I Can Attack You Because I Know Way Too Much About You

Attackers use online footprints to develop targeting profiles of executives and other employees based on open-source data. From social media to data scraping aggregators, personal information is available to virtually anyone in the world for minimal cost. And people today have developed a tendency to voluntarily advertise massive amounts of information about themselves on social media with the goal of making themselves more accessible to those around them.

However, using social media, an attacker can often draw a fairly concise picture of an individual, determining relationships and preferences, and can sketch rudimentary organization charts: which managers report to which executives, who might report to those managers, and so on down the chain. If the attacker can find (or simply guess) a sample email address from the company, he or she can then launch an impersonation campaign with the goal of extracting sensitive data.

Phishing Expeditions: Attacks Can Take Many Forms Using the Same Information

This kind of campaign can take multiple forms, with spearphishing and whaling being among the most common.

Spearphishing is the act of targeting specific employees with the goal of either extracting information or enabling an entry point into the network through that employee’s device. The attacker will often employ the tried-and-true technique of impersonating a coworker (whether more senior or more junior) or a personal acquaintance in order to catch the victim off guard and lower their inhibitions about clicking something unknown.

However, if one technique doesn’t work, the attacker will switch to another. In fact, attackers will often employ multiple techniques concurrently and in tandem with one another in the hope that at least one of them works. Since any single attack vector in social engineering stands a relatively low chance of succeeding, employing multiple attack vectors simultaneously against multiple targets not only increases the attacker’s possibility of success, but also allows him or her to incrementally gain information that can then be used against other targets.

For example, if an attacker identifies both an executive and a department head who sits in a different location, the attacker may send an email to that department head with a task or request and then, upon learning the reply, use that information in an email directly against the executive.

Whaling, on the other hand, directly targets senior leadership. The attacker may impersonate a lower-level employee, trusted assistant, or even personal acquaintance to gain access to the leader’s device and then extract information, implant spyware, or establish a backdoor through which he or she can compromise larger sections of the network.

Aside from whaling, senior leadership who maintain robust digital footprints also expose themselves to myriad other threats, namely extortion and blackmail. Savvy attackers can easily deduce important personal information about an individual even if that individual maintains only a modicum of online presence, and all the more so from a robust online profile.

How Can I Protect My Organization and Its People?

How does an organization protect itself against these attacks? The first line of defense is simply knowing what information an attacker may find, as well as what the attacker may be able to glean from that information. For instance, general job titles for several members of an organization can tell an attacker who does what, but specific job titles for those same individuals can often assist the attacker in identifying each individual’s seniority, as well as who reports to whom.

Once this information is identified, the organization can determine whether it is benign or should be removed or altered. While the job histories of two executives may be perfectly benign, a photo of their children playing on the same school’s sports teams, posted to a linked spouse’s account, can potentially tell an attacker many things about both individuals and open the door to highly devastating attacks.

Using DigitalStakeout’s Web Presence Search tool Canvass, a security team should identify the digital footprints of both the organization and its personnel to quickly establish a baseline awareness of what opportunity space an attacker has. With Web Presence Monitor, the team should deploy the monitor to detect any changes to this footprint and quickly understand who is responsible for the change in presence. Security teams should deploy Social Media Monitor to understand personal exposure and networks, both among their accounts and with connected individuals that may be surreptitiously siphoning off information about the victim.