Like many other hacks, Uber’s major security breach started with a text message. Citing details provided by the alleged hacker, The New York Times reported that a fake text message tricked an Uber employee into revealing their password details, triggering a sequence of events that led to a large-scale compromise of the ridesharing company’s IT systems.
Even for a company with Uber’s resources, these kinds of social engineering threats are impossible to completely defend against. It doesn’t matter how good a firm’s password policies are, whether sensitive information is properly stored or encrypted, and even whether multi-factor authentication is used — there’s always a chance that a human employee will be fooled into letting the attacker in through the front door.
Social engineering is a blanket term for this kind of attack: a wide range of techniques that dupe targets into disclosing sensitive information, using carefully tailored phishing campaigns or other psychological tricks. In its quarterly threat report for Q2 2022, enterprise cybersecurity provider ZeroFox assessed that “social engineering remained one of the most frequently reported intrusion tactics in Q2, and this will almost certainly remain the case for the foreseeable future.” For large companies, it’s one of the hardest attacks to protect against for the simple reason that human beings are gullible.
Josh Yavor, CISO at email security provider Tessian, agrees. “Social engineering is the predominant way that companies fall victim to breaches, and adversaries know it works,” Yavor said.
In this case, it was the use of social engineering techniques that allowed the attacker to skirt around multi-factor authentication processes that would usually prevent an unauthorized login, even with the correct username and password.
Screenshots shared from conversations with the hacker give some sense of how the attack unfolded. The hacker claims that after they had obtained the employee’s password, they repeatedly triggered push notifications in an authentication app — then sent a WhatsApp message claiming to be from Uber’s IT department instructing the employee to confirm that the login attempt was legitimate.
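The repeated push prompts followed by a single approval are the detectable signature of this technique. The following is an added example (not code from the original article or from Uber) that runs that detection over a constructed MFA push log; the log format, user names and thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log, one JSON record per line (not real Uber data).
# "result" is what the user did with the prompt: approved, denied, or timeout.
SAMPLE_LOG = """\
{"ts": "2024-01-01T21:02:10Z", "user": "contractor1", "result": "timeout"}
{"ts": "2024-01-01T21:02:45Z", "user": "contractor1", "result": "timeout"}
{"ts": "2024-01-01T21:03:20Z", "user": "contractor1", "result": "denied"}
{"ts": "2024-01-01T21:04:05Z", "user": "contractor1", "result": "timeout"}
{"ts": "2024-01-01T21:55:30Z", "user": "contractor1", "result": "approved"}
{"ts": "2024-01-01T21:10:00Z", "user": "alice", "result": "approved"}
{"ts": "2024-01-01T21:12:00Z", "user": "bob", "result": "denied"}
{"ts": "2024-01-01T21:13:00Z", "user": "bob", "result": "approved"}
"""

def parse_log(log_text):
    """Group (timestamp, result) pairs by user, sorted by time."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            by_user[rec["user"]].append((ts, rec["result"]))
    for events in by_user.values():
        events.sort()
    return by_user

def detect_push_fatigue(log_text, min_unanswered=3, lookback=timedelta(hours=1)):
    """Flag an approval that follows >= min_unanswered denied or ignored prompts
    for the same user within `lookback`: a burst of prompts that the user did
    not accept, then a late 'yes', is the prompt-bombing pattern."""
    alerts = []
    for user, events in parse_log(log_text).items():
        unanswered = []  # timestamps of prompts the user did not approve
        for ts, result in events:
            if result != "approved":
                unanswered.append(ts)
                continue
            recent = [t for t in unanswered if ts - t <= lookback]
            if len(recent) >= min_unanswered:
                alerts.append({"user": user, "unanswered_prompts": len(recent),
                               "approved_at": ts.isoformat()})
            unanswered = []  # an approval closes the episode and resets the count
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Only contractor1 is flagged: four unanswered prompts and then an approval within the hour, while bob's single denial followed by an approval stays below the threshold.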
This gave them access to a VPN through which they could connect to Uber’s corporate intranet and, from there, scan the network for sensitive files and applications that would not be accessible from a connection outside of the VPN. In a PowerShell script (which is used to automate tasks on Windows machines), they reportedly found an admin password to log into Thycotic: a privileged access management (PAM) tool that controlled access to other software used by the company.
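A credential sitting in plain text inside an automation script is exactly what a routine secrets scan of a script repository is meant to catch before an intruder does. The following is an added example (not code from the article, Uber or Thycotic) that flags the common ways a PowerShell script embeds a password and reports each hit with the value redacted; the sample script and its placeholder values are constructed.

```python
import re

# Constructed sample script (not Uber's); the secret values are placeholders.
SAMPLE_SCRIPT = '''\
# backup.ps1 - nightly job
$vaultUser = "svc_backup"
$vaultPass = "P@ssw0rd-EXAMPLE"
$secure = ConvertTo-SecureString "S3cret-EXAMPLE" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($vaultUser, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Credential $cred
$apiKey = Get-Secret -Name BackupApiKey   # fetched from a vault at runtime: fine
'''

# Each pattern describes one way a script ends up carrying a secret in clear text.
PATTERNS = {
    "plaintext variable": re.compile(
        r'\$\w*(pass|pwd|secret|token|key)\w*\s*=\s*["\'][^"\']+["\']', re.I),
    "ConvertTo-SecureString literal": re.compile(
        r'ConvertTo-SecureString\s+["\'][^"\']+["\'].*-AsPlainText', re.I),
    "inline -Password argument": re.compile(
        r'-(Password|Pass|Pwd)\s+["\'][^"\']+["\']', re.I),
}

def redact(line):
    """Replace every quoted literal so the report itself never leaks the value."""
    return re.sub(r'(["\'])[^"\']+\1', r'\1***\1', line)

def find_hardcoded_secrets(script_text):
    """Return one finding per offending line: line number, pattern name, redacted text."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "type": name, "snippet": redact(line)})
                break  # one finding per line is enough for triage
    return findings

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_SCRIPT):
        print(f"line {finding['line']}: {finding['type']}: {finding['snippet']}")
```

Lines 3 and 4 of the sample are reported; the `Get-Secret` call on line 7, which resolves the value from a vault at run time, is the pattern the scan is meant to leave alone.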
“Using this I was able to extract secrets for all services,” the hacker wrote in a Telegram message.
Adequately preparing companies is a big challenge — made more difficult by the exclusion of social engineering from most bug bounty reward schemes. Social engineering attacks are rarely covered by those schemes, which offer hackers a financial reward for disclosing how they are able to break into systems. This was specifically true in the case of Uber, which declared social engineering “out of scope” for its own bug bounty program — providing no incentive (at least, no monetary incentive) for the hacker to share details of their exploit with Uber before going public.
JC Carruthers, president of Snowfensive, a cybersecurity firm that offers social engineering assessments, told The Verge that excluding social engineering attacks from bug bounty programs is standard procedure, as to do otherwise would incentivize attackers to target employees.
“The target isn’t an IP address or endpoint — it’s a human,” Carruthers said. “From an organization’s perspective, they are authorizing the bounty hunter to test a person for whom they might not have legal authority, or there may be ethical concerns.”
Even more dogged than the ethical challenge is simply the difficulty in effectively fixing the problem. A software vulnerability can be patched once it’s disclosed — but knowing a company’s employees can be fooled by a particular kind of request leaves security executives with few options for fixing the problem.
“The most significant reason organizations don’t include social engineering in their bug bounty program is because they know a social engineering attack will work,” Carruthers said.
Generally, companies try to prepare their staff against such attacks with “red teaming” — hiring a security firm to try to compromise employees’ systems with phishing emails, text messages, or other similar tactics and then provide a report on how they could improve. It’s a strategy that undoubtedly improves security but may fail to emulate the deviousness and persistence of real-world social engineering hacks due to ethical constraints.
As far as prevention goes, employee authentication can also be improved by requiring physical security keys to log on rather than app-based notifications. In one positive example, Cloudflare was recently targeted by a sophisticated phishing scam but was able to minimize impact due to the use of hardware token authentication. In the case of the attack on Uber, had the targeted employee had a security key, the hacker wouldn’t have been able to breach the VPN system without physical access to either the key or the employee’s machine.
Ultimately, though, the versatility of social engineering means it’s impossible to completely eliminate the threat.
“When the attack vector is human in nature, you can’t simply patch it,” Carruthers says.