Social Engineering: The Uber Hack of September 2022
November 02, 2022
By Gregory Puc’ and Victor Aranda
In the current technological landscape, having top-of-the-line security tools and policies in place does not mean that a company is safe from cyberattacks. These defenses help deter attackers from attacking the network through trojan horses, viruses, and denial-of-service (DoS) attacks (a DoS attack is meant to shut down a computer or network, making it inaccessible). However, these controls would have little effect if an attacker were to gain access to the systems through social engineering.
What Is Social Engineering?
Social engineering is the manipulation of an individual to trick them into doing something that helps the attackers reach their goals. Common forms of social engineering include phishing emails, phone calls (vishing), and SMS (short message service) messages. Through these means, the goal is typically to obtain the target individual's account credentials. For instance, if the attackers obtain an employee's account information, they can gain access to the system and will then try to acquire as much further access as possible. Social engineering has been gaining popularity because of the strength of security on firewalls and other appliances: it has become more difficult for hackers to break into firewalls or computers through brute force or other techniques, and the time and resources needed for those attacks are greater than what a social engineering attack requires.
How Would You Prevent Social Engineering?
There are controls and policies that companies can implement to help prevent these types of attacks. To name just a few of them, time-based account access control (TAAC), role-based access control (RBAC), and multi-factor authentication (MFA) are commonly implemented.
TAAC policies set a time range during which an account can log in to the network. This preventive control helps stop attackers from accessing systems during off-hours. RBAC grants access to networks and systems based on the user's role in the company. Lastly, the best-known preventive control for social engineering attacks is enabling MFA. MFA has become more popular in many organizations and websites over the last five years. MFA requires the user to authenticate with their credentials and then with a second authentication method, such as a time-based code. If an attacker tried to sign in to the account with a password successfully socially engineered from an employee, they still would not be able to gain access to the account because a secondary authentication is required.
An Example of a Recent Social Engineering Attack
While the previously mentioned controls can help prevent and deter social engineering attacks, they are not bulletproof. In September 2022 it was publicly reported that Uber had been hacked through social engineering: the attacker tricked an employee into giving out their login credentials. The New York Times article states “The hacker compromised a worker’s Slack account...(and) was later able to gain access to other internal systems. The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems.” While Uber has a security policy that enforces MFA, the attacker was persistent, sending the employee multiple MFA requests. Once one of those MFA requests was approved, the attacker was able to compromise the system.
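The repeated-MFA-request pattern described above is something an identity provider's logs can reveal before a worn-down user finally approves a prompt. The following Python detection logic is an added example, not code from the original article or from Uber: the log lines and their field layout are constructed for illustration and do not represent any vendor's real log format.

```python
"""Flag MFA push-fatigue patterns in identity-provider logs.

Constructed example: the log lines and the field layout below are made up
for illustration; they are not any vendor's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log:
#   "<ISO timestamp> user=<id> event=<push_sent|push_denied|push_approved>"
SAMPLE_LOG = """\
2022-09-15T21:02:10Z user=alice event=push_sent
2022-09-15T21:02:15Z user=alice event=push_denied
2022-09-15T21:02:40Z user=alice event=push_sent
2022-09-15T21:03:01Z user=alice event=push_sent
2022-09-15T21:03:30Z user=alice event=push_sent
2022-09-15T21:04:02Z user=alice event=push_approved
2022-09-15T21:05:00Z user=bob event=push_sent
2022-09-15T21:05:05Z user=bob event=push_approved
"""


def parse(log_text):
    """Yield (timestamp, user, event) tuples from the constructed format."""
    for line in log_text.splitlines():
        ts, user_kv, event_kv = line.split()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               user_kv.split("=", 1)[1], event_kv.split("=", 1)[1])


def find_push_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: details} for every user who received at least
    `threshold` push prompts inside any `window`; details record the burst
    size and whether an approval followed the burst (the worst case)."""
    per_user = defaultdict(list)
    for ts, user, event in parse(log_text):
        per_user[user].append((ts, event))
    alerts = {}
    for user, events in per_user.items():
        events.sort()
        pushes = [ts for ts, ev in events if ev == "push_sent"]
        for i, start in enumerate(pushes):           # sliding window
            burst = [t for t in pushes[i:] if t - start <= window]
            if len(burst) >= threshold:
                approved = any(ev == "push_approved" and ts >= burst[-1]
                               for ts, ev in events)
                alerts[user] = {"pushes_in_window": len(burst),
                                "approved_after_burst": approved}
                break
    return alerts


if __name__ == "__main__":
    print(find_push_fatigue(SAMPLE_LOG))
```

Alerting on the burst itself, rather than only on a successful login, gives the security team a chance to contact the user and revoke the session while the attempt is still in progress.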
Conclusion and Further Recommendations
As stated earlier, having the most comprehensive security policies and procedures in place does not automatically prevent attacks, because the weakest link in any system is the end user. To help strengthen that link, all companies should implement proper security awareness training. Security awareness training helps end users avoid falling for social engineering techniques like the one used in the Uber hack. Even though MFA was enforced, the end user should have recognized this behavior as suspicious and escalated it to the internal IT department.