This white-hat hacker catfished a bunch of defense information security experts
One day Thomas Ryan, who worked as a white-hat hacker and cyber security analyst, created an entire social media background and history for Robin Sage, an attractive 25-year-old girl who claimed to be a cyber threat analyst at the Naval Network Warfare Command in Norfolk, Virginia.
Her Twitter bio read: “Sorry to say, I’m not a Green Beret! Just a cute girl stopping by to say hey! My life is about info sec all the way!”
“Robin” had remarkable credentials for a 25-year-old woman. She was a graduate of MIT with a decade of experience in cybersecurity, and she knew how to network very effectively. Ryan purposely chose a relatively attractive woman because he wanted to show how sex and appearance play into trust and willingness to connect. He pulled the photo from an amateur porn site, looking for someone who didn’t look American.
Robin added 300 friends, among them people from military intelligence, defense contractors, and other security specialists. She also connected on LinkedIn with people working for a former Chairman of the Joint Chiefs of Staff and at the National Reconnaissance Office, the U.S. spy satellite agency. The most vital information was leaked through LinkedIn.
She duped men and women alike (but mostly men) without showing any real biographical information. Within two months’ time (December 2009 to January 2010), she acquired access to email accounts (one NRO contractor posted information on social media that revealed the answers to the security questions on his personal e-mail), home addresses, family information, and bank accounts. She learned the locations of secret military installations and was able to determine their missions. She received documents to review, she was invited to speak at conferences, and she was even offered consulting work at Google and Lockheed.
There were many red flags, especially the claim to have worked in infosec since age 15. Her job title didn’t exist. Her online identity could only be traced back 30 days. Her name is taken from a U.S. Army training exercise. Ryan says some in the infosec community were skeptical and tried to verify her identity, but no real alerts were raised about just how deceptive the Robin Sage profile really was, and so this greatest example of “fake it ’til you make it” went on as Robin continued to win friends and influence people. This exercise was not popular with everyone in the infosec community.
Ryan wrote a paper, called “Getting in Bed With Robin Sage,” which described how the seemingly harmless details in social media posts were as damaging as the information given to her freely by those who sought her opinion. Robin Sage was more successful at networking and getting job offers than any recent college graduate I’ve ever heard of.
The only agencies with people who never took the bait were the FBI and the CIA. Ryan told the Guardian, “The big takeaway is not to befriend anybody unless you really know who they are.”