Mitnick Security Blog - Cybersecurity News and Articles

The Top 5 Most Famous Social Engineering Attacks of the Last Decade

Written by Mitnick Security | Oct 29, 2020 6:03:16 PM

There’s something both humbling and terrifying about watching industry giants like Twitter and Target fall victim to cyber attacks.

It's an important reflection for smaller-scale companies who have faced a breach of their own, reminding them that even the big dogs fall for the bad guys, and a haunting reminder that even the most elite security defenses can be compromised.

In this round-up, we’re taking a look at some of the top hacks of 2010-2020, calling out five examples of large brands making small mistakes that cost them greatly. These attacks stand out for their severity and notoriety, and we hope that these brands’ blunders may become valuable lessons for improving your company’s own cybersecurity.

2013 Target Third-Party Breach

An astounding 41 million Target customers holding store credit cards were affected by the retail king’s disruptive 2013 cyber attack. Through a malware attack, bad actors gained access to the names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data of Target store credit card holders. Later investigation found that another 60 million Target customers without store credit cards were also affected, according to USA Today.

Investigators traced the customer data breach back to security weaknesses from a third-party vendor who was compromised by hackers. From there, the cyber criminals used the third-party’s credentials to infiltrate Target’s systems. 

After the two-year class-action lawsuit was settled in 2015, Target agreed to pay up to $10,000 to customers who suffered losses as a result of the data breach, shelling out $18.5 million total in the settlement: a costly oversight for both the company’s bottom line and brand reputation.

Lesson Learned

Many major corporations work with third-party companies for tools and management. When it comes to cybersecurity, you don’t just have your own business’ security policies and safeguards to worry about; you also have to screen those who handle your data for their vulnerabilities.

When starting a new relationship with a vendor or partner, ask to review their current security policies and procedures, and have a trusted security professional assess their risk. This is an excellent practice to repeat annually for long-term third-party providers as well, to ensure they are keeping up to date with ever-evolving cyber risks.

2020 Twitter Bitcoin Scam

One of this year’s recent cyber attacks was the Twitter Bitcoin scam, proving that not even the social media giants are impervious to cyber breaches. 

Prominent Twitter users with the trusted blue verification checkmark tweeted “double your Bitcoin” offers, telling their followers that they would double donations made through a selected link. Well-respected leaders, celebrities, and big brands like former U.S. President Barack Obama, media billionaire Mike Bloomberg, tech giant Apple, and more were among the Twitter accounts affected. Because the accounts targeted had millions of followers, the bad actors received hundreds of contributions within mere minutes, reportedly totaling over $100K in Bitcoin, according to the BBC.

But how did cybercriminals breach so many high-profile users’ accounts in one swoop? Through a series of highly-targeted social engineering attacks. Bad actors manipulated Twitter employees to infect them with malware. From there, they made their way through Twitter’s internal systems and gained administrative access to a wealth of verified users’ passwords.

Lesson Learned

Twitter employees were the company’s biggest weakness, falling for social engineering exploits that allowed the bad actors a backdoor into highly-sensitive login information. Take some time to learn more about how social engineers trick employees and educate your team on social engineering red flags.

Since the attack, Twitter has vowed to make several crucial vulnerability improvements, including a heavy focus on heightening their detection and monitoring capabilities, access management processes and authentication systems, and more, making the link above a worthwhile read.

2014 Sony Pictures Phish

Sony Pictures Entertainment found itself the bullseye of the North Korean government after its launch of a new movie, "The Interview." North Koreans were outraged over the Sony film, a comedy about the assassination of the North Korean leader, Kim Jong Un, which made the film production company a deliberate target of a social engineering exploit.

Bad actors sent phishing emails to Sony executives, posing as Apple and asking the C-suite to verify their Apple IDs. Once the employees clicked on the spoofed link to the phony verification page and entered their credentials, the cyber criminals had what they needed. One executive used the same password for his Apple ID as he did his Sony account, giving the hackers all they needed to breach the company infrastructure. 

The bad actors digitally dug through Sony’s systems and stole confidential documents, which they leaked online, including details of recent film productions and private employee data, according to The Washington Post.

Lesson Learned

Controversial content can be triggering to certain audiences, and Sony’s failure to consider how a comedy about a foreign country might play out ultimately made them a prime target for revenge. When pushing out new content, be sure to consider how your audiences could react to it. If neutrality is hard to achieve, weigh the risks of a bold launch with the help of a risk analysis.

The second lesson lies in reflecting on the highly targeted social engineering phishing scam that tricked Sony’s C-suite. We recommend requiring executives, not just employees, to undergo extensive security awareness training and social engineering strength testing to improve their understanding of the clever pretexts and hacking techniques used by bad actors.

2016 US Presidential Election Email Leak

One of the top hacks of the decade was the Democratic campaign’s email leak, which spread across the Internet amid mass hysteria.

Bad actors from Russia sent a series of spearphishing emails to various individuals in The Democratic National Convention’s network, posing as Google warning recipients of suspicious activity on their Google accounts. The social engineering email shortened the link using a Bitly URL, hiding its true redirect path. 

Once the shortened link was clicked, the webpage asked recipients to change their password. After targets clicked the spoofed link and entered their credentials, the cyber criminals gained full access to their Google account, including Gmail, which allowed them to pull thousands of emails containing sensitive information pertaining to the Democratic candidate Hillary Clinton’s campaign.

Lesson Learned

Even if you know to think before you click, be cautious of shortened URL links. Shortened links, such as those created by services like Bitly, don’t easily allow you to see where a URL redirects to, increasing your risk of malware infection. Shortened URLs also cannot be blocked by a firewall, because the destination URL cannot be analyzed.

There are few circumstances where a reputable company will ever send you a shortened URL, so if you see a Bitly link, proceed with caution: it could be a malware trap.
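One way a security team can surface the hidden destination of shortened links in a suspicious email, as an added example that is not part of the original post: extract the URLs, flag those on known shortener hosts, and walk the redirect chain one HEAD request at a time without ever loading the page. The shortener list, the sample email, and the offline stand-in for HTTP HEAD are all constructed here for illustration; in production `head` would wrap a real client such as `requests.head(url, allow_redirects=False)`.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed list of common URL-shortener hosts (assumption; extend for your environment).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def find_urls(text):
    """Return every http(s) URL found in an email body."""
    return URL_RE.findall(text)


def is_shortener(url):
    """True if the URL's host is a known link-shortening service."""
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def expand_redirects(url, head, max_hops=5):
    """Follow HTTP redirects hop by hop, returning the full chain of URLs.
    `head(url)` must return (status_code, location_header_or_None); it is injected
    so the check runs offline in tests. Stops on a non-redirect, a redirect loop,
    or after max_hops, and never fetches page content (Location header only)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:  # redirect loop: stop rather than spin
            break
        chain.append(nxt)
    return chain


def triage_email(text, head):
    """Flag shortened links and report where each one really lands."""
    findings = []
    for url in find_urls(text):
        if is_shortener(url):
            chain = expand_redirects(url, head)
            findings.append({"url": url, "final": chain[-1], "hops": len(chain) - 1})
    return findings


# Constructed phishing-style email in the shape of the Google alert described above.
SAMPLE_EMAIL = """Google Security Alert: someone has your password.
Change your password now: https://bit.ly/EXAMPLE1
Account help: https://support.google.com/accounts"""

# Constructed offline stand-in for HEAD requests: URL -> (status, Location header).
FAKE_HEAD_RESPONSES = {
    "https://bit.ly/EXAMPLE1": (301, "https://accounts-google.example-phish.test/reset"),
}


def fake_head(url):
    return FAKE_HEAD_RESPONSES.get(url, (200, None))
```

Running `triage_email(SAMPLE_EMAIL, fake_head)` reports the Bitly link and the lookalike domain it resolves to, which is exactly the information the shortener hides from the recipient.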

2013 Yahoo Customer Account Breach

A few years back, Yahoo had every single customer account compromised in a social engineering exploit. A remarkable three billion users had their Yahoo credentials exposed, some of which were sold on the dark web with the intention of launching further attacks on the individuals compromised. Because of its scale and the exposure of the data, this is often considered one of the worst cyber attacks of the 2000s.

The attack occurred as the result of an error by a high-privilege engineer, who clicked on a phishing email. Noticing a theme with these top hacks of the decade? Phishing scams loom large and cause immense damage.

What makes this attack worse is that Yahoo underestimated the number of accounts breached, reporting only 500 million affected. It was another four years before the true extent of the exploit was revealed: literally everyone who had an account at the time of the attack was affected. Obviously, this was far too late to protect affected users from the possible repercussions of the breach.

Lesson Learned

Once again, it’s clear that social engineering tactics, specifically phishing schemes, are something to be taken extremely seriously. This popular form of cyber attack takes advantage of humans’ natural inclination to trust, fooling individuals into granting bad actors access to entire digital infrastructures.

More Lessons from Cyber Breach Lawsuits

In our other blog, 4 Lessons Learned from the Top Data Breach Lawsuits & Class Action Settlements, we explore the repercussions of four other costly breaches and detail valuable takeaways from the companies’ mistakes.

Click the link above to discover lessons from the following attacks:

  • Equifax, 2017
  • Uber, 2016
  • British Airways, 2018
  • Canva, 2019

Reduce Your Risk Threshold in 5-½ Steps

Don’t make the same mistakes these major brands did. Use the lessons learned to strengthen your security defenses, with the right help.

Luckily, we’re here to demystify what it means to mitigate your risks, in just 5-½ easy steps. Our free guide breaks down a few of the most important improvements you can make, helping to dramatically improve your security posture.

Download the Steps to Avoid Cyber Threats ebook, today.