The Robin Sage story broke in early July and I am late in getting to it. I was going to skip it, but it’s such a good story, I wanted to note it. The Dark Reading version is quite detailed.
The key though is straightforward – people accepted invitations from someone they did not know. It’s that simple. This is a type of “inside-out,” social engineering attack vector which has become the primary method of cyber criminals. Why bother with the traditional “outside-in” attack on network device or endpoint software vulnerabilities when all you need to do is lure the victim to a malware-laden web page.
Running a Robin Sage type of “experiment” in your organization should be part of your security awareness training program.