No Detail Too Small – Part 1
OSINT, Social EngineeringSocial media nowadays allows total strangers to know exactly what is going on in people’s lives. We post our children’s birthdays, our relationship status, when/where we vacation, our birthdays, our phone numbers, our email addresses.. the list goes on and on. All of this information can and will be used by malicious attackers during a targeted social engineer based attack.
You might ask what the big deal is about putting this information out for the public to see? Well, lets take a look at a couple real-life scenarios.
The target: a loan officer at a community bank. The hacker’s objective: control the target’s (loan officer) actions in order to gain remote access to the bank’s systems.
In this scenario, the hacker begins in the most logical place – the bank’s website. The hacker is going here with one goal in mind – to obtain bank personnel information – names, titles, email addresses, etc. So the hacker goes to Google and types in the following in the Google search bar: “ABCbankcorp.bank staff”. After performing the search, the hacker sees that the bank has a list of bank employees with their full names, bank titles, and even email addresses.
At this point, the hacker really doesn’t have to do a ton more research. The hacker could send out a spear phished email from the IT Officer of the bank to a fellow bank employee. The hacker could even follow up the email with a direct call to the targeted employee and ask the employee to give them remote access. An attack of this nature could look like the following example:
The hacker sends an email from Jane Doe, the IT Officer, to a loan officer (Jack Jones) of the bank. The email states: “Hi Jack – John from ABC Networks will be calling shortly with regards to a Microsoft patch that needs to be applied to your system. I have already spoken with him and it’s ok to give him whatever computer information he needs – he might need to remote in to your computer as well. Thanks.”
The hacker then calls into the bank and states that his name is John with ABC Networks and he is helping Jane out with some patch work and asks if he could speak with Jack Jones. Upon being transferred to Jack, the hacker states: “Hi Jack, this is John with ABC Networks, we are helping Jane out today and we are applying a new security patch to a few systems today and it looks like yours is one on the list, I know you are busy and this shouldn’t take more than 5 minutes. Jane stated that she was reaching out to all employees on this list, did she happen to speak to you about this or send you an email. We spoke not to long ago and she was about to go into a meeting so I am hoping she reached out prior to that.”
Upon looking in his inbox, Jack confirms that he has received the email and asks what we need him to do. At this point, we are given full access to do whatever we would like.
This scenario sounds simple, and honestly it is. This is why there is risk and a lot of it, when organizations put out employee information like names, titles, email addresses, and phone numbers. Yes, I understand that there are customer relations benefits to this and that it might be nice or convenient for your customers to have that information readily available. But just know, if that information is readily available for your customers, it is for malicious parties as well.
So, what if your organization has removed all employee information from your organizations website? In part 2 of this 3 part series we will begin to look at how hackers will utilize social media to obtain information to be utilized in social engineer based attacks.
Article written by: Chad Gutschenritter