John McAfee spoofs a call to Stuart Varney's BlackBerry

Jan 9, 2015 15:52 GMT

During a television show on Fox, the BlackBerry phone of Stuart Varney was hacked and the host received two spoofed calls that could have tricked him into revealing sensitive information about the company computer network.

Fortunately, this was all part of a demonstration (video available below) and the hacker was none other than John McAfee, founder of the McAfee antivirus company, which is currently part of the security division of Intel Corporation.

Caller ID shows a legitimate caller

Varney asked McAfee to show how a phone can be used by an attacker to gain access to the systems of a company.

The method chosen by the “hacker” was to spoof the caller ID to make the recipient think the call was coming from someone in their contact list. Before placing the call, McAfee said that he gained access to Varney’s list of contacts stored on his BlackBerry device in order to look for a high-profile company number that would make the trick more believable.

“The first thing I’m going to do is I’m going to call into your voicemail system, hack into your voicemail, and the voicemail system is going to call you.” At this stage of the demo attack, McAfee said that he had already gained access to the contact list and was searching for “something that says Fox Headquarters, Chairman of Fox News” so that he could spoof their number.

Social engineering may be the most difficult part of the trick

Once this was achieved, tricking the recipient of the call was just a matter of social engineering. McAfee said that he would pretend to be an FBI agent (he used the name Zaphod Beeblebrox from The Hitchhiker's Guide to the Galaxy) and would tell the victim that a major security breach had occurred and that the Bureau was in control of the company’s communications system.

For verification purposes, the victim would be asked for the current log-in credentials to a sensitive network area. The same type of call would be placed to multiple individuals in the targeted organization in order to achieve a higher rate of success.

As soon as the username and password were handed over, the attacker would log in and start downloading information pertinent to their purposes.

The entire demonstration was meant to point out a possible method of intrusion used by the Guardians of Peace hackers in the attack against Sony Pictures Entertainment.

Watch the latest video at video.foxbusiness.com
