How is personal information used to strengthen phishing or ransomware attacks?

Risk vs reward is greatly increased when targeting a CEO, compared to a generalised phishing campaign, and will require different reconnaissance methods. For a more generalised phishing campaign, the threat actor would require as many internal e-mail addresses as possible, whilst in comparison, when targeting the CEO, they may only need certain selective information. We will now consider several scenarios to outline how personal information could be gathered.

Scenario 1 – Spray ‘n’ Pray Approach

The target in this scenario has a high school education and has been working ever since for a pharmaceutical company. The company uses the same format for all their e-mail addresses - firstname.lastname@pharmaceutical.co.uk. This is an extremely common format making it much easier for an adversary to identify target e-mail addresses. The question for the adversary now is the content of the e-mail. Their aim is for this individual to send a bitcoin payment, and they take the random approach of sending an e-mail telling the individual to follow the link as their student loan payment is overdue. In this instance, the employee receives the e-mail and instantly realises it is fraudulent as they were never a university student and reports it as spam.

Scenario 2 – Informed and Targeted

Based on their previous unsuccessful attempt, the adversary now takes the time to understand the target. They have the target’s name from their e-mail address, and they are able to identify that the employee uses Instagram, using their full name as their handle. An open profile allows the adversary to now gather information around specific online purchasing preferences, and the employee posts regularly about one retail brand. Multiple photos show the employee presenting their new items with the brand logo on the packaging. A simple timeline analysis leads the adversary to conclude this happens every Friday. The phishing e-mail content now takes the form of a failed payment, suggesting once payment is confirmed the item will be shipped by the courier. By producing a simple mock-up of an original payment page, the adversary has a successful result.

Scenario 1 vs Scenario 2

The first approach requires very little input from an adversary and revolves around one e-mail template and a scrape of all known e-mails belonging to the target company. The success rate for this is likely to be much lower. Scenario 2 requires greater investment to analyse the target and the publicly available personal information. So why would a threat actor invest the additional time? The simple answer is, where the reward is likely to outweigh the investment. Targeting a C-suite executive such as the Chief Financial Officer (CFO) is an example of this. This individual is much more likely to have greater access to company sensitive information and payroll information.

Scenario 3 - Targeting a C-Suite Individual

When targeting a c-suite individual, an adversary would likely begin with LinkedIn. After a quick scrape of a LinkedIn profile, they could likely gather personal information including a name, job title, company, approximate location, and a description of their experience. Profile photos are also nearly always present. This information, combined with an email discovery tool or a manual website trawl, is likely to return the e-mail format used by the company, and could even yield other personal social media accounts. ‘Google dorks’, advanced search methods in Google, can assist in helping to find these details as well. Most accounts use the format of first name initial and last name, or a variation of this, and tools can help with permutations of potential usernames.

Further to this, social platforms such as LinkedIn often display connections. Connections are important in the corporate world - building relationships, a network, and becoming known amongst peers can drive your career and business forward. However, by displaying this information publicly on your profile you could be assisting an adversary in building a strong phishing campaign, and in identifying which of your contacts to target.

A combination of this information would allow an adversary to build up a strong profile of a c-suite individual. This information could then be used to create an extremely credible phishing campaign, targeting either the individual or their employees. We often see examples of fake emails impersonating a c-suite individual to their team, requesting a transfer of funds, or asking them to download an attachment to help with a task.

What steps can individuals take to protect their privacy online?

So, what can you do to reduce the risk of threat actors accessing your personal information? What steps can you take as an individual and as a business?

1. Websites

Websites should be limited to business related information only to reduce the ability of an adversary to collect personal information on employees. You could consider whether you need to have email addresses and phone numbers listed for all employees, or whether a contact page form could serve the same purpose.

2. Email settings

As well as this, there are technical settings that can be implemented to reduce the number of phishing emails reaching an employee inbox.

Sender Policy Framework (SPF)

This is used to prevent domain spoofing by restricting who can send emails from your domain. It requires a policy framework, authentication method and specialised headers. A risk of using SPF as an isolated measure is that the message source is not validated.

Domain Keys Identified Mail (DKIM)

DKIM is used to verify the source of the email and to ensure its content has not changed in transit. By using this email security, standard spoofing an email from a trusted domain, which is a popular technique in phishing, is made harder.

Domain-based Message Authentication Reporting & Conformance (DMARC)

This ties the SPF and DKIM together with a consistent set of policies also linking the sender's domain name to what is in the ‘from:’ header of the email.

3. Be aware of who you connect with online

If you do not already know the individual behind a new connection request, take the time to do your due diligence. A fake entity could have been set up to gather information about the target, you! Regardless of your privacy settings, a threat actor will have greater access to personal information if they are part of your network. You bolted the door (set a password), locked it with multiple keys (adjusting privacy settings), but by accepting an unknown request you let the first person who knocked on the door into the house. Intelligence tools can be leveraged, and with little human input it is easy to be provided with trends, topics of interest, even potential sleeping times of the user!

4. Securing the login process

You should take steps as a company or as an individual to strengthen the security of your login process. Top tips include downloading a Password Manager such as 1Password and introducing a Multi-factor Authentication platform or application.

5. LinkedIn privacy settings

Estimates show that 90 percent of useful information acquired by intelligence services comes from public sources. A single profile can provide:

• Name
• Date of Birth
• Friends and Connections
• Work Address
• Home Address
• Vehicle
• Pattern of Life – Working hours, sleeping hours, travel times and travel means as well as route taken
• Political Leaning
• Hobbies
• Topics of Interest
• Potential earnings/statistics from an influencer profile

It could therefore be useful to review your privacy settings, which can be found by clicking your profile image in the top right, and under Account you will see “Settings & Privacy”.

Areas to review:

1. Due diligence on connections

• Click communications from the left navigation bar
• Review the sections under “Who can reach you”

2. Hide your activity

• Click your profile image in the top right
• Click Settings & Privacy
• Choose Privacy
• Next you should see Profile Viewing Options
• By choosing “Private Mode” others will not be able to see your activity feed or know you viewed their profile.

3. Data privacy & advertising data

• Review how LinkedIn uses your data, and which third parties also have access to it.

4. Limit contact information in your profile as well as when you visit others (Mobile / Home Address should be a no)

• Click Visibility from the left navigation bar
• Edit the profile viewing options (Adjust what people see when you visit their profile)
• Edit your public profile
• Who can see or download your e-mail address
• Who can see your last name (Is it necessary to have your last name on there?)

5. Account Access

• Review your active sessions and where you are signed in. A device you may no longer have you forgot to wipe may still have access.
• This is where you will also find Two-step verification

Apply the same thought process from LinkedIn across any social platform. Limit publicly visible information, carry out due diligence, check how your data is being used and review your sign ins.

6. Usernames

Using a more obscure username will undoubtedly increase the time it takes someone to find any social media you are using. However, using the same social media handle across all of them will do the contrary.

7. Training

Instil a security culture through training. Introducing a training programme will help employees to be able to spot and report a phishing or ransomware attack email.

Final Thoughts

The best advice is to be security aware with any decision you make. If you opt to hide your date of birth from a company registry record as a protection measure for example, but then post a public photo on social media celebrating your birthday, it defeats the object. Every data point you provide is a breadcrumb of information to something greater and could leave you vulnerable to a credible phishing attack.

If you have any questions about this blog, please do get in touch.