Skip to main content

Uber’s hack shows the stubborn power of social engineering

Uber’s hack shows the stubborn power of social engineering


In corporate IT systems, humans are usually the weakest link

Share this story

Photo by Amelia Holowaty Krales / The Verge

Like many other hacks, Uber’s major security breach started with a text message. Citing details provided by the alleged hacker, The New York Times reported that a fake text message tricked an Uber employee into revealing their password details, triggering a sequence of events that led to a large-scale compromise of the ridesharing company’s IT systems.

Even for a company with Uber’s resources, these kinds of social engineering threats are impossible to completely defend against. It doesn’t matter how good a firm’s password policies are, whether sensitive information is properly stored or encrypted, and even whether multi-factor authentication is used — there’s always a chance that a human employee will be fooled into letting the attacker in through the front door.

Social engineering is a blanket term for this kind of attack: a wide range of techniques that dupe targets into disclosing sensitive information, using carefully tailored phishing campaigns or other psychological tricks. In its quarterly threat report for Q2 2022, enterprise cybersecurity provider ZeroFox assessed that “social engineering remained one of the most frequently reported intrusion tactics in Q2, and this will almost certainly remain the case for the foreseeable future.” For large companies, it’s one of the hardest attacks to protect against for the simple reason that human beings are gullible.

Josh Yavor, CISO at email security provider Tessian, agrees. “Social engineering is the predominant way that companies fall victim to breaches, and adversaries know it works,” Yavor said.

In this case, it was the use of social engineering techniques that allowed the attacker to skirt around multi-factor authentication processes that would usually prevent an unauthorized login, even with the correct username and password.

Screenshots shared from conversations with the hacker give some sense of how the attack unfolded. The hacker claims that after they had obtained the employee’s password, they repeatedly triggered push notifications in an authentication app — then sent a WhatsApp message claiming to be from Uber’s IT department instructing the employee to confirm that the login attempt was legitimate.

This gave them access to a VPN through which they could connect to Uber’s corporate intranet and, from there, scan the network for sensitive files and applications that would not be accessible from a connection outside of the VPN. In a PowerShell script (which is used to automate tasks on Windows machines), they reportedly found an admin password to log into Thycotic: a privileged access management (PAM) tool that controlled access to other software used by the company.

“Using this I was able to extract secrets for all services,” the hacker wrote in a Telegram message.

Adequately preparing companies is a big challenge — made more difficult by the exclusion of social engineering from most bug bounty reward schemes. Social engineering attacks are rarely covered by those schemes, which offer hackers a financial reward for disclosing how they are able to break into systems. This was specifically true in the case of Uber, which declared social engineering “out of scope” for its own bug bounty program — providing no incentive (at least, no monetary incentive) for the hacker to share details of their exploit with Uber before going public.

JC Carruthers, president of Snowfensive, a cybersecurity firm that offers social engineering assessments, told The Verge that excluding social engineering attacks from bug bounty programs is standard procedure, as to do otherwise would incentivize attackers to target employees.

“The target isn’t an IP address or endpoint — it’s a human,” Carruthers said. “From an organization’s perspective, they are authorizing the bounty hunter to test a person for whom they might not have legal authority, or there may be ethical concerns.”

Even more dogged than the ethical challenge is simply the difficulty in effectively fixing the problem. A software vulnerability can be patched once it’s disclosed — but knowing a company’s employees can be fooled by a particular kind of request leaves security executives with few options for fixing the problem.

“The most significant reason organizations don’t include social engineering in their bug bounty program is because they know a social engineering attack will work,” Carruthers said.

“The target isn’t an IP address or endpoint — it’s a human.”

Generally, companies try to prepare their staff against such attacks with “red teaming” — hiring a security firm to try to compromise employees’ systems with phishing emails, text messages, or other similar tactics and then provide a report on how they could improve. It’s a strategy that undoubtedly improves security but may fail to emulate the deviousness and persistence of real-world social engineering hacks due to ethical constraints.

