UPDATE (9/20/22): Uber has issued a statement citing the ransomware hacking group, Lapsus$, as potential perpetrators of the attack.
Uber announced yesterday that it had taken many of its internal communications channels and engineering systems offline after an anonymous individual gained access to a large volume of secure data that purportedly includes emails, cloud storage, and coding repositories. The still unknown person claiming responsibility has since provided screenshots of their work as proof to both The New York Times and a security engineer at Yuga Labs. The screenshots revealed that they gained their stunningly comprehensive and potentially devastating entry into Uber’s inner workings using one of the simplest, oldest tricks in the book: Simply put, they duped an Uber employee into giving them their password.
The more official term used in the cybersecurity world is “social engineering,” which LSU’s IT Security and Policy Office defines as whenever bad actors use “human interaction (social skills) to obtain or compromise information about an organization or its computer systems.” In this case, The NY Times reports, the individual sent a text message to an Uber employee claiming to be an IT officer, and was able to persuade them to hand over their password.
From there, they gained entry into Uber’s systems and took over a worker’s Slack profile to post the (admirably) straightforward update: “I announce I am a hacker and Uber has suffered a data breach.” They then went on to argue that Uber drivers should receive higher pay. The NY Times also notes the hacker gained access to even more systems from there, and went so far as to post an “explicit photo” on an internal employee information page.
Although the public often associates hacks with complex cyberattacks utilizing inscrutable programming languages, the vast majority boil down to these relatively simple social engineering and phishing scams. One report indicates only three percent of all malware tries to exploit technical issues, while the remaining 97 percent are simply social engineering ploys. In 2020, similar strategies were employed by teens to successfully gain access to Twitter’s servers, with others employing social engineering while attacking Microsoft earlier this year.
It’s unclear where this latest social engineering saga will end, although one security expert speaking with The NY Times surmises, “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life.” Earlier this afternoon, Uber posted an update to Twitter informing consumers that there doesn’t appear to be any compromise to users’ sensitive data, such as trip information and routes. Additionally, the company states that the internal software taken down yesterday is slowly coming back online today. In any case, it’s a solid reminder to double-check the identity of whoever sends that next random text you get from your “boss” or “IT coworker.”