If you missed parts 1, 2, 3, and 4 of this blog series, it’s probably worth visiting these links to understand why phishing scams are becoming so rampant. Information about individuals and corporations is readily available and easy to find on the Internet, making it easy for attackers to pull phishing schemes together—and with great success.
None of the bits of information we discussed in previous blogs is particularly dangerous by itself, so most people are not concerned. However, one of the principal tenets of information theory is that each piece of information becomes more valuable as you find more related pieces of information. One bit of low impact information is slightly useful. Two bits of related information makes both more useful. Add three, five, or ten pieces and the value can become inestimable.
What Does a Phisher Need?
Let’s walk through how an attacker can use specific information about individuals and corporations to build a phishing scam. Their first, key objective is to zero in on the correct person within the organization to accept the phishing “hook”. This means finding the names of persons through organizational data research. The attacker’s goal is to identify the people in key positions who have access to the data to be hacked. Barring that, attackers try to find the people who know the people in key positions so they can work their way through the inside network toward the goal. If that doesn’t work, an attacker can also go after individuals at trusted partner or supplier companies, leveraging their relationships and access to find a way in.
Once an attacker identifies the specific individuals, they can psychologically profile them based on their social media postings and affiliations. (In some cases, instead of phishing, an attacker might look for websites that the victim frequents and compromise those sites to plant drive-by downloads.1 This is called a Watering Hole Attack2)
For crafting a phishing email, an attacker can use all the social media postings and organizational information to create the lure. They can go directly at an individual’s interests and friends, like in the example given above. They can also go indirectly and use organizational information and spoof the company’s HR department to ask employees to verify basic information.3 Knowing which individuals to impersonate in HR can help solidify the phishing email.
The attack doesn’t end there. The cyber crook wants to break into the network and probably plant malware to steal data. To make sure the malware works properly, they customize it for the appropriate versions of software running internally and the IP networks in use. In the example used in Part 1 of this blog series, the attacker sent an exploit specifically tailored for the version of software running on the victim’s machine. Sneaking stolen data back out, called exfiltration, is always a challenge, but knowing what internal servers there are and where they’re located can provide an easy roadmap.
What to Do
There’s a limit to what we as security professionals can do to keep people from sharing information on social media. In government agencies, there are more restrictions and education around this kind of behavior (called operational security4). In the private and commercial world, corralling such behavior is much harder. So, security awareness training, citing these examples, is a good place to start. At least users will be aware of the consequences of their sharing and be forewarned to the deviousness of the attacks. Users should also be urged to report any suspicious emails and verify with IT or Security before running outside software or providing their login credentials.
A good resource you can offer your users is this advice from Public Intelligence on how to reduce their online exposure by “opting out”.5 The fewer bits of data attackers can latch onto, the better.
It is a good idea for your security team (or better yet, your threat intelligence team) to periodically scan your own organization or hire a penetration tester. This could give you clues as to who and where attackers will strike first.
Closing the information leakage on your Internet-facing gear is often not hard to do and is recommended. Every door you close denies an attacker another puzzle piece of information. All domain and IP registries should be set up with generic role names and identifiers instead of the names of individuals. Most IT folks do this anyway to reduce potential spam, but it doesn’t hurt to check.
Lastly, contracting with a good penetration testing firm to do reconnaissance and a social engineering test is a great way to see what you might have missed. It’s better to pay and control the results of a mock attack than have to live through a real one.
You can hear Ray talk more on the subject of phishing in his 10/20/2017 podcast with This Week in Enterprise Tech.