believe that the behavior of the other driver reflected their fundamental nature (having poor driving skills or a reckless attitude).”
Thus, from my point #1, this was a well-executed phishing attack. Calling other people “idiots” fails to consider the circumstances in which this person clicked the link:
- She was an editor who is asked to comment on articles like this regularly
- She got an article and was asked to comment
- She has to log in to pages regularly
- She doesn’t normally see spam in her inbox
- She is used to obvious spam like “Get your free Viagra” or something similar
Security professionals have what I call an “empathy gap” where they are unable to see the situation from the average user’s perspective. It is obvious to us but it is not obvious to others.
However, in my own life, there are many things that are not obvious to me:
- I don’t know exactly how my furnace heater works (I paid a professional $800 to fix it this morning)
- I don’t know exactly how the plumbing in my house works
- I don’t understand the medical billing system or what many of the words mean when a doctor explains to me what is wrong with me
- I don’t fully understand exactly how all the parts of my car work together
When I look at myself, I am an expert in almost nothing in life. Because of this, I need to empathize with the average computer user, who has as little expertise in my field as I have in almost everything else. Were they really careless? Or am I misjudging them due to cognitive bias?