Tapping information found online at sites such as Facebook and LinkedIn, an anti-hacking specialist has successfully taken over the entire IT infrastructure of a client bank.
SNOsoft - a research team at cyber-security specialists Netragard - was hired by a "mid-sized" bank to carry out an advanced stealth penetration test to see how far it could worm its way into the client's IT infrastructure without being detected.
In a blog post, the firm's boss, Adriel Desautels, says his firm gathered valuable information from Facebook, mapping relationships between employees, vendors, friends and family. The social networking site also helped identify key people in accounts receivable/accounts payable (AR/AP) at the bank.
In addition, LinkedIn and job sites such as Monster and Dice, where IT positions at the bank were advertised, provided "interesting and useful technical information" on things such as intrusion detection technologies and operating systems for desktops and servers.
To gather extra information, the SNOsoft team applied for an IT security job and used the subsequent screening call to pump the bank for details on its anti-virus technologies and policies on controlling outbound network traffic.
Based on the intelligence gathered, SNOsoft moved to penetrate the bank's systems by embedding an exploit into a PDF document and sending it to the victim's AR/AP department from its trusted IT services provider.
The PDF was sent, undetected by anti-virus software, and was opened by a bank employee, compromising their computer. Once it had control of the computer, SNOsoft installed its own back-door technology and deployed a suite of tools before scoping out the internal network. Eventually the team cracked the bank's passwords and gained access to desktops, servers and Cisco devices used by the bank.
Says Desautels: "In summary, we were able to penetrate into our customer's IT Infrastructure and effectively take control of the entire infrastructure without being detected."