The 10 Worst Social Engineering Attacks 

Jan 24, 2021 | Security

High-profile cyberattacks have continued to make headlines in recent weeks, particularly after the massive SolarWinds hack that infiltrated federal agencies and major tech companies.

While the nature of these attacks appears highly sophisticated, it’s important to remember that most day-to-day cyberattacks use a very low-tech method to breach secure networks: user deception.

One of the most serious cyber threats that organizations face today is social engineering. In a social engineering attack, hackers fool users into providing their login credentials or other sensitive information in order to steal data, steal money or lay the groundwork for future attacks.

Most commonly, hackers achieve this by using phishing scams: fake emails and login pages that are designed to look legitimate. Once users enter their credentials into these pages, the hackers capture the data. With the right access, hackers can reach the most secure systems at any organization, infecting them with malware to wreak further havoc, faster, across an entire network.

With that being said, let’s look at 10 of the worst social engineering attacks of all time.

 

1) Twitter

Remember that weird time Jeff Bezos asked his Twitter followers for $1,000 charitable donations?

On July 15th, 2020, a massive but short-lived hack took place on the social media platform, which stemmed from a social engineering attack. It affected the accounts of several high-profile people and companies, including former president Barack Obama, president Joe Biden, Elon Musk, Kim Kardashian, Jeff Bezos, Uber and Apple. Ultimately around 130 accounts were accessed by the criminals.

The attack leveraged a form of social engineering known as vishing, or voice spear phishing. Employees received phone calls from hackers purporting to be IT personnel, who deceived the users into providing their login credentials for Twitter’s internal tools. Those tools gave the hackers control of the high-profile accounts, which they used to launch a bitcoin scam. In just a few hours of fake tweets, these thieves were able to come away with over $118,000 in bitcoin.

 

2) SolarWinds

There are still endless lingering questions about how hackers orchestrated this massive attack on federal agencies via a software update from SolarWinds. But many experts believe “there is a reasonable chance that it will turn out to be through a well-known vulnerability” such as a phishing scheme.

In what may be the worst cyberattack against U.S. systems in history, Russian hackers were able to breach the email servers of the United States Treasury Department and other government agencies, including Commerce and Homeland Security.

Microsoft helped to quickly narrow down where the hack originated, pinpointing it to the main computer network management software servers at Texas-based SolarWinds, which many of these agencies and other organizations use. Overall, this attack was able to infiltrate more than 40 government agencies. Most were based in the United States, but some were in other countries like Spain, Mexico, Belgium and Canada.

 

3) Toyota Motor Corporation

One of the biggest car manufacturing companies in the world, Toyota Motor Corporation, was the target of a 2019 financial hack that stemmed from a social engineering attack.

Hackers were able to trick high-level financial officers into changing some bank account numbers, leading to a wire transfer. The hackers were able to get their hands on an enormous amount of money: $37 million. This was all conceived and performed with a simple email scam called a “business email compromise,” or BEC, which is essentially a slightly more sophisticated phishing scam targeted at businesses.

Experts speculate that the hackers probably posed as executive officers within the Toyota corporation.

 

4) Barbara Corcoran of Shark Tank

Shark Tank is a popular NBC TV show that features several well-known mega-mogul entrepreneurs giving budding companies a chance to expand their businesses. One of those now-celebrity entrepreneurs is Barbara Corcoran. During a social engineering scam in early 2020, hackers successfully deceived her team into sending them a payment of $400,000.

In an email to her accountants, the hackers passed themselves off as her assistant. They said that the money was needed for a renewal of an investment related to real estate property. The crime was discovered when the accountant sent a follow-up email to the real assistant, who said that she didn’t request any such payment.

 

5) The Democratic Party

In 2016, the Democratic party was the victim of an email leak that continues to be the subject of political controversy today. But many people forget that this leak stemmed from a social engineering attack. By accessing the email accounts of several members of Clinton’s campaign team and the Democratic National Committee during the height of her presidential run, hackers were able to obtain a trove of otherwise private communications.

