13 November 2012 20:58:00 AEDT

Coca-Cola hacked by simple social engineering (Bloomberg)

Recently, Bloomberg revealed the details of how a Coca-Cola executive fell for a hacker's email, leading to a series of corporate data breaches in 2009. As Jordan Robertson explains, the email and subsequent breaches really aren't that sophisticated, illustrating just how powerful social engineering can be.

In the annals of what-was-I-thinking moments in computer security, this has to be one of the most gobsmacking.

According to a Bloomberg News investigation of a series of undisclosed corporate data breaches, Coca-Cola was deeply penetrated by hackers in 2009 in what started with an e-mail with this subject line:

“Save power is save money! (from CEO)”

The message landed in executive Paul Etchells’s inbox on Feb. 16, 2009, according to a document obtained by Bloomberg.

The e-mail seems preposterous on its face, but the fact it appeared to come from a legal executive at the company — and at a time that Coca-Cola was pushing energy-saving measures — led Etchells to open it and click on a link that purported to lead to a message from the chief executive officer, according to the report. That kicked off a chain reaction that allowed the hackers to burrow into Coca-Cola’s network, seeking specific information about a major upcoming acquisition of a Chinese firm, a deal that later fell apart.

The example was one of several involving serious corporate intrusions where the hackers sought information on upcoming business deals. Companies rarely disclose how their systems are breached, so details about the e-mail that fooled Etchells offer a rare look at how even sophisticated attackers — which these clearly were — sometimes resort to highly unsophisticated techniques and are still successful.

Many advanced threats begin the way Coca-Cola’s did, illustrating a growing danger that companies face in protecting their networks.

Read the full article on Bloomberg's blog>>