Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

3/30/2021
06:00 PM

Publicly Available Data Enables Enterprise Cyberattacks

Adversaries scour social media platforms and use other tactics to gather information that facilitates targeted enterprise attacks, research shows.

Most security leaders are acutely aware of the threat phishing scams pose to enterprise security. What garners less attention is the vast amount of publicly available information about organizations and their employees that enables these attacks.

Kaspersky researchers recently examined the different methods cybercriminals use to gather publicly available and seemingly non-threatening information about companies and dox, or attack, them with it. The security vendor found adversaries are putting considerably more effort and resources into gathering data for enterprise attacks than they would in attacks on individual users because of the potentially higher monetary payoffs.

"Public data is the first step to collecting private data," says Roman Dedenok, security researcher at Kaspersky. Contrary to perception, attackers don't always need to hack into systems in order to gain access to an organization's confidential data, he says. It's often easier for cybercriminals to hack an organization using the human factor, Dedenok says. "Cybercriminals can use public information to collect private data and also get access to the company's finances and cause damage to reputation."

Kaspersky found that publicly accessible online sources, including social media platforms such as LinkedIn and Facebook, are the primary and often richest sources of information for phishers and other cybercriminals. Such platforms often reveal the names and positions of employees and key executives such as the CEO, head of HR, and people in charge of finance and accounting.

The information publicly available on these sites — such as a top executive's 'friends' or connections — can help adversaries quickly figure out an organization's hierarchy, an executive's direct subordinates, and other information that can be extremely useful in carrying out attacks. Even seemingly inconsequential data, like an individual's post on Facebook about restaurants, gyms, or places they visit can provide useful fodder for phishing and other social engineering attacks.

Business email compromise (BEC) is one example of the kind of attacks this data can enable, according to Kaspersky. Attackers often use data about individuals and their organizations gleaned from publicly accessible forums to gain a victim's trust. A common tactic is to pose as the victim's superior, fellow employee, or third-party representative to get the victim to take some action; for example, parting with their credentials, stealing sensitive data, or initiating wire transfers to an attacker-controlled account. In February alone, Kaspersky researchers registered a total of 1,646 unique BEC attacks.

Kaspersky found credential leaks, such as those involving improperly configured Amazon cloud storage buckets, to be another big source of helpful data for criminals. In recent years, there has been a significant uptick in these types of leaks, which have resulted in heightened risk for the owners of leaked data repositories.

The Tracking Pixel Threat

Another method common among attackers involves the so-called 'tracking pixel', a technique that mass e-mailers use to know if an email recipient opened the message or not, Kaspersky observed. Attackers often use this utility in emails sent to targeted recipients to gather information on when emails were typically opened and the recipient's email client, IP address, and other data they can use to impersonate another individual in future attacks.

The threat to organizations from such doxing can vary, Dedenok says. "For some companies the loss of a large amount of money may be critical, for others - leak of a private secret information can be disaster," he notes.

Information gathered from publicly available sources can help attackers access data that can later be used as leverage to extort money from victims. If an organization refuses to pay, they could suffer brand damage when the compromised data later surfaces on some criminal forum, he notes.

"Usually this is either extortion of money, or brand and reputational damage," Dedenok says. "There may be exotic cases [where] cybercriminals [might] publish private data in order to lower the company's shares and make money on it."

Kaspersky recommends that organizations establish and enforce a rigid rule prohibiting employees from discussing work-related matters on publicly accessible forums. Employees also need to be made aware of the risks and aggressive tactics that cybercriminals use to gather data that might be handy in attacks against businesses.

"In order for companies to prevent employees from discussing work processes in third-party messengers/social networks, it is necessary not only to prohibit this, but to explain why it is dangerous," Dedenok said. "This is a difficult, but necessary task."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...