Sitting at his desk in a bleak office building, a tired-looking worker in a polo clicks around a social-media site. Suddenly, a chat window pops up in the corner. It's a recruiter. "We have two high level positions open right now that you are qualified for," she types. "Do you have a moment for some questions?"
Before long, the office worker, perhaps desperate to get out of his dead-end job, has turned over all the information the recruiter asks for: his clearance level, his company's financial performance, his company's corporate structure, and even contracts he's recently worked on.
But the person on the other end isn't a recruiter at all. Instead, our friend the office worker is being duped by a man in fatigues and a red beret, the video's stand-in for a state-sponsored hacker someplace sinister halfway across the globe.
The message, which comes in an educational video released Friday by the Office of the Director of National Intelligence, is simple: “Don't be this guy.”
“As with all emerging technologies, social media has provided some wondrous advances, but also new vulnerabilities that could be exploited by our adversaries,” a government spokeswoman warns in a related video.
The government’s “Know the Risk—Raise Your Shield” campaign, which began with a video about “spear phishing” and will continue to cover face-to-face targeting and travel awareness, sprang from the pair of high-profile hacks at the Office of Personnel Management that revealed the personal information of more than 22 million individuals, including current and former federal workers—and even people who had simply applied for a federal job.
Intelligence and law enforcement officials have said that foreign hackers and criminals can use the ever-growing database of stolen personal information and credentials to target individuals and extract more information from them. A hacker who can recite details that only a legitimate insider should know, such as a target's clearance level, employer, or past assignments, can pass as a trusted contact, gain the target's confidence, and exploit it.
The large-scale breach of tax information at the IRS last year was based on the same principle, although instead of fooling a human into trusting them, the hackers fooled a software tool that was supposed to verify users' identities. By feeding the system information like Social Security numbers, addresses, and financial information, the hackers were able to gain access to past tax filings and even file fraudulent returns. The check proved only that the person at the keyboard knew those facts, and facts that have already been stolen once are no secret to the thief.
On a much smaller scale, the breach of CIA Director John Brennan's personal email account is an example of how easily social engineering can be used to gain access to supposedly secure areas. The group that got into Brennan's email—at least one of whom says he is a teenage stoner—claims to have impersonated Verizon employees to get the information they needed to convince AOL to reset Brennan's email password. Here, too, the weak link was a reset process that trusted information anyone with a convincing phone manner could obtain from a third party.