How a teenage hacker allegedly managed to breach both Uber and Rockstar Games
Rockstar Games – the developer of the popular Grand Theft Auto series of video games – was hacked just days after the giant Uber’s servers were targeted in a similar breach, allegedly by the same hacker. The hacker used a process called social engineering, a highly effective method of attack that depends on deceiving employees of a targeted company and can be difficult to protect against.
As in the Uber hack, the hacker, who goes by the alias “TeaPot”, claimed to have gained access to Rockstar Games’ internal Slack messages and early code for its unannounced Grand Theft Auto sequel by obtaining an employee’s login information.
Although the exact details of the Rockstar breach are unclear, in Uber’s case the hacker claimed to have posed as an IT person at the company and convinced an employee to share their login information.
Unlike other attack methods that rely on flaws in a company’s security architecture, social engineering targets people and relies on manipulation and deception.
Experts claim that humans remain the “weakest link” in online security, as they can easily be tricked into clicking on malicious links or sharing their login details.
Unlike other methods, social engineering is also effective at defeating certain enhanced security measures such as one-time passwords and other multi-factor authentication methods.
Rachel Tobac, CEO of cybersecurity firm SocialProof Security and an expert in social engineering, tweeted: “The hard truth is that most [organizations] in the world could be hacked in exactly the same way that Uber was just hacked … Many [organizations] still do not use [Multi Factor Authentication] internally … and don’t use password managers (which leads to storing credentials in easily searchable places when an intruder gets in).”
Social engineering has been used to carry out several high-profile hacks in recent years, including the hijacking of more than 100 prominent Twitter accounts – among them Elon Musk, former President Barack Obama, Bill Gates and Kanye West – which were then used to promote a bitcoin scam. The hacks were carried out by teenagers who managed to gain access to Twitter’s internal network by targeting “a small number of employees,” according to the social media company.
Last month, both Cloudflare and Twilio were also targeted in a type of social engineering attack called “phishing”, in which employees were tricked into opening a message that was disguised to appear as legitimate corporate communication but included a malicious link. Twilio, which provides messaging and two-factor authentication services, revealed that the hackers had managed to breach the company’s internal databases and gained access to an undisclosed number of customer accounts. Cloudflare, an online content delivery network, noted that the hackers did not gain access to its internal network.
Unlike Twilio, Uber and Rockstar, which had their internal systems breached, Cloudflare was able to avoid this fate due to its use of hardware-based security keys. Compared with other multi-factor authentication methods such as text messages and one-time passwords, hardware security keys are much more secure against social engineering attacks. A targeted employee can be tricked into sharing the contents of a text message or a one-time password, but the hacker must gain physical possession of a hardware security key to gain access to an account. Hardware security keys come in various forms, including USB sticks and Bluetooth dongles, and they need to be plugged into or connected to the device trying to access a protected account. Hackers who obtain employee credentials will not be able to access accounts that use this form of security without physically gaining access to the keys. In 2018, Google announced that none of its 85,000 employees had been targeted through a phishing attack after it mandated the use of physical security keys a year earlier.
323,972. That’s the total number of complaints about social engineering attacks received by the FBI in 2021 — nearly three times what it was in 2019 — according to the agency’s annual Internet Crime Report. During this period, hackers managed to steal a total of $2.4 billion by compromising corporate email accounts through social engineering techniques.
What you should look for
Bloomberg’s Jason Schreier speculated that the recent hack may prompt Rockstar to set restrictions on remote work. Cybersecurity experts have previously argued that telecommuting may require more precautions, as it leaves employees more vulnerable to attacks by social engineers.