There’s something both humbling and terrifying about watching industry giants like Twitter and Uber fall victim to cyber attacks.
It's an important reflection for smaller-scale companies who’ve faced a breach of their own, graciously reminding them that even the big dogs fall for the bad guy— and a haunting reminder that even the most elite security defenses can be compromised.
In this round up, we’re taking a look at some of the top social engineering attacks in which small mistakes cost these businesses greatly. These attacks stand out for their severity and notoriety and we hope that these brand’s blunders may become valuable lessons for improving your company’s own cybersecurity.
5 Top Social Engineering Attacks
1. 2016 US Presidential Election Email Leak
One of the top hacks of the decade was the Democratic campaign’s email leak, which caused mass hysteria.
Bad actors from Russia sent a series of spear phishing emails to various individuals in The Democratic National Convention’s network, posing as Google warning recipients of suspicious activity on their Google accounts. The social engineering email shortened the link using a Bitly URL, hiding its true redirect path.
Once the shortened link was clicked, the webpage asked recipients to change their password. After targets clicked the spoofed link and entered their credentials, the cyber criminals gained full access to their Google account, including their Gmail access, which allowed them to scrub thousands of emails with sensitive information pertaining to the Democratic candidate Hilary Clinton’s campaign.
Social Engineering Attack Lesson Learned
Even if you know to think before you click, be cautious of shortened URL links. Shortened URLs also cannot be blocked by a firewall, as the URL cannot be analyzed.
There are few circumstances where a reputable company will ever send you a shortened URL, so if you see a Bitly link, proceed with caution— it could be a malware trap.
2. 2020 Twitter Bitcoin Scam
The Twitter Bitcoin scam, proved that not even the social media giants are impervious to cyber breaches.
Prominent Twitter users with the trusted blue verification check mark Tweeted “double your Bitcoin” offers, telling their followers that they would double donations made on a select link. Well-respected leaders, celebrities, and big brands like former U.S. President Barack Obama, media billionaire Mike Bloomberg, tech creators Apple, and more were among the Twitter accounts affected. Because the accounts targeted had millions of followers, the bad actors received hundreds of contributions within mere minutes— reportedly totaling over $100K in Bitcoin, according to The BBC.
This account takeover was done through a series of highly-targeted social engineering attacks. Bad actors manipulated Twitter employees to infect them with malware. From there, they made their way through Twitter’s internal systems and gained administrative access to a wealth of verified users’ passwords.
Social Engineering Attack Lesson Learned
Twitter employees were the company’s biggest weakness, falling for social engineering exploits that allowed the bad actors a backdoor into highly-sensitive login information. It’s important to learn more about how social engineers trick employees and educate your team on social engineering red flags.
3. 2022 Attack on Uber
A threat actor used Uber’s Internal Slack Platform to impersonate an employee and gain internal network access. They posted an explicit image and it’s believed that they escalated privileges and viewed sensitive information. This threat actor admitted their conquest and said they used social engineering to easily penetrate Uber’s security protocols.
Social Engineering Attack Lesson Learned
The threat actor — who goes by the name TeaPot — was only eighteen, but he managed to fool an employee into providing their login credentials. The lesson learned here is that no application or platform should be taken for granted as an access point. Organizations should consider multi-factor authentication (MFA) for their internal platforms and applications.
4. 2022 Attack on Rockstar Games
The social engineering attack on Rockstar Games was similar to what happened to Uber, and it happened just a few days after Uber’s fiasco by the same threat actor. Once inside the internal Slack channel of Rockstar Games, TeaPot claimed he was able to access code for the then unannounced sequel to the game, Grand Theft Auto.
Social Engineering Attack Lesson Learned
Given the circumstances, the lesson learned here is that threat actors may not stop once they breach the defenses of their original target. In fact, one successful social engineering attack may encourage the threat actor to try for another company using the same techniques that worked in the original attack.
5. 2022 Attack on Twilio
The threat actor gained access to private customer and employee account information by stealing an employee password. This was done through a broad-based social engineering attack that involved sending fake IT text messages to Twilio employees.
Social Engineering Attack Lesson Learned
The social engineering attack on Twilio appears to have been a targeted phishing attack. The lesson learned is that email messages are not the only way employees can encounter phishing attacks. Phishing can occur through social media platforms, text messengers, and other forms of digital communication.
Don’t Become a Victim of a Social Engineering Attack
These major companies fell prey to social engineering attacks despite thinking that their security standards were enough. The fact that three of the top social engineering attacks listed occurred in 2022 shows that threat actors are increasing their efforts. Use the lessons learned to strengthen your security defenses, with the right help.
Mitnick Security is here to demystify what it means to mitigate your risks— in just 5-½ easy steps. Our free guide breaks down a few of the most important improvements you can make, helping to dramatically improve your security posture.
Download the “5 ½ Easy Steps to Avoid Cyber Threats” ebook to start your security hardening journey.