Hackers accessed around 150,000 emails from 12 separate accounts. The hackers infiltrated the accounts with a relatively simple phishing scam in which they got staffers to change their passwords by pretending to be Google.

 

6) Sony Pictures

In 2014, movie studio Sony Pictures was the target of a social engineering attack carried out by hackers based in North Korea. At the time, North Korea was upset at Sony for an upcoming movie, “The Interview,” poking fun at North Korea’s leader, Kim Jong Un. In retaliation, hackers launched a spear-phishing campaign that fooled Sony executives into revealing their credentials for various accounts. Experts say the attack may have initially begun by convincing users to enter their Apple ID login information, which was then used to access users’ other accounts.

Ideally, North Korea wanted Sony to stop the release of the movie. That didn’t happen even though the hackers were able to get a ton of personal information about the company and their employees, racking up millions of dollars in financial losses for the studio. In 2018, a North Korean programmer named Park Jin Hyok was charged for the attacks.

 

7) Target

One of the largest “big box” stores in the world had a major data breach in 2013. Hackers were able to get a hold of the payment information for at least 40 million customers from Target. It was one of the largest breaches of personal financial data in history.

While the breach made big headlines at the time, people often forget that it stemmed from a phishing scheme.

Cyber criminals gained access to Target’s systems via one of its vendors in Pennsylvania. A malicious email was opened by an employee at Fazio Mechanical, an HVAC company that had access to Target’s network. This allowed the hackers to deploy malware that quickly copied all of the credit and debit card information from each customer. The attack affected customers at nearly all of its stores across the U.S. (and later forced the company to pay $18.5 million in legal settlements).

 

8) RSA SecurID Cyber Attack

RSA is a security company that was the target of a social engineering attack in 2011. In this attack, a number of employees received a phishing email containing malware-laced file attachments. When employees opened the attachments, thinking they were legitimate, they gave the hackers backdoor access.

The company, which provides two-factor authentication tools and other security solutions, ultimately had to pay millions of dollars in lawsuits because of this breach.

 

9) Yahoo

In 2014, Yahoo was the subject of a huge cyberattack that affected millions of their users – though the full scale of the attack didn’t become public until 2016.

When it occurred, it was considered one of the biggest social engineering attacks of all time, affecting 500 million Yahoo accounts. (However, news later surfaced of a second and much larger breach, affecting 3 billion Yahoo accounts.)

According to CSO, “A single click was all it took to launch one of the biggest data breaches ever.” Hackers sent a spear-phishing email to a Yahoo employee and successfully captured his network credentials. This ultimately gave the hackers access to Yahoo’s user database and the Account Management Tool, which is used to edit the database. The hackers came away with usernames, passwords, birth dates, recovery emails and security questions. Having this kind of information allowed them to gain access to many customers’ sensitive information for financial gain.

As with many phishing scams, the usual goal of hackers is not to individually exploit each user’s stolen data, but to sell that information on the dark web, where other cybercriminals can use it to launch their own attacks.

 

10) The CIA and Kane Gamble

The CIA, along with intelligence agencies around the world, was the hacking target of one very smart person, Kane Gamble. As a teenager, Gamble was able to access not only the CIA, but the FBI and Department of Justice as well. In 2018, authorities revealed he’d gained access to intelligence operations in Afghanistan and Iran by pretending to be the head of the CIA. He did this from the comfort of his own bedroom in the United Kingdom, at 15 years old.

The goal of the attack was to obtain the phone numbers and emails of high-level officials in the U.S. and overseas. His social engineering attacks caused embarrassment for numerous federal agencies, but ultimately Gamble received a mere two-year sentence at a juvenile detention center.

 

Protect your organization from social engineering attacks with stronger BC/DR

See how you can protect your data with robust data backups and disaster recovery solutions from Datto. Request a free demo or speak to our business continuity experts at Invenio IT today. Call (646) 395-1170 or email success@invenioIT.com.


Dale Shulmistra is a Business Continuity Specialist at Invenio IT, responsible for shaping the company’s technology initiatives -- selecting, designing, implementing & supporting business continuity solutions to bolster client operational efficiencies and eliminate downtime.