Hackers, hacktivists, scam artists and general bad guys are moving away from the traditional methods of writing software to infect and obtain information.
Instead, there is a growing trend of social engineering attacks being used to steal employee credentials. These stolen credentials are then used to obtain desired sensitive information.
I believe there are three reasons for this change in behavior. First, social engineering attacks avoid the need for costly malware development. Second, some advanced tools can detect malware, no matter how well written and obfuscated the malware is—thus, rendering all that time, effort and money useless. Last, the resources required to execute a social engineering attack are significantly less than a software-based attack.
It is much easier to research a target, execute a series of emails or calls and obtain the credentials of the target. Then, once inside the compromised system, a actor can run a PowerShell script to gather sensitive information and communicate data externally.
What Defines a Social Engineering Attack?
In order for a social engineering attack to be successful, an attacker needs to collect as much information about their target as possible. They need to eliminate all doubt that they are not who they say they are.
How and Where Do They Get This Information?
All the following information can be found by knowing a target’s first name, last name and either their place of work or city. All data is freely available, either on free of charge or free trial basis.
Social Media (Facebook, Instagram, Twitter etc.)
- Date of birth
- Email address
- Location
- Home Town
- Job history
- Education
- Interests
- Political affiliations
- Religious views
- Friends and family
- Vacations
- Life events
- Photos
- History
- Conversations with other social media users
- Work history
- Education history
- Known associates
- Interests and hobbies
- Certifications
- Languages spoken
- Skills
White or Yellow Pages (411.com, whitepages.com, yellowpages.com etc.)
- Address
- Names of other household members
- Known associates
- Phone numbers
- Neighbors’ information
Google Maps (Street View)
- Physical appearance of home
- Neighborhood details
- Vehicle details (if parked in drive)
- Occasionally pets
Online Public Records
- Taxes paid
- Move-in and move-out dates of properties
- Former and current residents
- Schools
- Property value
- Characteristics
- Sales price
- Criminal records
- Court ruling
- Bankruptcy data
Genealogy Sites
- Target’s entire family tree
Online Newspapers
- Obituaries
- Major life events
- Bankruptcy filings
- Other legal filings
Armed with all this information, it can be easy for an attacker to convince an unsuspecting member of support or network admin that they are the mark they simply need their password reset.
The Moral of the Story
Be careful about how much data you publish about yourself and be extra careful about who you share that information with.