Recently, the Black Hat Briefings and DEF CON hacking conferences both took place in Las Vegas, Nevada. Both annual conferences bring together leaders from different sectors to discuss emerging cybersecurity issues. Over the past few weeks, Accellis has dug into the conference findings to examine how these new insights will affect the cybersecurity landscape. Today we present our last takeaway.
How Social Media Can Hurt
An old-school practice resurfaced at one of the biggest cybersecurity conferences in the country. In an age of posting thoughts, experiences, and random facts about yourself online, cybercriminals can and always have used this information against you. With free online tools and plain Google searching, cybercriminals can create custom, convincing phishing attacks. In fact, anyone could easily exploit the information available to phish a target, and it all starts with a company name. With that one piece of information plugged into free tools, an attacker can build a profile of the target.
Using platforms such as Facebook, Twitter, and LinkedIn, the attacker learns more about the person. A little research turns up the person’s job and the locations they frequent most often. And we are not talking about websites, but real physical locations.
For example, like many Facebook users, Joe Smith does not think twice before “checking in” at the five-star steakhouse where he eats with his family every Sunday. An attacker can use this data against Joe with a spoofed email that “thanks” the Smith family for their visit. With that detail, the attacker can craft the perfect subject line to get Joe to open the email and download an attachment.
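The “thank you for visiting” email above is convincing because its content matches Joe’s real life, so the useful checks are on the envelope rather than the story. The following script is an added example, not code from the original post: it triages a constructed message of that kind using only Python’s standard library, flagging a Reply-To or Return-Path domain that differs from the From domain, a From domain that is not the business’s known domain (the `known_domains` set is an assumption you would fill in yourself), and a macro-enabled or executable attachment. The restaurant name, addresses, and domains are made up for the example.

```python
"""Triage a suspected "thanks for dining with us" phishing email.

Added example, not from the original post. Sample messages, names and
domains below are constructed; known_domains is an assumed allow-list
you would maintain for businesses you actually deal with.
"""
import os
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# File types that commonly carry macros or executables; treat as high risk.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".exe", ".scr", ".js",
                    ".vbs", ".hta", ".lnk", ".iso"}

# Constructed spoof: display name matches the steakhouse, but the sending,
# reply and bounce domains are all attacker-controlled lookalikes.
SPOOFED_EMAIL = b"""\
From: "Prime Cut Steakhouse" <reservations@primecut-steakhouse-rewards.com>
Reply-To: billing@mail-rewards-center.net
Return-Path: <bounce@mail-rewards-center.net>
To: joe.smith@example-lawfirm.com
Subject: Thank you, Smith family, for dining with us Sunday!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi Joe, thanks for joining us Sunday. Your loyalty statement is attached.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="Loyalty_Statement.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""

# Constructed legitimate message from the restaurant's real (assumed) domain.
LEGIT_EMAIL = b"""\
From: "Prime Cut Steakhouse" <reservations@primecutsteakhouse.com>
Return-Path: <bounce@primecutsteakhouse.com>
To: joe.smith@example-lawfirm.com
Subject: Thanks for dining with us, Joe
Content-Type: text/plain; charset="utf-8"

See you next Sunday!
"""


def domain_of(header_value) -> str:
    """Lower-cased domain of the address in a header value ('' if none)."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def triage(raw: bytes, known_domains=frozenset()) -> list:
    """Return the reasons a message looks spoofed; an empty list means no flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = domain_of(msg.get("From"))
    flags = []

    # A reply or bounce address on a different domain than the visible sender
    # is the classic sign of a spoofed "From".
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            flags.append(f"{hdr} domain {dom} does not match From domain {from_dom}")

    # Lookalike domains pass the eye test; an allow-list of the business's
    # real domains does not.
    if known_domains and from_dom not in known_domains:
        flags.append(f"From domain {from_dom} is not a known domain for this business")

    # The payload: an attachment type that can run code when opened.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            flags.append(f"attachment {name} has high-risk type {ext}")
    return flags


if __name__ == "__main__":
    known = {"primecutsteakhouse.com"}  # assumed real domain of the restaurant
    for reason in triage(SPOOFED_EMAIL, known):
        print("FLAG:", reason)
    print("legit message flags:", triage(LEGIT_EMAIL, known))
```

Run on the spoofed sample this reports four flags (two header mismatches, the unknown sending domain, and the `.docm` attachment) and none on the legitimate one. The header checks work without any allow-list; the `known_domains` check is what catches a lookalike domain when the attacker bothers to keep Reply-To and Return-Path consistent.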
A while ago we put this theory to the test for a client. With some simple searching and web scraping, we found multiple company and personal email addresses. More searching turned up job titles and roles at different firms. That information alone was enough to build a custom phishing attack. Less than four hours of searching and crafting emails ended with access to two computers on the firm’s network.
Limit What You Post
Simple social media posts and profile updates that reflect a job or an affiliation are all an attacker needs to trick a user into doing something they shouldn’t. As always, be wary of what job information is posted on social media. Personal Facebook or Twitter accounts need not be reachable from a company page or LinkedIn account.
On LinkedIn specifically, limit the personal information on your profile if you are not actively searching for a job. This protects individuals from making themselves and their firm vulnerable to phishing attacks. The safest practice is to be cautious when opening or downloading anything from an unknown source. Remember that nothing posted on the internet is ever private.