Social Hacking to Get Corporate Secrets
Social Hacking to Get Corporate Secrets
Cyber espionage isn't the only way companies are hacked

GATINEAU, Que.—Being a spy is lonely, even if your teenage daughter thinks it’s pretty cool, which Brian O’Shea’s does.

O’Shea heads up Striker-Pierce, a boutique agency that carries out legal, if morally questionable, industrial intelligence. Some people would call him an industrial spy. He’s trying to change his stripes though. It gets tiring he said, always wearing a friendly face while harbouring malignant intentions.

It might take some time, however. Business is good. In a world where cyber security has become an overriding priority, old-fashioned manipulation has become easier than ever.

“Almost nobody is paying attention to the kind of work we are doing,” said O’Shea.

It’s called social hacking these days, it sells better.

O’Shea capitalizes on kindness, taking advantage of people’s desire to trust or be polite. Scandinavians and Canadians are easy marks on that latter point, he said. It makes us feel compelled to answer questions, even when we shouldn’t.

“We want them to talk to us. It is almost like a seduction process,” O’Shea explained during a presentation at the International Conference on Corporate Espionage and Industrial Security held at the Hilton Hotel in Gatineau on Monday, Dec. 1.

Posing as a potential customer, an owner of an industry consulting firm, or some other persona, O’Shea and his team carry out “aggressive strategic competitive intelligence collection.” That’s industrial spy jargon for duping competitors into answering key questions for paying clients.

Sometimes it helps companies figure out how their competitors cultivate clients, or provides detailed pricing so they can better market competing products.

O’Shea once tricked an Australian company into demonstrating a product at the heart of a patent dispute. The company lost millions when O’Shea’s client was able to use that demonstration against the company and win their case.

For O’Shea, industry conferences offer up “fish in a barrel.”

He specializes in duping people, like self-centred millennials, a favourite target. Tell them how important they are, make them the centre of attention, and they’ll tell you everything. He calls it social engineering.

For instance, he might ask them to send him publicly available PDFs on the company website, saying his computer has a problem downloading them. It’s nothing illegal, but it trains the mark to download and email company documents.

In a meeting later, O’Shea will accidentally drop an envelope on the ground that is labelled “classified.” The mark will pick it up and pass it to him, a subtle cue to pass him classified information. It’s grooming, and O’Shea is an expert.

It’s the kind of work that IT geeks flounder at. Engineers are straightforward. They specialize in the quantifiable, the specific. This is the nebulous world of manipulation and seduction. Some of O’Shea’s best investigators are former models.

Change of Heart

When O’Shea was young, it was all fun and games. Tricks. Now it’s started to wear thin, he said. Too often he finds himself liking his marks better than his clients. The romance is gone.

“Deception for me was always a necessary tool,” he said. Eventually though, it left him feeling ill.

Now, O’Shea is trying to make an ethical pivot. He wants to tell others how to protect themselves from being duped.

It’s a relatively recent change of heart, an awakening of sorts that began a few weeks ago when he spoke at the Human Rights Foundation conference in NYC, advising freedom fighters and human rights activists about how to protect themselves from the very techniques he employed for the corporate world.

Many foreign governments spy on civil groups, collecting intelligence on their diaspora and working to pre-empt activist activities. Citizen Lab, an interdisciplinary research laboratory based at the University of Toronto’s Munk School of Global Affairs, last month released a report detailing how civil groups involved in human rights were suffering ongoing cyber attacks from repressive regimes.

O’Shea is working to sell more breach tests, hacking companies on their own behalf to identify weaknesses. He sees that as a good place to start, hoping to get more work in that field.

O’Shea is sanguine about his prospects of taking his underhanded, if legal talents in a new direction. He’s looking forward to a time when he can make a living just by being himself.

× close
Top