In Parts 1 and 2 of this blog series (How Phishers Bait Their Hooks…, and How Attackers Collect Data About Your Employees), we saw how easily employees can be taken in by phishing scams, and how simple it is for attackers to pull together information about specific individuals who work for a particular company.
If attackers want to go after a specific organization but need to know which individuals within that organization to target, then they need to dig through corporate and business records. They can start simply with the ownership records, which are freely available over the web, as in this example:
Publicly traded companies have even more information available online from their SEC filings. Here is an excerpt from a recent 8-K filing from F5 about our new corporate headquarters:
Many corporations that have been around for more than a few years have probably been involved in a lawsuit or three. Attackers can pull those records as well, like this example from the now-defunct Eastern Airlines:
Like the people search databases we saw in Part 2, there are also aggregator search tools for corporations, such as OpenCorporates, that pull together a lot of this information into a single place.
These sources can help attackers build profiles of individuals and department names, which are powerful tools for flavoring their phishing bait. Scanning a company’s website can also give them clues about business partners and affiliates, for which they can repeat all of these searches.
Your Organization’s Internet Presence
Everyone active on the Internet has an IP address, and IP addresses can provide some basic information about where they terminate and who owns them.
Granted, some of this information can be misleading because IP addresses can trace back to the ISP rather than the actual organization. But sometimes attackers get lucky. Most of the time, they can uncover where sites are being hosted and gain some basic information about the company’s network configuration.
In addition to the IP address information, every organization with a domain has domain registration information. Like IP information, for most sizable organizations it’s going to be generic and not reveal much that’s useful. But again, sometimes attackers get lucky.
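The practical question for a defender is whether your own domain registration is one of the "generic" records or one of the "lucky" ones that names a real employee and a personal mailbox. The script below is an added example written for this post, not F5 Labs code or a tool the post describes. It parses the common `Key: Value` WHOIS text layout and flags contact fields that expose a person's name or a non-role e-mail address. The two records are constructed samples; the field names, the role-mailbox list and the redaction phrases are assumptions that you would adjust to match what your registrar actually publishes.

```python
"""Audit domain-registration (WHOIS) records for exposed contact details.

Added example for this post, not F5 Labs code. Both records below are
constructed samples; field names and heuristics are assumptions.
"""

# Constructed sample: registration that names an employee and her personal mailbox.
EXPOSED_RECORD = """\
Domain Name: EXAMPLE-CORP.EXAMPLE
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Street: 123 Example Street
Registrant Email: jane.doe@example-corp.example
Registrant Phone: +1.5555550100
Admin Name: Jane Doe
Admin Email: jane.doe@example-corp.example
Tech Name: IT Helpdesk
Tech Email: hostmaster@example-corp.example
Name Server: NS1.EXAMPLE-CORP.EXAMPLE
"""

# Constructed sample: the same domain behind registrar privacy and role mailboxes.
PROTECTED_RECORD = """\
Domain Name: EXAMPLE-CORP.EXAMPLE
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Corp
Registrant Email: REDACTED FOR PRIVACY
Admin Name: Domain Administrator
Admin Email: domains@example-corp.example
Tech Name: Domain Administrator
Tech Email: hostmaster@example-corp.example
Name Server: NS1.EXAMPLE-CORP.EXAMPLE
"""

# Assumed heuristics: local parts that are shared role mailboxes rather than people,
# phrases registrars use for redacted data, and words that mark a name as a role.
ROLE_LOCALPARTS = {"hostmaster", "domains", "dns", "admin", "postmaster",
                   "abuse", "webmaster", "noc"}
REDACTION_MARKERS = ("redacted", "privacy", "withheld", "data protected",
                     "not disclosed")
ROLE_NAMES = ("administrator", "helpdesk", "help desk", "department", "team")


def parse_whois(text):
    """Parse 'Key: Value' lines into a dict of lists (WHOIS keys may repeat)."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def looks_redacted(value):
    """True when the registrar has replaced the value with a privacy placeholder."""
    lowered = value.lower()
    return any(marker in lowered for marker in REDACTION_MARKERS)


def is_role_name(value):
    """True when the contact name describes a function, not a person."""
    lowered = value.lower()
    return any(role in lowered for role in ROLE_NAMES)


def is_role_mailbox(email):
    """True when the mailbox is a shared role address such as hostmaster@."""
    local_part = email.split("@", 1)[0].lower()
    return local_part in ROLE_LOCALPARTS


def audit_whois(text):
    """Return (field, value) pairs that expose a person's name or personal mailbox."""
    record = parse_whois(text)
    findings = []
    for contact in ("registrant", "admin", "tech"):
        for name in record.get(f"{contact} name", []):
            if not looks_redacted(name) and not is_role_name(name):
                findings.append((f"{contact} name", name))
        for email in record.get(f"{contact} email", []):
            if "@" in email and not looks_redacted(email) and not is_role_mailbox(email):
                findings.append((f"{contact} email", email))
    return findings


if __name__ == "__main__":
    for label, record in (("exposed", EXPOSED_RECORD), ("protected", PROTECTED_RECORD)):
        print(f"{label}: {audit_whois(record)}")
```

Run against the exposed sample, the audit reports the registrant and admin name and e-mail fields (four findings); the protected sample produces none, because every field is either redacted or a role contact. Feeding it the real WHOIS output for your own domains is a cheap way to find the records an attacker would treat as a lucky break and move them behind registrar privacy or a role mailbox.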