The FBI and Secret Service are investigating reports that the private email accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson were “hacked.”

CNN reports

So, how did the hacker do it? Hacking is malware, right? This case demonstrates that hacking is not malware. Hacking is the theft of credentials. Credentials can be stolen with malware, but they can also be stolen in other ways. This hacker is talking to the press. He told The New York Post that the way he stole the credentials was “social engineering.” Rather than attacking systems, social engineering manipulates people. The hacker wanted the login credentials. To get the credentials of Director Brennan, the hacker tricked Verizon employees into giving him information about Director Brennan. Using that information, the hacker tricked AOL into resetting the password and providing the password to the hacker.

A favorite hacking technique, which is used extensively by Russian and Chinese “hackers,” uses a different form of social engineering termed “spearphishing.” In spearphishing, the attacker sends an enticing email to the victim which, when the email is acted upon, compromises the user's credentials. Spearphishing is the problem that Secretary Johnson was addressing when he said,

“What amazes me when I look into a lot of intrusions, including some really big ones by multiple different types of actors, it often starts with the most basic active spear-phishing where somebody is allowed in the gate and penetrates a network simply because an employee clicked on something he or she shouldn’t have.”

How do you keep an employee from clicking on something he or she shouldn’t have? That is where SP Guard from Iconix comes in to help defend against spearphishing by providing employees with visual trust indicators, helping them tell real emails from clever attacks.