Most security leaders are acutely aware of the threat phishing scams pose to enterprise security. What garners less attention is the vast amount of publicly available information about organizations and their employees that enables these attacks.
Kaspersky researchers recently examined the different methods cybercriminals use to gather publicly available and seemingly non-threatening information about companies and dox, or attack, them with it. The security vendor found adversaries are putting considerably more effort and resources into gathering data for enterprise attacks than they would in attacks on individual users because of the potentially higher monetary payoffs.
"Public data is the first step to collecting private data," says Roman Dedenok, security researcher at Kaspersky. Contrary to perception, attackers don't always need to hack into systems in order to gain access to an organization's confidential data, he says. It's often easier for cybercriminals to hack an organization using the human factor, Dedenok says. "Cybercriminals can use public information to collect private data and also get access to the company's finances and cause damage to reputation."
Kaspersky found that publicly accessible online sources, including social media platforms such as LinkedIn and Facebook, are the primary and often richest sources of information for phishers and other cybercriminals. Such platforms often reveal the names and positions of employees and key executives such as the CEO, head of HR, and people in charge of finance and accounting.
The information publicly available on these sites — such as a top executive's 'friends' or connections — can help adversaries quickly figure out an organization's hierarchy, an executive's direct subordinates, and other information that can be extremely useful in carrying out attacks. Even seemingly inconsequential data, like an individual's post on Facebook about restaurants, gyms, or places they visit can provide useful fodder for phishing and other social engineering attacks.
Business email compromise (BEC) is one example of the kind of attack this data can enable, according to Kaspersky. Attackers often use data about individuals and their organizations gleaned from publicly accessible forums to gain a victim's trust. A common tactic is to pose as the victim's superior, fellow employee, or third-party representative to get the victim to take some action; for example, parting with their credentials, disclosing sensitive data, or initiating wire transfers to an attacker-controlled account. In February alone, Kaspersky researchers registered a total of 1,646 unique BEC attacks.
Kaspersky found credential leaks, such as those involving improperly configured Amazon cloud storage buckets, to be another big source of helpful data for criminals. In recent years, there has been a significant uptick in these types of leaks, which have resulted in heightened risk for the owners of leaked data repositories.
The Tracking Pixel Threat
Another method common among attackers involves the so-called 'tracking pixel', a technique that mass mailers use to learn whether a recipient opened a message, Kaspersky observed. Attackers often embed this technique in emails sent to targeted recipients to gather information on when emails are typically opened, along with the recipient's email client, IP address, and other data they can use to impersonate another individual in future attacks.
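The tracking pixel works because the mail client fetches a remote image when the message is rendered, and that fetch carries the open time, the client's User-Agent and the recipient's IP address to whoever hosts the image. A mail gateway or client can flag the pattern before images are loaded. The following checker is an added example written for this article, not code from Kaspersky or the research it describes; the email body, the hostnames (`example-company.test`, `example-mailer.test`) and the `rid` parameter are all constructed for the example. It flags remote `<img>` tags that are 1x1 or smaller, hidden via CSS, or carry an opaque per-recipient identifier in their URL, while leaving inline `cid:` images and ordinary logos alone.

```python
"""Flag likely tracking pixels in an HTML email body (added example, not from the article).

A tracking pixel is a remotely hosted image, usually 1x1 and often hidden, that the
mail client fetches on open. The fetch discloses open time, User-Agent and IP address
to the image host. SAMPLE_EMAIL_HTML below is a constructed message for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: one legitimate logo, one tracking beacon, one inline attachment.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Hello, please review the attached invoice.</p>
<img src="https://cdn.example-company.test/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example-mailer.test/open?rid=a8f3c9e2b1d04f7e" width="1" height="1" style="display:none">
<img src="cid:inline-part-1" width="1" height="1">
</body></html>"""

_HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?(?![\d.])", re.I)
_STYLE_DIM_RE = re.compile(r"(width|height)\s*:\s*(\d+)px", re.I)
_OPAQUE_ID_RE = re.compile(r"[A-Za-z0-9_\-]{12,}")


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def _px(value):
    """Parse a width/height attribute ('1', '1px', '100%') to an int, or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _dimensions(img):
    """Width/height in pixels from attributes, falling back to inline style."""
    w, h = _px(img.get("width")), _px(img.get("height"))
    for name, px in _STYLE_DIM_RE.findall(img.get("style", "")):
        if name.lower() == "width" and w is None:
            w = int(px)
        elif name.lower() == "height" and h is None:
            h = int(px)
    return w, h


def find_tracking_pixels(html):
    """Return a list of (src, reasons) for remote images that look like tracking beacons.

    Only http(s) images can phone home; cid:/data: images are skipped. An image is
    reported when at least one beacon indicator applies.
    """
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme.lower() not in ("http", "https"):
            continue
        reasons = []
        w, h = _dimensions(img)
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 or smaller dimensions")
        if _HIDDEN_RE.search(img.get("style", "")):
            reasons.append("hidden via CSS")
        if any(_OPAQUE_ID_RE.fullmatch(v) for vals in parse_qs(url.query).values() for v in vals):
            reasons.append("opaque per-recipient identifier in URL")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(f"suspect beacon: {src}\n  indicators: {', '.join(reasons)}")
```

The practical mitigation is the one most mail clients already offer: do not load remote images by default, so the fetch never happens. A check like this is useful at the gateway to flag or rewrite beacon URLs in inbound mail to high-value recipients, and to measure how much of an organization's inbound traffic carries per-recipient identifiers.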
The threat to organizations from such doxing can vary, Dedenok says. "For some companies the loss of a large amount of money may be critical; for others, a leak of private secret information can be a disaster," he notes.
Information gathered from publicly available sources can help attackers access data that can later be used as leverage to extort money from victims. If an organization refuses to pay, they could suffer brand damage when the compromised data later surfaces on some criminal forum, he notes.
"Usually this is either extortion of money, or brand and reputational damage," Dedenok says. "There may be exotic cases [where] cybercriminals [might] publish private data in order to lower the company's shares and make money on it."
Kaspersky recommends that organizations establish and enforce a rigid rule prohibiting employees from discussing work-related matters on publicly accessible forums. Employees also need to be made aware of the risks and aggressive tactics that cybercriminals use to gather data that might be handy in attacks against businesses.
"In order for companies to prevent employees from discussing work processes in third-party messengers/social networks, it is necessary not only to prohibit this, but to explain why it is dangerous," Dedenok says. "This is a difficult, but necessary task."