Date: 2022-09-21

“There is a guaranteed weakness in any security system: the human heart.” The sentence in question was spoken by CJ, protagonist of GTA San Andreas, in 2004, but it still serves as a lesson for companies like Rockstar Games, the game’s developer. The interactive entertainment giant suffered a major hack recently, with the leak of GTA 6, in which the human factor was possibly the main vulnerability.

Besides Rockstar, another big company, Uber, was also breached recently, and the perpetrator of both attacks could be as young as 16 years old. But how did a young man gain access to the files of billionaire multinationals? Apparently, the cybercriminal’s main weapon was social engineering.

A very old and rudimentary concept in digital security, social engineering does not need high-tech equipment or advanced knowledge to carry out attacks. The method relies on manipulating human beings to gain an advantage, access systems and gain privileges to do greater damage.

Manipulation and naivety are the main ingredients of social engineering attacks

“Scams based on social engineering are built around how people think and act,” explains security firm Kaspersky. “Once an attacker understands what motivates a user’s actions, they can effectively trick and manipulate them.”

Like pre-internet scams, social engineering hackers craft narratives to engage the victim and trick them. Whether it’s an email pretending to be the boss asking for data or a “supermodel” texting you about work, the attack can come at any time.

The weak link

According to statements by Uber and Rockstar, the companies suffered a social engineering attack that targeted employees to gain a Slack login. The messaging app, which works in the same way as Microsoft Teams, has an interface similar to Discord and is used by companies for remote work.

In a statement sent to TecMundo, Slack said it is investigating incidents involving Uber and Take-Two, which owns Rockstar, but the company says it has not found evidence of a vulnerability in its services, software or hardware security: hackers took advantage of the naivety of company employees to gain privileged access.

Hackers took advantage of employees’ naivety to gain privileged access

With the pandemic and the growth of the home office, platforms like Slack have become an essential part of the daily lives of many employees, which ends up creating security gaps. Now, sensitive materials that would otherwise be kept offline, such as GTA 6 gameplay videos, are shared on online platforms to facilitate the development routine.

So, with just one access credential obtained via social engineering, hackers can get hold of a huge amount of data. In Rockstar’s case, around 3GB of details about the game were obtained and released, in addition to the alleged source code of GTA V and GTA 6, causing a major problem for Rockstar.

According to William Bergamo, co-founder and VP of New Business at e-Safer, some companies are still not seriously dealing with the dangers brought by the home office in digital security. “The issue of remote work in terms of information security represents a great challenge that unfortunately has still been neglected by many companies, regardless of size”.

According to the expert, remote work leaves the employee and their data out of a minimally controlled environment, which facilitates information theft. And even if just one login is stolen, the damage can be massive, as recent Rockstar and Uber cases show.

Protection from social engineering

While antivirus software can block malware, social engineering protection requires deeper and more dedicated preparation from companies and employees. “It is extremely important to have an information security policy, to promote awareness campaigns followed by evaluative training for these trainings”, explains Bergamo.

In addition to raising employee awareness, the e-Safer executive recommends that companies segment access and apply “zero trust” policies. That way, if one employee is compromised, the entire business data chain is not affected.

Another simple solution that can help protect logins is classic two-factor authentication. Whether with a dedicated application or a simple email or text message, the solution adds an extra layer of protection, as long as you don’t share the information with the hacker.

Finally, employees should stay alert to possible strange behavior, from emails that seem suspicious to links that may contain fake forms. Since the human being is the weak point in social engineering attacks, it pays to stay attentive to avoid becoming a victim.