In 2011 RSA Security – the company that provides SecurID two-factor authentication tokens to millions of people – was hacked by way of a phishing email. This is an important hack to remember for three reasons.
One, the phishing email was primitive and should have been seen for what it was – a fake.
Two, the attack demonstrates that even security companies are vulnerable to simple social engineering techniques.
Three, a common form of two-factor authentication was compromised, possibly leaving many millions of users at risk.
Hackers sent RSA employees two emails over two days. One was from ‘webmaster’ at a fake beyond.com site. The subject line read ‘2011 staffing plan.’ Upon opening the email, targets saw an attached Excel spreadsheet also titled ‘2011 staffing plan.’
From there, all the attackers needed was for a recipient to open the Excel file.
If the recipient clicked on the attachment, an Excel spreadsheet opened that was completely blank except for an “X” in the first cell. That “X” was the only visible sign of the Flash exploit embedded in the spreadsheet.
When the spreadsheet opened, Excel rendered the embedded Flash object, which triggered the exploit and injected a backdoor — in this case the backdoor known as Poison Ivy — onto the system. From there, the hackers could remotely control the machine and move on to the systems and data they sought.
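The lure worked because the Flash object was invisible to the user but not to a byte-level scan. The following is an added example, not code from the original post or from RSA: it checks a file image for embedded SWF (Flash) headers and validates each candidate so that the letters "FWS" in ordinary text are not reported. The sample spreadsheet bytes and the SWF body are constructed for the demonstration.

```python
import struct
import zlib
from typing import Optional

# SWF file signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header of legacy .xls


def _swf_header_at(data: bytes, off: int) -> Optional[dict]:
    """Return the SWF header fields at `off`, or None if it is a false match."""
    if off + 8 > len(data):
        return None
    sig, version = data[off:off + 3], data[off + 3]
    (length,) = struct.unpack_from("<I", data, off + 4)
    # Real SWF headers carry a small version number and a length of at least 8 bytes.
    if not 1 <= version <= 64 or length < 8:
        return None
    if sig == b"FWS" and length > len(data) - off:
        return None  # an uncompressed SWF cannot be longer than what follows it
    if sig == b"CWS":
        try:  # the bytes after the header must start a valid zlib stream
            zlib.decompressobj().decompress(data[off + 8:off + 8 + 4096])
        except zlib.error:
            return None
    return {"offset": off, "signature": sig.decode(), "version": version, "length": length}


def find_embedded_swf(data: bytes) -> list:
    """Scan a file image for embedded Flash objects, rejecting chance matches."""
    hits = []
    for sig in SWF_SIGNATURES:
        off = data.find(sig)
        while off != -1:
            header = _swf_header_at(data, off)
            if header:
                hits.append(header)
            off = data.find(sig, off + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample() -> bytes:
    """Constructed stand-in for a spreadsheet carrying one zlib-compressed SWF."""
    body = bytes.fromhex("78000550000bb8000bb800000c0100")  # constructed SWF body
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    decoy = b"see FWS\x00\x00\x00\x00\x00 report"  # the letters "FWS" in plain text
    return OLE2_MAGIC + b"\x00" * 24 + decoy + b"\x00" * 13 + swf + b"\x00" * 16


if __name__ == "__main__":
    for hit in find_embedded_swf(build_sample()):
        print("embedded Flash object:", hit)
```

A mail gateway or sandbox that applies a check like this to attachments flags the lure before any user sees the blank sheet with its lone "X".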
The true impact of this hack has never been fully explained by RSA. We do know that they spent upwards of $66 million recovering from the hack.
What is striking is how easily a security company was compromised – and how deeply.
Employees targeted through social engineering were once again shown to be the easiest entry point for hackers.