Think of all the publicly accessible information about your business that’s published on the web— from your corporate social media accounts to your very own website.
This readily available information that can be accessed by any Internet user is called open source information (OSINT), and most enterprises have a lot more online OSINT than they realize.
Every Internet mention of your business creates a digital footprint that savvy hackers can use to trick users or (and technology!) into granting them access to private data. And it’s not just your publically-available brand information that you have to worry about— it’s your employees’ OSINT too.
Hackers use both business and employee OSINT to plan clever social engineering schemes, and it’s your responsibility to learn how they do it to protect your team from costly breaches.
Here are 4 ways social engineers may use your digital footprint against you:
1. Social engineers use OSINT to crack passwords and security questions.
Let’s face it, when it comes to password hygiene, many of us ignore recommendations to strengthen them. Despite the education your enterprise pushes around creating stronger passwords, many users It’s easier to use the same short password over and over, and hate being forced to remember those extra special characters and numbers
The issue is, many users choose passwords like their birthdays or pet names— things that are very easy to glean from social media outlets. All a social engineer has to do is find one manager’s Instagram account and click through a few pictures of Fido to guess their corporate login credentials.
The same logic applies to finding security questions, which are equally accessible to anyone with Google. For instance, if an employee chooses the “Your High School Mascot” prompt for their security question, a hacker can simply check their target’s LinkedIn page to find where they attended school and search its mascot.
In addition to being able to guess passwords through OSINT, social engineers use other clevers tactics to scrape passwords— such as “keylogging” by malware injection and accessing data breach websites on underground forums. Learn more about how these attacks happen and how to safeguard against them here.
Looking for some ways to educate your employees about better login protection? Here are 8 password security tips to share!
2. Social engineers acquire leaked passwords from data breaches.
Teaching password strength is a smart best practice, but it only helps when someone knows a username and is trying to guess a password. If a social engineer can get into a database that houses a password, it’s fully exposed— despite how many fancy characters you or your employees used!
Companies small and large keep login credentials in password management tools or even unsafely categorized on spreadsheets and digital documents. If a bad actor can get their hands on that data, they have the world at their fingertips.
You see, many believe that social engineers only care about credit card numbers. They’re those guys scanning wallets without RFID protection at the mall or capturing your cached card data in your Internet browser. But more often, engineers are going after login credentials because they can sell them off for high dollars on the dark web. And we’re not talking about the login credentials of individual users per say— although high profile credentials obviously hold value. Social engineers are often looking to crack a big database and sell the usernames and passwords of thousands (and even millions) of users in a mass breach.
It’s the reason that breaches are getting bigger and scarier, with one of the grandest of all time happening just this year. COMB (abbreviated for Compilation Of All Breaches) is made up of 3.2 billion— yes we said “billion”— emails and passwords.
3. Social engineers develop clever narratives in phishing schemes.
Social engineers get their name for the way they engineer inventive social situations to fool a target into believing a pretext. One of the most common ways they do this is through carefully targeted spear phishing emails. Some hackers send emails with infected links and attachments to mass groups, but these rarely work. Most of us are smart enough to spot these lazy scam messages in our inbox— but when a social engineer really tries, they can personalize their attack and fool the best of us…
OSINT about employees can be used to craft highly-specific phishing messages. Hackers can create lookalike email addresses that are similar to those in your network, especially managers or those with power on your corporate ladder. The engineer’s email address is just one or two characters off, such as firstname.lastname@example.org vs. email@example.com. They can make the sender’s name appear as a manager’s full first and last name to trick the eye into skimming over the email address. At a glance, this message looks legitimate, and workers may grant these clever social engineers whatever they ask for.
A prime example of email spoofing at play was when renowned business expert and Shark Tank host Barbara Corcoran’s assistant routed $388,700.11 to a sneaky social engineer for "real-estate renovations." The hacker mimicked Corcoran’s email address and attached a fake invoice that looked so real, it didn’t raise any red flags! Read about more spear phishing examples here.
Want to read more stories about how social engineers trick companies using phishing attacks? Pick up a copy of Kevin Mitnick’s book, The Art of Deception.
4. Social engineers also use pretexts over the phone.
Social engineers don’t strictly hide behind email. Many realize that connections are made by talking and building a rapport with their targets, so they skip the junk mail filter and give their targets a call.
With the right OSINT research, a social engineer can use insider lingo and other influential tactics like authority, reciprocity, etc. to convince a target to trust them via phone— in what’s known as a voice phishing (vhishing) attack. And of course, let’s not forget that these engineers use charm and charisma to make them seem like a friendly, likeable source.
A recent example of vhishing in action was the 2020 Twitter Bitcoin scam, wherein a 17-year-old was accused of getting the phone numbers of high-access Twitter employees and “social engineering” important login information from them. Just a few phone calls gave him the clues he needed to break into Twitter’s corporate server and compromise the accounts of huge users like Barack Obama and Elon Musk.
How did this young mastermind acquire the phone numbers of top corporate ladder staff at Twitter? We suspect by following a digital footprint online, using extensive OSINT to trick lower-tier employees into sharing private lines of big wigs at the social media network.
Phone-based social engineering attacks have been a growing concern in recent years with more and more employees working from home as a result of the COVID-19 outbreak. Hackers are even sending SMS messages to personal and company cell phones to trick people into clicking infected links and installing malware on their devices. Learn more about vhishing attacks here.
5½ Steps to Avoid Cyber Threats
Social engineering is one of the top two techniques used to compromise corporations, but it’s not the only cyber threats out there.
While there are lots of attack vectors to consider, we whittled it down to 5-½ truly impactful ways you can increase your digital security in our ebook. Download it for free, today.