In cyberattacks, hacking humans is highly effective way to access systems

Temmingh demonstrated Maltego’s utility not long ago by looking for a person to target at Fort Meade, home to the super-secret NSA. He typed in Fort Meade’s latitude and longitude and searched for Twitter users. In a couple of steps, Maltego quickly delivered the name of a person who tweeted at the Fort Meade location.

With that, Maltego searched MySpace, a dating Web site and other resources to build a rich profile: a young Army private who served in South Korea, likes to smoke and drink, divorced and looking for a “serious relationship.” She likes Harry Potter movies and “The Cosby Show.” Maltego also turned up her name, address and birthdate.

Building a tool kit

In 2009, David Kennedy began digging deep into corporate security for a Fortune 1000 company as a penetration tester, identifying flaws that hackers could exploit. He wanted to know whether employees could be duped into clicking on unknown documents or handing over confidential information over the phone. Most of them could.

Kennedy concluded that social engineering was “the next biggest attack vector.” He teamed up with a nonprofit organization called Social-Engineer.org to develop products that would make security testing more effective.

The result is known as the Social Engineering Toolkit. Its many applications can identify targets and deliver attack payloads, secretly, like digital stealth missiles. The tool kit also provides ready-made code for attacks.

In an irony of the digital age, the same tools are available for free to attackers.

“Can a bad guy take all this and get better? Sure. . . . But that is not the intended goal,” said Chris Hadnagy a founder of ­Social-Engineer.org and author of the book “Social Engineering: The Art of Human Hacking.” “What we are doing is trying to weaponize people to be protected against this threat.”

Kennedy described one effective approach involving a tool that creates instant copies of real Web pages and embeds them with malicious code. In an e-mail, the attacker could pose as an executive of a company, seeking help from an IT department employee. The attacker has studied the employee and knows he is new to the company and probably eager to please his superiors.

In a phone call that appears to be coming from within the company, the attacker asks the IT staffer why a certain Web page won’t open. The attacker directs the staffer to the bogus Web page. The intrusion occurs the moment the IT staffer visits the page.

“I find that leveraging human compassion is generally the best way to gain what I want,” Kennedy, now president of TrustedSec, said in a recent seminar.

A tailor-made attack

The current intrusion campaign began in December, possibly earlier. That’s when analysts think the attacks first started against gas pipeline company executives. With some study, it became clear that the e-mails were part of a sophisticated campaign. Only certain executives were singled out for attention. The e-mails were tailored to them.

The attackers were relentless, launching e-mails on at least 13 days. They also were creative. Attached to the e-mails were documents covering a variety of subjects that might be of interest to the executives: the U.S. debt crisis, Adobe updates, iTunes help and an analysis of the presidential election.