
Uber’s hack shows the stubborn power of social engineering

In corporate IT systems, humans are usually the weakest link

Like many other hacks, Uber’s major security breach started with a text message. Citing details provided by the alleged hacker, The New York Times reported that a fake text message tricked an Uber employee into revealing their password details, triggering a sequence of events that led to a large-scale compromise of the ridesharing company’s IT systems.

Even for a company with Uber’s resources, these kinds of social engineering threats are impossible to completely defend against. It doesn’t matter how good a firm’s password policies are, whether sensitive information is properly stored and encrypted, or even whether multi-factor authentication is used: there’s always a chance that a human employee will be fooled into letting the attacker in through the front door.

Social engineering is a blanket term for this kind of attack: a wide range of techniques that dupe targets into disclosing sensitive information, using carefully tailored phishing campaigns or other psychological tricks. In its quarterly threat report for Q2 2022, enterprise cybersecurity provider ZeroFox assessed that “social engineering remained one of the most frequently reported intrusion tactics in Q2, and this will almost certainly remain the case for the foreseeable future.” For large companies, it’s one of the hardest attacks to protect against for the simple reason that human beings are gullible.

Josh Yavor, CISO at email security provider Tessian, agrees. “Social engineering is the predominant way that companies fall victim to breaches, and adversaries know it works,” Yavor said.

In this case, social engineering is what let the attacker bypass a multi-factor authentication step that would normally block an unauthorized login even when the username and password are correct.

Screenshots shared from conversations with the hacker give some sense of how the attack unfolded. The hacker claims that after they had obtained the employee’s password, they repeatedly triggered push notifications in the employee’s authentication app (a technique commonly called MFA fatigue or push bombing), then sent a WhatsApp message claiming to be from Uber’s IT department instructing the employee to confirm that the login attempt was legitimate.
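The pattern described above leaves a visible trace in identity-provider logs: a burst of denied or expired push challenges for one account, followed by an approval. The detector below is an added illustration, not Uber’s or any vendor’s code; the pipe-delimited log format and the three users are constructed for the example, and the field names are assumptions to be mapped onto your own IdP’s push-challenge events.

```python
"""Detect MFA push-fatigue ("push bombing") in authentication logs.

Added example, not code from Uber or any identity provider. The log format
below is constructed for the illustration: one event per line,
timestamp|user|event|outcome|source_ip. Map your own IdP's push-challenge
events onto these fields before using the detector.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    event: str      # e.g. "mfa.push.result"
    outcome: str    # "approved", "denied", "timeout", or "-" when not applicable
    src_ip: str


# Constructed sample log. alice is bombed with five prompts before she finally
# approves one; bob denies once then approves (a normal mis-tap); carol's four
# denials are spread over 45 minutes, so they fall outside the detection window.
SAMPLE_LOG = """\
2022-09-15T21:00:05Z|alice|mfa.push.result|denied|203.0.113.7
2022-09-15T21:01:10Z|alice|mfa.push.result|denied|203.0.113.7
2022-09-15T21:02:30Z|alice|mfa.push.result|timeout|203.0.113.7
2022-09-15T21:03:00Z|alice|mfa.push.result|denied|203.0.113.7
2022-09-15T21:04:15Z|alice|mfa.push.result|timeout|203.0.113.9
2022-09-15T21:06:00Z|alice|mfa.push.result|approved|203.0.113.9
2022-09-15T21:00:00Z|bob|mfa.push.result|denied|198.51.100.4
2022-09-15T21:00:30Z|bob|mfa.push.result|approved|198.51.100.4
2022-09-15T20:30:00Z|carol|mfa.push.result|denied|198.51.100.8
2022-09-15T20:45:00Z|carol|mfa.push.result|denied|198.51.100.8
2022-09-15T21:00:00Z|carol|mfa.push.result|denied|198.51.100.8
2022-09-15T21:15:00Z|carol|mfa.push.result|denied|198.51.100.8
2022-09-15T21:20:00Z|carol|mfa.push.result|approved|198.51.100.8
"""


def parse_log(text: str) -> list[AuthEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome, ip = line.split("|")
        # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
        events.append(AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                user, event, outcome, ip))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Alert when a user approves a push after >= min_rejections rejected or
    expired pushes within `window`. Returns one alert dict per such approval."""
    alerts = []
    pending = defaultdict(deque)   # user -> deque of (ts, outcome, src_ip) rejections
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event != "mfa.push.result":
            continue
        q = pending[ev.user]
        while q and ev.ts - q[0][0] > window:   # drop rejections older than the window
            q.popleft()
        if ev.outcome == "approved":
            if len(q) >= min_rejections:
                alerts.append({
                    "user": ev.user,
                    "approved_at": ev.ts.isoformat(),
                    "rejections": len(q),
                    "source_ips": sorted({ip for _, _, ip in q} | {ev.src_ip}),
                })
            q.clear()          # an approval ends the sequence either way
        else:
            q.append((ev.ts, ev.outcome, ev.src_ip))
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only alice trips the rule; carol’s denials are real but too spread out to look like bombing. Tune the window and threshold to your own baseline, and treat a change of source IP between the rejections and the approval as a reason to raise severity rather than a separate rule.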

That approval gave them access to a VPN, through which they could connect to Uber’s corporate intranet and, from there, scan the network for sensitive files and applications that are not reachable from outside the VPN. In a PowerShell script (PowerShell is the scripting and automation shell on Windows), they reportedly found a hardcoded admin password for Thycotic, a privileged access management (PAM) tool that controlled access to other software used by the company. Because a PAM system stores the credentials for other systems, one admin login to it is effectively a master key.

“Using this I was able to extract secrets for all services,” the hacker wrote in a Telegram message.
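A password inside an automation script is exactly the kind of defect a secrets scanner is meant to catch before an intruder does. The scanner below is an added example, not Uber’s tooling; both PowerShell scripts it checks are constructed, the PAM URL and the `CorpVault` vault name are hypothetical, and the hardened version fetches the credential at run time with the `Get-Secret` cmdlet from Microsoft’s PowerShell SecretManagement module instead of embedding it.

```python
"""Flag hard-coded credentials in PowerShell scripts.

Added example, not Uber's tooling. Both scripts below are constructed for the
illustration; the PAM URL and the SecretManagement vault name are hypothetical.
"""
import re

# Each rule: (name, regex whose named group `secret` captures the literal).
RULES = [
    ("plaintext-to-securestring",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>[^'\"]+)\1\s+-AsPlainText", re.I)),
    ("secret-literal-assignment",
     re.compile(r"\$\w*(?:pass|pwd|secret|token|apikey)\w*\s*=\s*(['\"])(?P<secret>[^'\"]+)\1", re.I)),
    ("secret-literal-parameter",
     re.compile(r"-(?:Password|Secret|Token|ApiKey)\s+(['\"])(?P<secret>[^'\"]+)\1", re.I)),
]

# Constructed "before": the kind of script in which a PAM admin password sits in clear text.
VULNERABLE_SCRIPT = """\
# rotate-backups.ps1 -- runs nightly from a shared scripts folder
$pamUser = "svc_pam_admin"
$pamPass = "Sup3rS3cret!2022"
$secure  = ConvertTo-SecureString "Sup3rS3cret!2022" -AsPlainText -Force
$cred    = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api/secrets" -Credential $cred
"""

# Constructed "after": the credential is fetched at run time from a vault through the
# Microsoft.PowerShell.SecretManagement module, so nothing usable is written into the file.
HARDENED_SCRIPT = """\
# rotate-backups.ps1 -- credential pulled from the vault at run time
$cred = Get-Secret -Name PamAdmin -Vault CorpVault
Invoke-RestMethod -Uri "https://pam.example.internal/api/secrets" -Credential $cred
"""


def scan_script(text: str) -> list[dict]:
    """Return one finding per (line, rule) match, with the secret redacted so the
    finding itself can be filed in a ticket without leaking the credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):      # skip whole-line comments
            continue
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                redacted = line[:m.start("secret")] + "***" + line[m.end("secret"):]
                findings.append({"line": lineno, "rule": name, "text": redacted.strip()})
    return findings


if __name__ == "__main__":
    for f in scan_script(VULNERABLE_SCRIPT):
        print(f"line {f['line']:>3}  {f['rule']:<28} {f['text']}")
    print("hardened script findings:", scan_script(HARDENED_SCRIPT))
```

Run it over a directory of `.ps1` files from a shared scripts location and the rules above will catch the two most common shapes: a secret assigned to a variable whose name gives it away, and a plaintext literal fed to `ConvertTo-SecureString -AsPlainText`. They will not catch a password that is base64-encoded or split across variables, which is why the real fix is the hardened form (a vault lookup at run time) rather than a cleverer regex.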

Adequately preparing companies is a big challenge, made harder by the fact that most bug bounty schemes, which pay hackers for disclosing how they broke into systems, exclude social engineering. Uber’s own program explicitly declared social engineering “out of scope,” leaving the hacker no incentive (at least, no monetary incentive) to share details of their exploit with Uber before going public.

JC Carruthers, president of Snowfensive, a cybersecurity firm that offers social engineering assessments, told The Verge that excluding social engineering attacks from bug bounty programs is standard procedure, as to do otherwise would incentivize attackers to target employees.

“The target isn’t an IP address or endpoint — it’s a human,” Carruthers said. “From an organization’s perspective, they are authorizing the bounty hunter to test a person for whom they might not have legal authority, or there may be ethical concerns.”

Harder still than the ethical question is that the problem resists a fix. A software vulnerability can be patched once it’s disclosed, but knowing that a company’s employees can be fooled by a particular kind of request leaves security executives with few options.

“The most significant reason organizations don’t include social engineering in their bug bounty program is because they know a social engineering attack will work,” Carruthers said.


Generally, companies try to prepare their staff with phishing simulations and social engineering assessments, often grouped under “red teaming”: hiring a security firm to try to compromise employees with phishing emails, text messages, or similar tactics and then report on what to improve. The strategy undoubtedly improves security, but ethical constraints mean it may fail to emulate the deviousness and persistence of real-world social engineering.

As for prevention, authentication can be improved by requiring physical security keys to log on rather than app-based push approvals. Keys that implement the FIDO2/WebAuthn standard bind each login to the legitimate site’s origin, so a prompt triggered from a lookalike site or an out-of-band “please approve” message yields nothing an attacker can replay, and there is no approve button for a worn-down employee to press. In one positive example, Cloudflare was recently targeted by a sophisticated phishing scam but minimized the impact because its staff authenticated with such hardware keys. In the case of the attack on Uber, had the targeted employee been issued a security key, and had the VPN accepted it as the only second factor rather than alongside push approval as a fallback, the hacker could not have breached the VPN without physical access to either the key or the employee’s machine.
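To make the origin binding concrete, the example below performs the origin and RP-ID checks that a WebAuthn relying party applies to a login assertion. It is an added illustration, not Cloudflare’s or Uber’s code; the VPN portal `vpn.example.com`, the lookalike domain, and the assertion bytes are all constructed. A real verification ends with checking the key’s signature over `authenticatorData || SHA-256(clientDataJSON)` against the public key registered at enrolment; that step is left out here because it needs an ECDSA library, and it is that signature which makes the fields checked below tamper-proof rather than mere JSON.

```python
"""Why a FIDO2/WebAuthn security key resists the push-approval trick.

Added example, not Cloudflare's or Uber's code. It performs the origin and
RP-ID binding checks a relying party (here a hypothetical VPN portal at
vpn.example.com) makes on a WebAuthn assertion. The assertion bytes are
constructed; the signature check over authenticatorData || SHA-256(clientDataJSON)
is omitted because it needs an ECDSA library.
"""
import base64
import hashlib
import json
import os

RP_ID = "vpn.example.com"                      # hypothetical relying party
ALLOWED_ORIGINS = {"https://vpn.example.com"}  # the only origin the RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_assertion(origin: str, rp_id_seen_by_browser: str, challenge: bytes):
    """Construct what a browser hands back from navigator.credentials.get().
    The browser, not the page, fills in `origin` and hashes the RP ID it
    resolved for that origin; a phishing page cannot override either."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode()
    rp_id_hash = hashlib.sha256(rp_id_seen_by_browser.encode()).digest()
    flags = b"\x01"                        # UP (user present) bit set
    sign_count = (42).to_bytes(4, "big")   # constructed counter value
    authenticator_data = rp_id_hash + flags + sign_count
    return client_data, authenticator_data


def check_binding(client_data: bytes, authenticator_data: bytes, expected_challenge: bytes):
    """Origin/RP-ID binding checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the RP's origin"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "binding checks passed; verify the signature next"


def demo():
    challenge = os.urandom(32)   # RP-issued, single use
    # Legitimate login from the real portal.
    cd, ad = build_assertion("https://vpn.example.com", "vpn.example.com", challenge)
    legit = check_binding(cd, ad, challenge)
    # Employee lured to a lookalike site that relays the real RP's challenge.
    # The browser still records the attacker's origin and hashes the attacker's
    # domain as RP ID, because a page may only use RP IDs within its own domain.
    cd, ad = build_assertion("https://vpn-example.com.evil.test", "evil.test", challenge)
    phished = check_binding(cd, ad, challenge)
    return legit, phished


if __name__ == "__main__":
    print(demo())
```

In practice the relay never gets this far: the key only holds a credential scoped to `vpn.example.com`, and the browser will not offer it to `evil.test` at all. Contrast this with a push approval, where the second factor is a yes/no answer that carries no information about which site, or which attacker, asked.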

Ultimately, though, the versatility of social engineering means it’s impossible to completely eliminate the threat.

“When the attack vector is human in nature, you can’t simply patch it,” Carruthers says.
