Skip to content

Social Engineering: The Uber Hack of September 2022

Published
Nov 2, 2022
By
Gregory Puc'
Victor Aranda
Share

In the current technological landscape for companies, having the top-of-the-line security tools and policies in place does not mean that the company is safe from cyberattacks. These defenses help deter hackers from trying to attack the network through trojan horses, viruses, and denial-of-service (DoS ) attacks (DoS is a cyberattack that is meant to shut down your computer or network, making it not accessible). However, these controls would have little effect if the attacker were to gain access to the systems using social engineering.

What Is Social Engineering?

Social engineering is a concept of manipulation on an individual to try and trick them into doing something that helps the attackers reach their goals. Some common forms of social engineering include phishing emails, phone calls (vishing), and SMS (short message service). Through these means, it is typically a goal to get the account credentials from the target individual. For instance, if the attackers are able to get the account information of an employee, they can gain access to the system and will then try to get as much access as possible. Social engineering has been gaining popularity due to the strength of security on firewalls and other appliances. It has become more difficult for hackers to break into firewalls or computers through brute force or any other techniques. The amount of time and resources needed for those types of attacks are greater than what is needed for a social engineering attack.

How Would You Prevent Social Engineering?

There are controls and policies that companies can implement to help prevent these types of attacks. To name just a few of them, time-based account access control (TAAC), role-based access control (RBAC), and multi-factor authentication (MFA) are commonly implemented.

TAAC policies set a time range on when an account can login to the network. This preventative control helps stop attackers from trying to access the systems during off-hours. RBAC gives specific access to networks and systems based on the users’ role in the company. Lastly, the most known preventive control for social engineering attacks is enabling MFA. MFA has become more popular in many organizations and websites over the last five years. MFA requires the user to authenticate using their credentials followed by a second authentication method called a time-based code. If the attacker was trying to sign into the account with the password they successfully socially engineered from an employee, they still would not be able to gain access to the account due to the requirement of a secondary authentication.

An Example of a Recent Social Engineering Attack

While the previously mentioned controls can help prevent and deter attacks from social engineering, these controls are not bulletproof. In the news in September 2022, it was publicly announced that Uber was hacked through social engineering by which the attacker was able to trick an employee into giving out their login credentials. The New York Times article states “The hacker compromised a worker’s Slack account...(and) was later able to gain access to other internal systems. The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems.” While Uber has a security policy to enforce MFA, the attacker was persistent with the employee sending multiple MFA requests. Once the MFA was approved the attacker was able to compromise the system.

Conclusion and Further Recommendations

As stated earlier, having the most comprehensive security policies and procedures in place does not automatically prevent attacks as the weakest link in any system is the end-user. To help strengthen that link, proper security awareness training is a process that that all companies should implement. Security awareness training can help train end-users to not fall for social engineering techniques, like the Uber hack. Even though MFA was enforced, the end-user should have picked up this behavior and escalated it to the internal IT department.

 

What's on Your Mind?

a man in a suit and tie

Gregory Puc'

View Profile
a man in a suit

Victor Aranda

View Profile

Start a conversation with the team

Explore More Insights

a screen shot of a computer
Article

The Change Healthcare Data Breach and Navigating Your Exposure

Read More
a city with many buildings and streets
Article

Seven Key Benefits of Outsourced Private Equity IT

Read More
a piece of wood with a piece of wood on it
Article

Nine Key Challenges Private Equity Firms Face that IT Outsourcing Can Address

Read More
Article

An Outlook for Technology Trends in 2024

  • Technology
  • Artificial Intelligence
Read More
Article

Top 10 Common Cybersecurity Mistakes in 2023

Read More
a person holding a phone
Article

Securing Your Digital Companions: A Guide to Mobile Device Security

Read More
close-up of hands working on a laptop
Article

A Guide to Cyber Hygiene Best Practices

Read More
a close-up of a computer
Article

Mobile App Building: Tools to Get Started

Read More
a small toy on a keyboard
Article

Building a Secure Organization: 5 Best Cybersecurity Practices for Commercial Construction Firms

Read More
a computer screen with many icons
Article

The Guardian of Our Digital Galaxy: Why Cybersecurity is Non-Negotiable in Today's World

Read More
a view of a city from a window
Article

Unleashing Your Data's Potential: How ETL is Reshaping Finance and Accounting

  • Artificial Intelligence
Read More
a light bulb on a table
Article

Leveraging AI to Assist Consumers with Products and Lifestyle

  • Artificial Intelligence
Read More
View All Insights

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.

Subscribe