As far as prevention goes, employee authentication can also be improved by requiring physical security keys to log on rather than app-based notifications. In one positive example, Cloudflare was recently targeted by a sophisticated phishing scam but was able to minimize impact due to the use of hardware token authentication. In the case of the attack on Uber, had the targeted employee had a security key, the hacker wouldn’t have been able to breach the VPN system without physical access to either the key or the employee’s machine.

Ultimately, though, the versatility of social engineering means it’s impossible to completely eliminate the threat.

“When the attack vector is human in nature, you can’t simply patch it,” Carruthers says.

Today’s Storystream

Feed refreshed Sep 25 Not just you

Emma RothSep 25
Rihanna’s headlining the Super Bowl Halftime Show.

Apple Music’s set to sponsor the Halftime Show next February, and it’s starting out strong with a performance from Rihanna. I honestly can’t remember which company sponsored the Halftime Show before Pepsi, so it’ll be nice to see how Apple handles the show for Super Bowl LVII.

Emma RothSep 25
Starlink is growing.

The Elon Musk-owned satellite internet service, which covers all seven continents including Antarctica, has now made over 1 million user terminals. Musk has big plans for the service, which he hopes to expand to cruise ships, planes, and even school buses.

Musk recently said he’ll sidestep sanctions to activate the service in Iran, where the government put restrictions on communications due to mass protests. He followed through on his promise to bring Starlink to Ukraine at the start of Russia’s invasion, so we’ll have to wait and see if he manages to bring the service to Iran as well.

External Link
Emma RothSep 25
We might not get another Apple event this year.

While Apple was initially expected to hold an event to launch its rumored M2-equipped Macs and iPads in October, Bloomberg’s Mark Gurman predicts Apple will announce its new devices in a series of press releases, website updates, and media briefings instead.

I know that it probably takes a lot of work to put these polished events together, but if Apple does pass on it this year, I will kind of miss vibing to the livestream’s music and seeing all the new products get presented.

External Link
Emma RothSep 24
California Governor Gavin Newsom vetoes the state’s “BitLicense” law.

The bill, called the Digital Financial Assets Law, would establish a regulatory framework for companies that transact with cryptocurrency in the state, similar to New York’s BitLicense system. In a statement, Newsom says it’s “premature to lock a licensing structure” and that implementing such a program is a “costly undertaking:”

A more flexible approach is needed to ensure regulatory oversight can keep up with rapidly evolving technology and use cases, and is tailored with the proper tools to address trends and mitigate consumer harm.

Welcome to the new Verge

Revolutionizing the media with blog posts

Nilay PatelSep 13
The Verge
Andrew WebsterSep 24
Get ready for some Netflix news.

At 1PM ET today Netflix is streaming its second annual Tudum event, where you can expect to hear news about and see trailers from its biggest franchises, including The Witcher and Bridgerton. I’ll be covering the event live alongside my colleague Charles Pulliam-Moore, and you can also watch along at the link below. There will be lots of expected names during the stream, but I have my fingers crossed for a new season of Hemlock Grove.

Andrew WebsterSep 24
Looking for something to do this weekend?

Why not hang out on the couch playing video games and watching TV. It’s a good time for it, with intriguing recent releases like Return to Monkey Island, Session: Skate Sim, and the Star Wars spinoff Andor. Or you could check out some of the new anime on Netflix, including Thermae Romae Novae (pictured below), which is my personal favorite time-traveling story about bathing.

A screenshot from the Netflix anime Thermae Romae Novae.
Thermae Romae Novae.
Image: Netflix
Jay PetersSep 23
Twitch’s creators SVP is leaving the company.

Constance Knight, Twitch’s senior vice president of global creators, is leaving for a new opportunity, according to Bloomberg’s Cecilia D’Anastasio. Knight shared her departure with staff on the same day Twitch announced impending cuts to how much its biggest streamers will earn from subscriptions.

Tom WarrenSep 23
Has the Windows 11 2022 Update made your gaming PC stutter?

Nvidia GPU owners have been complaining of stuttering and poor frame rates with the latest Windows 11 update, but thankfully there’s a fix. Nvidia has identified an issue with its GeForce Experience overlay and the Windows 11 2022 Update (22H2). A fix is available in beta from Nvidia’s website.