Social Engineering: How I Got Hacked
Social engineering, or the malicious practice of psychological manipulation to fool users into clicking false links and sharing confidential data online, can happen to anyone. In fact, it happened to me, despite all of the knowledge I’ve gained working for years in cyber security.
My Social Engineering Story
My teenage son plays varsity soccer for his local high school team. As fans of our son and “the beautiful game,” my wife and I do our best to attend all his matches. On a recent Saturday, his team played a tournament in a town roughly 200 miles away, but unfortunately other commitments that day prevented us from traveling to see his match in person.
If there’s a silver lining to the past 2 years, in part it’s the emergence of hybrid engagement, and in this case specifically, the live streaming of high school sports. Born out of necessity, it’s really been a wonderful option for out-of-town friends/family, snowbird grandparents, and anyone else unable to attend prep sports in person.
But, in our part of the country and particularly for smaller schools in rural areas, the technology and infrastructure needed to stream live sports can be hit or miss. Some games are streamed, and some are not. For those that are, often the links to view these streams aren’t available ahead of time and so it can become a mad scramble at game time to find and share the link.
As many of you can attest, for all of their wonderful qualities, teenagers can be an inconsistent source of information about the things going on in their lives. Our son’s coaches and team parents use a social platform called “TeamSnap” to communicate throughout the season.
TeamSnap has been embraced as an invaluable resource for coaches, players and families. The feed includes practice times, schedule changes, team activities and in-game scoring updates for folks unable to attend the live match. On this particular Saturday, anticipating that the game wouldn’t be streamed based on its location, and finding no reference to the game stream on the athletic conference or school website, we were pleasantly surprised when Nick’s dad, Brent (names changed to protect the innocent) posted to TeamSnap,
“Found the link to the live stream!”
He shared the link and added,
“3 minutes to kickoff!”
Having previously resigned ourselves to following text updates from parents at the game, we were thrilled! We rushed to click the link and start the stream. The link resolved to a YouTube channel for streaming high school sports. Multiple streams were available, including one with the names and logos of our son’s team and their opponent, the date and start time of the match, etc. The channel had a paywall and offered a streaming pass to the match for $1. We quickly reviewed the paywall information as we glanced back to TeamSnap.
Messages were flying in from other team parents…
“Thanks for the link, Brent!”
“Great job finding the link!”
“So glad the game is streamed!”
“Go Eagles!”
The stream had started and we were missing the match. I rushed back to YouTube, clicked the paywall link and entered my credit card info. The order process was smooth and simple.
“Jack scored! Eagles 1 – Huskies 0!” TeamSnap chirped.
Moments later, an order confirmation email arrived with a link to the stream. Woo hooo! One more click and we’d be streaming!
CLICK!
What happened next was the first indication something was wrong. The link in the confirmation email didn’t resolve to a live event stream, or even to YouTube. Instead, we landed at “major-muscles.com” where a banner on the page thanked us for our subscription and informed us that as new subscribers, our credit card would be charged $59.99 per month.
Moments later, my smartphone buzzed with a text message from our bank…
FRAUD ALERT
The realization hit me like a brick.
Shock. Disbelief. Disgust. Embarrassment. The feelings came all at once and then continued in waves for days afterwards. As someone who has worked in the tech industry for more than 25 years, who has studied and tested and written and evangelized about cyber security, the threat landscape and the importance of security awareness training and vigilance, I’d been hacked. But more accurately, I’d hacked myself.
I felt sick. TeamSnap was a space I thought was safe. It was comfortable and familiar. I cared about and wanted what was being offered. I knew the people there and they’d provided information and links which had been 100% credible in the past. There was a sense of urgency…we’d already missed the kickoff. So, I did what it seemed that others were doing safely and successfully. I never even questioned it. I got caught up in that moment and I’d like to tell you that I let my guard down, but the reality is: it was never up in the first place.
And that’s how social engineering works; that’s why social engineering works.
My self-imposed penance for this lapse in cyber-discretion is to share my story here in the hopes it could help you or someone else. What happened to me was unfortunate, inconvenient and embarrassing; but it could have been much worse. The same is true for five other team parents, including Brent… the original “sharer” of a link he located with a simple Google search.
But we were lucky. Our moment of cyber-indiscretion came outside of work and with personal info rather than company or customer resources. We each lost a few hours of time working with our respective financial institutions to cancel our credit cards and have new cards issued. There was the minor inconvenience of being without a card for a few days, and the time spent updating our mobile payment wallets and various services which were auto paid with that card. It could have been so much worse.
What Did I Learn From this Experience?
- Urgency and the notion of missed opportunity, whether real or just perceived, are threats to perspective and objectivity. It’s easier to make a bad decision under pressure.
- Take a hard and deliberate pause each time you share personal information.
- Sharing sensitive information such as your address, phone number, family members’ names, car information, passwords, work history, credit status, social security numbers, birth date, school names, passport information, driver’s license numbers, insurance policy numbers, loan numbers, credit/debit card numbers, PIN numbers and bank account information is risky and should be avoided.
- Social networks are every bit as dangerous as any other place in the metaverse. Ignore or forget that and they are every bit the most dangerous place in the metaverse.
P.S. I want to be super clear that I still use TeamSnap (and will continue to). The platform serves its purpose admirably, but it cannot protect me from myself. The responsibility for what happened is 100% mine. I’m glad the universe provided me with an opportunity to learn about Social Engineering firsthand and that what I learned didn’t cost me more than it did. Have fun and be careful out there!
By Chris Dean
Christopher Dean is the General Manager of ACP’s Eau Claire location. With a background in science education, he has over 25 years of experience in business development, operations and executive management in the technology industry. https://www.linkedin.com/in/crdean/