Picnic and SLNT: Protecting your organization’s people from compromise by safeguarding their personal information

Exploitation through easily accessible sensitive personal information is the single largest threat to companies and their people today. It’s how nearly all cyber-attacks begin and is at the root of all manner of human and organizational compromise. In this article, we look at how Picnic’s platform and SLNT’s technology both work to keep this sensitive information out of the hands of the bad guys.

Our accessible information makes us vulnerable

We all have bits of information about ourselves out there in cyberspace. Some of this data we provide on our own and some of it is taken without our knowledge. Most of us don’t know how much there really is, or where it is all stored, let alone how to remove it. At the same time, nearly all of us carry around devices that are filled with our personal information and continuously transmit and receive wireless signals. And most of us carry credit cards, driver’s licenses, or passports that contain a tag that can electronically communicate our sensitive data.

This situation creates a critical security problem for both individuals and institutions since threat actors now more than ever are harvesting and weaponizing our information to target us and the organizations with which we are associated. 

Whether it’s used for phishing, impersonation, credential stuffing, identity theft, or other malicious actions, our personal data in the wrong hands can inevitably lead to financial fraud, account takeover, ransomware, IP theft, and the like. 

These kinds of attacks are ever-growing in both frequency and sophistication to the point where training and awareness can’t keep up. To effectively mitigate this problem, we must reduce the amount of information that is available about us and, whenever possible, make any sensitive data valued by threat actors inaccessible or unusable in an attack. With a combination of Picnic’s enterprise platform and SLNT’s Silent Pocket® Faraday cage technology with Multishield®, organizations and their people can do just that and stay ahead of attackers.

How Picnic works to secure sensitive information online

Nearly all cyberattacks today happen after an attacker conducts reconnaissance on a target’s public data (known as OSINT, or Open-Source Intelligence) and collects personal information about employees and their networks which is then leveraged to manipulate someone into granting initial access. 

The public information available online about companies and employees reveals to hackers how they can compromise human targets and bypass the most powerful technical solutions.

The only way organizations can reduce a threat actor’s ability to use OSINT successfully against them is to know the extent of their public data exposure, proactively remove sensitive data, and preemptively neutralize any pathways to compromise that their digital footprint reveals. In this way, they can detect and prevent attacks before they happen.

Picnic is the first technology platform of its kind that allows organizations and their people to automatically see and know the full extent of their public data footprint and to preemptively eliminate or neutralize sensitive information that could be used to compromise them. 

The platform provides enterprise security teams with the capability to emulate attacker reconnaissance on the entire OSINT footprint of their organization and its people across the surface web, social media, data brokers, breach repositories, and the deep and dark web. At the same time, Picnic’s technology continuously hunts and flags any sensitive data and PII (personally identifiable information) that would be of value to threat actors, identifies likely human targets and pathways to compromise, and streamlines public data footprint cleansing to prevent attacks.

With Picnic, each and every employee has unprecedented visibility of their exposed personal information online, such as credentials exposed through data breaches, and can automatically neutralize exposed sensitive data before it can be used against them or their company.

Picnic’s technology continuously protects organizations and their employees against a variety of threats including the following:

  • Attacker reconnaissance and resource development
  • Phishing, impersonation, and other forms of social engineering
  • Human compromise and personal exploitation
  • Credential compromise and account takeover
  • Insider threats, either real or impersonated
  • Ransomware and financial fraud
  • Identity theft
  • IP theft

The result for enterprises who employ Picnic’s technology is a workforce that is less accessible and more difficult for attackers to compromise, either at work or at home, because the public information making up their personal attack surface is dramatically reduced. By extension, the entire human attack surface of the enterprise is diminished and the human risk that most often leads to organizational breaches is proactively remediated, leading to fewer attacks.

How SLNT works to keep sensitive information safe

Our devices store a massive amount of private personal and work data including financial information and passwords to our accounts. This poses a huge security risk for both individuals and companies since our phones, laptops, and tablets are always sending and receiving signals. Even when we think they are off, they are still accessible and hackable through WiFi and Bluetooth. 

Whenever we use our devices in a public WiFi area and are connected to an unprotected public network, our personal information is always at risk of being accessed and stolen by hackers, who can then use it against us or our organization. But this is not the only way a bad actor can gain access to valuable information from our devices when we are out in the world.

People who carry or use their devices in a public space with their Bluetooth switched on, for instance, are vulnerable to any cybercriminal in the area with a BlueJacking device, who can then send phishing messages with malicious links to them. If the criminal is also skilled at social engineering, it is only a matter of time before they successfully manipulate one or more users into inadvertently handing over sensitive information or credentials. 

Much worse, however, is BlueSnarfing. This is when a malicious actor uses the Bluetooth signal on a device to pair with it and access the data on it including emails, text messages, photos, contact lists, and even passwords, without a person even knowing. And once an attacker has access to a device, they can then install malware for the purpose of continuously accessing valuable data.

Even if we don’t carry our devices in high-traffic areas and opt to store them in our cars out of sight, a thief can easily use Bluetooth scanning to identify the location of our device and physically steal it during the time we are away from our vehicle. All of the personal and business information on that device is then in the hands of the criminal. 

Our private data can also be harvested from our driver’s licenses, credit cards, and passports by anyone with the right tools to read the RFID tag on them. This form of theft is known as RFID skimming. It’s a kind of digital pickpocketing that only requires an RFID reader and close physical proximity to a victim, which is easy enough to accomplish in public settings such as airports, subways, and stores.

The only way to protect our devices and our wallets from hackers looking to harvest our personal information is to shield them from the wireless and electronic communications that allow them to be accessed and compromised in the first place.

SLNT’s Silent Pocket® Faraday cage technology with Multishield® is trusted by the military, business leaders, travelers, and governments to protect any device from being remotely accessed and prevent RFID tags from being skimmed by criminals.

SLNT solves many use cases and problems for those individuals who travel throughout the world and use internet-connected (IoT) devices with valuable information. SLNT products include device sleeves and Faraday bags that allow the user to integrate privacy, security, and health into their daily life and to become undetectable, untraceable, and unhackable.

The wireless shielding technology used in all SLNT products provides instant protection against a variety of threats including the following:

  • Surveillance and eavesdropping
  • WiFi hacking
  • BlueJacking and BlueSnarfing
  • RFID skimming
  • Identity theft
  • Bluetooth tracking
  • GPS tracking, triangulation, or satellite tracking
  • Keyless remote entry hacking
  • EMP, solar flare, or static shock
  • EMF radiation

The result for people and organizations who use SLNT’s products is peace of mind knowing their sensitive information cannot be wirelessly accessed, spied on, or stolen when on the go and in public environments. As with Picnic’s technology, SLNT provides a level of protection for individual users that extends to their organizations and makes them harder to compromise.

Utilized together, Picnic and SLNT provide institutions and their people with state-of-the-art defense against a multitude of threats by safeguarding the primary source of the danger: our sensitive personal information.

Essential Guide to Open-Source Intelligence (OSINT)

Exploitation through publicly available information is the single largest threat to companies and their people today.

Known as Open-Source Intelligence, or OSINT, this public data reveals to hackers how they can compromise human targets via social engineering attacks and defeat the most powerful technical solutions.

The bad news for organizations is that the internet makes it easy for attackers to find information about them and their employees to craft convincing attacks.

The good news is that enterprise security teams can also use OSINT for defensive purposes in order to level the playing field and prevent attacks. With companies recognizing the important role this data plays, the global demand for OSINT tools is on the rise, with research predicting a market growth rate of 28.33% between 2022 and 2030. Fortunately, companies can now automatically harness OSINT like never before to protect their people and their assets.

We’ve created this e-book to explain OSINT, how it’s used, and how security professionals can use Picnic’s powerful new technology to take the advantage away from threat actors.

What you’ll learn:

  • What OSINT is
  • The history of OSINT
  • How people collect OSINT
  • The most-used OSINT tools
  • The information people can find with OSINT
  • How cybercriminals use OSINT for social engineering
  • How cybersecurity teams can use OSINT

What is Open-Source Intelligence (OSINT)?

Open-Source Intelligence (OSINT) is information available through public data sources that someone can collect and analyze.

People can engage in OSINT gathering legally using tools that find data on:

  • the “surface web,” including search engines, blogs, and job postings
  • social media
  • databases containing public records

Additionally, malicious actors often use specialized intelligence tools and search engines for finding information on the dark web.

What is the history of OSINT?

Gathering OSINT is not a new phenomenon. However, the information available and the search processes have changed, especially as more people share data on the internet.

During World War II, the Office of Strategic Services established the first Research and Analysis Branch dedicated to collecting OSINT and using it for the war effort. Since then, global military and intelligence services have used publicly available data for their operations.

In the late 1980s, the US military first used the term OSINT, noting its tactical battlefield value. During the 1990s, OSINT became even more important to the US intelligence community, with the 1992 Intelligence Reorganization Act incorporating public information as valuable and the 1994 establishment of the Community Open-Source Program Office (COSPO) within the CIA.

As the internet became more accessible, so did OSINT. From websites with public government data and social media networks, almost anyone can search publicly available data legally and ethically.

Outside the confines of legality and ethics, threat actors use sophisticated tactics to gather data. For criminals, the definition of “public” also includes the dark web where malicious actors share stolen, otherwise-nonpublic personal information like credit card numbers, passwords, and social security numbers.

How do people collect OSINT?

Since OSINT focuses on publicly available information, people can find it using paid and unpaid search methods. Further, their processes can be as simple as a Google search or as complex as creating a specialized tool.

Surface Web
The surface web is the internet that most people use. It’s easy for the general public to search using standard search engines.

Search Engines
When people want to find information, they usually start with generally available search engines. Most people are familiar with how these work. Google’s search engine has become synonymous with looking up facts and data.

  • Google
  • Bing
  • Yahoo!
  • DuckDuckGo
  • Startpage

Blogs
Blogs are regularly updated websites or web pages that people and organizations use to inform readers. An organization’s blog might try to educate readers about topics related to its products or services. A personal blog often shares stories about someone’s interests, like hobbies, books, music, television shows, or movies.

Job Postings
Most companies list job postings on their websites so that interested applicants can find them. Since companies use job postings to attract candidates, researchers can use them to:

  • Locate corporate offices
  • Find Human Resources contacts

Social Media
People and companies increasingly use social media. Many companies have social media marketing strategies that they use to make important announcements, like when they hire a new senior executive or acquire a new company. Similarly, people often share personal stories and information on social media sites.

For example, LinkedIn enables organizations to create digital business networks. However, since the company shares this information publicly, it becomes an OSINT source. As a career-focused social media site, people may be more “trusting” and open to connecting with others.

Some examples of OSINT gathering on LinkedIn include searching by company name for job roles like:

  • Chief executive officer
  • Chief financial officer
  • Account executive

Someone could do a search for account executives at an organization, look at their connections, and then find a senior leadership team member’s information.

Data Brokers/People Search Engines
Data brokers collect and sell personal or corporate data. While they often use public records to aggregate this information, they can also source it privately. As a paid service, they collect data from multiple locations that can include:

  • Census records
  • Electoral rolls
  • Social media
  • Court reports
  • Purchasing history

Some examples of data brokers and people search engines include:

  • PeopleFinderFree
  • Truthfinder
  • Spokeo
  • US Search
  • Whitepages

Custom Search Engines
More technical researchers can build custom search engines. With a custom search engine, a researcher can collect OSINT across multiple social media websites or filter searches by file type.

For example, the Google Programmable Search Engine is a platform enabling web developers to use Google search capabilities on their websites. However, researchers can use this functionality to search across specific websites and take multiple actions. When engaging in OSINT, researchers might create a custom search engine that enables a simultaneous search across various social networks that can isolate each network’s results in their own tab. This streamlines their process, giving them a way to use the collected data more effectively and efficiently.

Specialized Search Engines
Specialized search engines enable researchers to expand their data collection. These provide search options and capabilities that typical search engines lack.

Some examples of specialized search engines include:

  • Wayback Machine: cached website data that provides historical information
  • Searx.me: exports results and supports researcher anonymity
  • Exalead: searches unstructured data to find documents and audio files, including papers or webinars

Caller ID Databases
Caller ID databases enable people to do reverse lookups on phone numbers. While these traditionally only worked for landlines, more databases now provide services for cellular phones. When researchers input a known telephone number, they can retrieve data like:

  • Country
  • Name
  • Carrier name
  • Carrier type

Third-Party Data Breaches
Whether researching legally or illegally, people can find public databases containing information about compromised email addresses and the passwords associated with them.

For example, cybercriminals often post this information on websites like Pastebin. Further, in response to increased data breaches, ethical services now exist, including:

  • Have I Been Pwned
  • Spycloud
  • Scylla
  • Leaked Source
  • Ghost Project
  • PSBDMP

While researchers need an email address to use these services, they provide valuable information by:

  • Confirming that an email address is valid
  • Providing insight into the breach that compromised the email

Since cybercriminals are not held to legal and ethical research requirements, they often download both publicly available and stolen databases, then run the data through analytics tools. If they find a username and password for one service, like LinkedIn, they can try those credentials to gain access to a corporate environment.

Custom Tools
Gathering OSINT information from all these diverse locations manually isn’t efficient. Often, researchers create or leverage custom tools. With these tools, they can more rapidly search across all potential locations and search engines.

Dark Web
What people call the dark web is really internet traffic directed through the Tor network that conceals users’ location and network usage. This anonymity makes it more difficult to trace activity back to the user, including websites hosted on the network. Criminal activity thrives on the Tor network because the sites are not hosted on publicly viewable networks.


What Are the Most-Used OSINT Tools?

While threat actors may build their own tools, many ethical researchers leverage pre-existing research tools. Below are some of the OSINT tools often used to uncover publicly available data about people and technologies.

Maltego
Focused on discovering relationships, Maltego gathers data like:

  • Names
  • Email addresses
  • Aliases
  • Companies
  • Websites
  • Document owners
  • Affiliations

It uses several common public information sources, including:

  • DNS records
  • Whois records
  • Search engines
  • Social networks

Then, it provides charts and graphs that uncover the connections between the data points.

Mitaka
Mitaka enables people to research using their web browsers. With the ability to search across more than seventy search engines, it returns information like:

  • IP addresses
  • Domains
  • URLs
  • Hashes
  • ASNs
  • Bitcoin wallet addresses
  • Indicators of Compromise (IoCs)

Spiderfoot
A free tool, Spiderfoot is an application that red teams often use during their reconnaissance activities. Some information that it returns includes:

  • IP addresses
  • CIDR ranges
  • Domains and subdomains
  • ASNs
  • Email addresses
  • Phone numbers
  • Names and usernames
  • Bitcoin addresses

Spyse
Focused on detecting internet assets, Spyse collects and analyzes publicly available data about:

  • Websites
  • Website owners
  • Servers associated with websites
  • Internet of Things (IoT) devices

BuiltWith
BuiltWith provides information about a website’s technology stack and platform. For example, it generates information that includes:

  • Content management system (CMS), like WordPress, Joomla, or Drupal
  • JavaScript/CSS libraries, like jQuery or Bootstrap
  • Plugins installed
  • Frameworks
  • Server information
  • Analytics and tracking information

Intelligence X
As an archival service and search engine, Intelligence X enables researchers to obtain historical versions of webpages and leaked data sets, including controversial content.

Some examples of the data that Intelligence X retains include:

  • Lists of compromised VPN passwords exposed on cybercriminal forums
  • Indexed data collected from political figures’ email servers
  • Information from social media site data leaks

Ahmia
Ahmia enables dark web research by making Tor results visible without requiring users to install the Tor browser. However, researchers still need the Tor browser to open the links and results.

DarkSearch.io
As of January 2022, this service is available only to organizations who request private access. The platform allows researchers to run automated searches of the dark web without requiring them to use .onion versions or install the Tor browser.

Grep.app
Grep.app focuses on git repositories, providing a single search across:

  • GitHub
  • GitLab
  • BitBucket

People use it when searching for code strings associated with:

  • IoCs
  • Vulnerable code
  • Malware

Recon-NG
Recon-NG is a Python-based tool that enables researchers to automate repetitive manual tasks. It offers:

  • Independent modules
  • Database interaction
  • Built-in functions for convenience
  • Interactive help
  • Command completion

Creepy
Another Python-based technology, Creepy is a geolocation OSINT tool that collects data from various online sources, including social media and image hosting sites. Users can:

  • Create maps
  • Filter searches based on exact location and/or date
  • Export data

theHarvester
With theHarvester, users can search for:

  • Emails
  • Subdomains
  • IP addresses
  • URLs

It offers both passive search and active DNS brute-forcing capabilities.

Shodan
Shodan is a search engine that both security teams and threat actors use to discover internet-connected devices and services.

The Shodan suite of products includes:

  • Search engine
  • Monitor to track devices
  • Maps
  • Collection of screenshots
  • Collected historical data

TinEye
TinEye is a reverse image search tool that allows researchers to upload images or use URLs. With reverse image lookup, someone can find where a picture was taken so that they can find a physical location.

Metagoofil
With Metagoofil, researchers can scan a domain’s documents and uncover the metadata. The tool provides information about files like:

  • PDFs
  • Word Documents
  • Excel Spreadsheets
  • PowerPoint Presentations

The metadata, or “data about data”, can include information such as:

  • User names
  • Email addresses
  • Printers
  • Software
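The metadata Metagoofil reads lives in a document's package properties. The following added example (not code from the article or from Metagoofil) audits those fields in a .docx and produces a scrubbed copy fit for publishing; it assumes the standard OOXML layout, with author and last editor in docProps/core.xml and application and company in docProps/app.xml, and builds a constructed sample file in memory so it runs offline.

```python
"""Audit and scrub the package metadata that tools like Metagoofil harvest
from published Office documents.  Added example, not code from the article
or from Metagoofil.  Assumes the standard OOXML (.docx) layout: author and
last editor in docProps/core.xml, application and company in docProps/app.xml."""

import io
import re
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
ET.register_namespace("cp", CP)
ET.register_namespace("dc", DC)

# Package part -> elements that commonly leak login names, e-mail addresses,
# software versions and organisation names.
SENSITIVE = {
    "docProps/core.xml": [f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy"],
    "docProps/app.xml": [f"{{{EP}}}Application", f"{{{EP}}}Company"],
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")
LOGIN_RE = re.compile(r"^[a-z][a-z0-9._-]{2,}$")   # looks like a corporate user ID


def build_sample_docx() -> bytes:
    """Constructed minimal .docx whose metadata leaks; not a real document."""
    core = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
            f'<dc:title>Q3 bid</dc:title><dc:creator>jdoe</dc:creator>'
            f'<cp:lastModifiedBy>jane.doe@fakecompany.com</cp:lastModifiedBy>'
            f'</cp:coreProperties>')
    app = (f'<?xml version="1.0" encoding="UTF-8"?>'
           f'<Properties xmlns="{EP}"><Application>Microsoft Office Word</Application>'
           f'<AppVersion>16.0000</AppVersion><Company>Fake Company Inc.</Company>'
           f'</Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def audit_docx(data: bytes) -> dict:
    """Return the sensitive fields found plus a human-readable finding for each."""
    fields, findings = {}, []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part, tags in SENSITIVE.items():
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for tag in tags:
                el = root.find(tag)
                value = (el.text or "").strip() if el is not None else ""
                if not value:
                    continue
                key = tag.split("}")[1]
                fields[key] = value
                if EMAIL_RE.search(value):
                    findings.append(f"{key}: e-mail address '{value}'")
                elif LOGIN_RE.match(value):
                    findings.append(f"{key}: probable login name '{value}'")
                else:
                    findings.append(f"{key}: '{value}'")
    return {"fields": fields, "findings": findings}


def scrub_docx(data: bytes) -> bytes:
    """Return a copy of the package with every sensitive field emptied."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            blob = src.read(item.filename)
            if item.filename in SENSITIVE:
                root = ET.fromstring(blob)
                for tag in SENSITIVE[item.filename]:
                    for el in root.iter(tag):
                        el.text = ""
                blob = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, blob)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for line in audit_docx(sample)["findings"]:
        print("LEAK", line)
    print("after scrub:", audit_docx(scrub_docx(sample))["fields"])
```

Run it against real files by replacing build_sample_docx() with the bytes of a document about to be published; the same two parts exist in .xlsx and .pptx packages.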

What information can people find with OSINT?

While all OSINT information is publicly available, most people may not realize what is out there about them and how someone can find it. Even people who think they have a limited digital footprint would be surprised at what OSINT researchers can uncover.

Email Addresses
Today, most people have at least one personal and one professional email address. According to research, 90% of Americans have an email address, averaging 1.75 email addresses each. Typically, people use their email addresses to:

  • Log into social media
  • Access work resources
  • Use ecommerce applications
  • Register for media, like news, professional publication, and streaming services

Usernames
To maintain consistency, many people use the same username across different online services. For example, someone whose email address begins with jdoe might also use jdoe as a social media handle. Further, these are typically the same types of usernames that corporations use for generating user IDs. With this information, cybercriminals can try to connect known usernames to compromised passwords as a part of credential-based attacks.

Addresses
Personal and professional addresses are easily discoverable. On its own, an address may not impact cybersecurity. However, when aggregated with a name or IP address, ethical and criminal actors can use the information to build a relationship with a target.

Phone numbers
When researchers collect and aggregate OSINT, phone numbers become even more valuable. When connecting a person’s name and phone number, someone can spoof, or create a fake version of, that phone number as part of an attack. For example, when a smishing attack sends a text message that appears to come from a trusted contact, the target is more likely to take the action that the attacker requests.

IP Addresses
When someone obtains an IP address, they can perform a reverse lookup that reveals a great deal about the server hosting a domain, including:

  • City
  • State
  • Zip code
  • Open ports

How do cybercriminals use OSINT for social engineering?

The first step to a successful social engineering attack is to gain a target’s trust or buy-in. People may be skeptical enough to ignore an email from a Nigerian prince, but they’re far less likely to ignore an email from their boss or human resources department.

Cybercriminals leverage OSINT so that they can build their attacks around information that will prompt someone to take an action that’s against their best interests. Further, cybercriminals collect and correlate various data types so that they can build out robust attacks. They rarely just use one type of data, like an email address.

Email Attacks
Phishing, spear phishing, and whaling are all typically email-based social engineering attacks. However, they use OSINT in subtly different ways.

Phishing
With a phishing attack, cybercriminals send out high volumes of fake emails, pretending to come from a legitimate entity. In this case, they really only need the email domain of the entity they want to impersonate.

For example, in a sophisticated attack targeting Office 365 credentials, cybercriminals imitated the domain for the US Department of Labor. They created domains like dol-gov.com, using a legitimate dol.gov domain for replies. The emails sent fake bidding instructions with a PDF that redirected the target to a phishing site where the criminals collected credentials.

Spear Phishing
With a spear phishing attack, cybercriminals might start by doing a LinkedIn search to find someone new to an organization in a high-visibility position, like a Chief Executive Officer (CEO). Once the cybercriminals have this information, they can search LinkedIn for people who will work directly with the new CEO. 

They find the organization’s domain and make a fake, or spoofed, version of it. For example, fakecompany.com would become fakecompany.io. With this fake domain, they create a form that hides the “.io” so that it looks like it’s from the organization’s legitimate domain.

Building on this, they can then find examples of past statements that the new hire made for the email’s text. They email the form to the targets that they found on LinkedIn, requiring them to supply login credentials when they complete it.

Between 2013 and 2015, cybercriminals used a spear phishing attack to steal $100 million from Google and Facebook. In this case, they created a fake computer manufacturing company, then sent invoices to targeted employees under the guise of being the legitimate services provider. Instead of paying the real provider, the companies directed the deposits to the cybercriminals’ bank accounts.
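The two impersonation patterns above, dol.gov rendered as dol-gov.com under Phishing and fakecompany.com rendered as fakecompany.io under Spear Phishing, are the kind of thing a mail gateway rule or SOC detection can flag on the sender domain. The detector below is an added example (not the article's or Picnic's code); it assumes a constructed list of the organization's own domains and a handful of constructed From: headers, and goes beyond the two cases in the text to near-miss spellings and the real domain embedded as a subdomain.

```python
"""Flag sender domains that imitate an organisation's own domains, in the
ways the article describes (dol.gov -> dol-gov.com, fakecompany.com ->
fakecompany.io) plus near-miss spellings and the real domain used as a
subdomain of something else.  Added example, not code from the article;
PROTECTED and the sample headers below are constructed."""

import re

# Domains the organisation actually owns (constructed for this example).
PROTECTED = ["fakecompany.com", "dol.gov"]

SENDER_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """'fakecompany.com' -> ('fakecompany', 'com'); the last label is treated as the TLD."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def classify_domain(domain: str):
    """Return (verdict, protected domain being imitated or None)."""
    d = domain.lower().strip(".")
    for p in PROTECTED:                      # exact match or a real subdomain
        if d == p or d.endswith("." + p):
            return ("legitimate", p)
    for p in PROTECTED:                      # fakecompany.com.evil-example.net
        if d.startswith(p + "."):
            return ("embedded-domain", p)
    name, tld = split_domain(d)
    for p in PROTECTED:
        pname, ptld = split_domain(p)
        if name == pname and tld != ptld:    # fakecompany.io
            return ("tld-swap", p)
        if name == p.replace(".", "-"):      # dol-gov.com
            return ("dot-to-hyphen", p)
        dist = levenshtein(name, pname)
        # Relative threshold: a one- or two-character slip in a long name is
        # suspicious, but short names (dol) would otherwise match too many
        # unrelated domains, so they are only caught by the exact patterns above.
        if 0 < dist and dist / len(pname) <= 0.2:
            return ("near-miss", p)
    return ("unrelated", None)


def scan_from_headers(headers):
    """Classify the sender domain of each From: header as (domain, verdict, target)."""
    results = []
    for h in headers:
        m = SENDER_RE.search(h)
        if m is None:
            results.append((h, "unparseable", None))
            continue
        results.append((m.group(1),) + classify_domain(m.group(1)))
    return results


# Constructed sample headers, one per verdict the detector produces.
SAMPLE_FROM_HEADERS = [
    "From: HR Team <hr@fakecompany.com>",
    "From: Finance <invoices@fakecompany.io>",
    "From: Procurement <bids@dol-gov.com>",
    "From: CEO <ceo@fakecompamy.com>",
    "From: Support <help@fakecompany.com.evil-example.net>",
    "From: Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for domain, verdict, target in scan_from_headers(SAMPLE_FROM_HEADERS):
        print(f"{domain:45} {verdict:16} {target or ''}")
```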

Vishing
Also called “phone phishing” or “voice phishing” attacks, cybercriminals call their targets to deploy the attack. During a vishing attack, cybercriminals will often incorporate pretexting, creating a situation that lures the target into taking action.

Many cybersecurity awareness training modules include pretexting scenarios where someone calls a new employee, pretending to be from human resources. For this attack to work, cybercriminals need to do their OSINT research.

For large organizations that might have upwards of 100 global new hires per week, this scenario provides cyber attackers a significant return on investment. To be successful, attackers need a few different types of OSINT data. First, they need to find people on LinkedIn who recently announced that they joined an organization. Next, they need to find the VoIP data for the organization’s phone system so that they can spoof it. Then, they create a fake HR portal that sends data directly to them. They call the new employees, telling them that to get paid they need to confirm payment data by clicking on a link that they’re sending while on the phone. When the targets enter their credentials, the cybercriminals collect them.

In 2020, attackers compromised 130 Twitter accounts with a vishing attack. Twitter classified this as a phone spear phishing attack, saying that cybercriminals called employees and tricked them into revealing account credentials.

How OSINT Enables Cybersecurity Teams

The good news for organizations is that their security teams can also use OSINT. The information itself is benign. The danger or benefit comes from how someone uses it.

When organizations use OSINT to protect themselves, they can follow the same processes as threat actors. When security teams have access to the same publicly available information that malicious actors have, they can mitigate risk by reducing their digital footprint or implementing additional security controls.

Discover Public-facing Assets
Most security teams leverage OSINT to detect assets connected to the public internet. For example, many security teams use Shodan to detect IoT devices so that they can implement controls or protections.

Locate Information Outside Organization Boundaries
Sometimes, employees share information on social media without realizing that a little personal information can lead to an attack that leads to a breach.

For example, an employee might list their telephone number on LinkedIn. With this information, skilled attackers can implement a successful vishing or smishing attack that could compromise both the personal and corporate accounts of the employee.

When security teams have visibility into this risk, they can implement preventative measures that reduce risk, in this case working with the employee to remove the phone number before it can be leveraged in a social engineering attack.

Identify External Threats
When security teams have OSINT tools, they can monitor dark web forums for stolen credentials that compromise the organization’s security.

According to research, 70% of users tied to breach exposures from 2021 or earlier were still reusing the exposed credentials. Further, more than two out of three people use the same passwords across multiple accounts, meaning a compromised personal password could impact someone’s professional login credentials.

Security teams that can find and link employee personal and professional leaked credentials can use this information to make sure these credentials are no longer being used.

Enhanced Penetration Tests
Penetration tests look for weaknesses in an organization’s security program. As part of this process, penetration testers start with the reconnaissance phase to map out the attack surface of the target. This involves running OSINT, looking for accidental sensitive information leaks across social media, data brokers, and other publicly available data locations. Then they leverage this information to aid their ethical social engineering attacks.

With regular OSINT monitoring, security teams can reduce the number of findings by proactively identifying and mitigating these risks.

Design Adversary Emulations
When security teams engage in adversary emulations, they follow threat actor tactics, techniques, and procedures (TTPs) to test their defensive controls.

For example, when security teams want to emulate a remote desktop protocol attack, they need to follow the same steps that attackers do. Many security teams focus on the steps that attackers take once they gain access to systems because they lack the OSINT visibility to emulate attackers’ social engineering and credential theft capabilities.

When security teams can effectively obtain publicly available data, like information employees post on social media, they can create more realistic emulations. By identifying employees that attackers might target, they can implement controls that proactively address these risks.

For large organizations that might have upwards of 100 global new hires per week, the new-hire vishing scenario described next provides cyber attackers a significant return on investment. To be successful, attackers need a few different types of OSINT data. First, they need to find people on LinkedIn who recently announced that they joined an organization. Next, they need to find the VOIP data for the organization’s phone system so that they can spoof it. Then, they create a fake HR portal that sends data directly to them. They call the new employees, telling them that to get paid they need to confirm payment data by clicking on a link that they’re sending while on the phone. When the targets enter their credentials, the cybercriminals collect them.

In 2020, attackers compromised 130 Twitter accounts with a vishing attack. Twitter classified this as a phone spear phishing attack, saying that cybercriminals called employees and tricked them into revealing account credentials.

Picnic: Automated OSINT Monitoring and Remediation for Enhanced Cybersecurity
Picnic is the first technology platform that allows organizations to fully and automatically harness OSINT for defensive purposes.

The platform provides enterprise security teams with the capability to instantly emulate attacker reconnaissance on the entire OSINT footprint of their organization and its people across the surface web, social media, data brokers, breach repositories, and the deep and dark web. At the same time, Picnic’s technology continuously hunts and flags any exposed data and PII that would be of value to threat actors, identifies likely human targets and pathways to compromise, streamlines external data footprint cleansing, and enhances existing security controls to prevent attacks.

Since attackers have OSINT exposure too, Picnic also monitors for suspicious domains and other attacker infrastructure before these can be leveraged against an organization’s people.

With these preemptive and continuous capabilities, organizations gain an unprecedented level of visibility and control over their OSINT footprint and can substantially reduce a threat actor’s ability to use OSINT successfully against them.

Picnic’s technology marks a decisive moment in the history of OSINT, as it takes away the asymmetrical advantage threat actors have had until now.

Attackers need OSINT to craft their attacks. The public data vulnerabilities revealed during a cybercriminal’s reconnaissance are ultimately what lead to phishing, credential compromise, ransomware, malware, and the like.

Picnic’s platform addresses this problem head-on by providing enterprises and their people with the power to automatically know the full extent of their OSINT exposure, proactively remediate their human risk, and preemptively neutralize the pathways to compromise that their public footprint reveals. In this way, they can detect and prevent attacks before they happen on a scale not previously possible.

SANS First Look Report

Jeff Lomas of SANS discusses the importance of knowing your attack surface from the outside in and how Picnic can help organizations tackle the largest problem in cybersecurity—social engineering.

Just a little bit of exposed personal data can go a long way for a hacker

Hackers today use our exposed personal data against us. More than 90% of the time, cyberattacks are specifically crafted from users’ public data. To a hacker and to cyber specialists in general, this exposed, publicly available information is known as OSINT, or Open-Source Intelligence. OSINT can be any publicly available information a hacker can find on a target, such as data from LinkedIn, Instagram, and other social media sites, data brokers, breach repositories, and elsewhere. Hackers use this data to craft and power social engineering attacks. It is the data that tells the attacker who is a vulnerable and valuable target, how best to contact them, how to establish trust, and how ultimately to trick, coerce, or manipulate them. Social engineering attacks fool people into performing a desired action and criminals use social engineering to lure targets into handing over personal information, opening malicious files, or granting access to sensitive data.

In this post, we highlight some of the ways in which bad actors use our information in social engineering campaigns. Understanding the various ways in which even a limited amount of exposed personal information can be weaponized by social engineers can help us not only become more vigilant and cautious but will hopefully also motivate us to take proactive measures to protect ourselves and our companies before attacks happen.

Hackers need—and harvest!—personal information to craft attacks

In order to identify, choose, and plan attacks against potential targets, threat actors must first conduct OSINT reconnaissance. Hackers have a variety of tools that automate this process. They begin by searching for information and selecting a vulnerable target, and then use the target’s data to create a compelling story that will trick them. The social engineer uses one of several means, such as an email, social media, or a phone call, to contact the target and establish trust. If the communication is convincing enough, the victim will be fooled and unwittingly click a malicious link or give the attacker sensitive information that will be used against them or their company.

On account of the essential role that public data plays in social engineering attacks, it behooves us to be aware of, and especially limit, the amount of personal information we share online. The larger our digital footprint is, the larger our attack surface is and the more visible we are to social engineers. The more information attackers have on a target, the easier it is for them to craft convincing, and ultimately successful, social engineering attacks. The less visible we are, the less attractive we are to hackers and the fewer paths to compromise there are to be exploited.

While deleting oneself entirely from the internet in the 21st century is not viable, by carefully manicuring what you share and with whom you share it, you can significantly reduce your visible attack surface and prevent social engineering attacks.

Even a little bit of exposed information can be dangerous

Hackers don’t need much personal information to wreak havoc on your life. They can do a significant amount of damage with just your cell phone number. Typing your number into a people search site, for instance, can reveal your personal information to an attacker in just a few seconds. This information can then be used for social engineering, identity theft, doxing, or other malicious actions, such as taking over your email and other accounts. 

With only your phone number, a hacker can easily determine your email address. They can then contact your mobile provider and claim to be you, route your number to their phone, log into your email, click ‘forgot password,’ and have the reset link sent to them. Once they have your email account, all of your other accounts are potentially vulnerable. This is one reason to avoid using the same username and password across multiple accounts! 

Once a hacker has acquired your phone number, they could also decide to ‘spoof’ it. This makes your number appear on a caller ID even though it is not you calling. Using this method, a bad actor can impersonate you to trick one of your friends or colleagues, or call you from a spoofed number, one that you may recognize or trust, in an attempt to socially engineer you or to record your voice for use in another scam.

The fact that a hacker can do so much with just a limited amount of information should make us think twice about what we share publicly, even if it’s only our phone number. To see some of your exposed personal data, get your free report below.


Exposed data and credential compromise

Hackers can also do a lot of damage with exposed login credentials. Usernames, email addresses, and corresponding passwords become available on the dark web (and the public web!) once they have been involved in a data breach. You can find out if your personal data has been compromised in a breach by checking haveibeenpwned.com, for example. Whenever this type of information gets exposed, it can leave users vulnerable to credential compromise.

Credential compromise, also known as ‘credential stuffing,’ happens when an attacker obtains a list of breached username and password pairs (“credentials”) from the dark web and then uses automated scripts or ‘bots’ to test them on dozens or even hundreds of website login forms with the goal of gaining access to user accounts. There are massive lists of breached credentials available to hackers on the black market and, since most people reuse passwords across different accounts, it is inevitable that some of these credentials will work on other accounts, either personal or corporate.

Once hackers have access to a customer account through credential stuffing, they can use the account for various nefarious purposes such as stealing assets, making purchases, or obtaining more personal information that can be sold to other hackers. If the breached credentials belong to an employee, the hacker can use that access to compromise a company’s systems and assets. 

Since credential compromise relies on the reuse of passwords, avoiding the reuse of the same or similar passwords across different accounts is critical. Always use strong passwords that are difficult to guess and change them frequently. Additionally, using multi-factor authentication, which requires users to authenticate their login with something they physically have and something they personally know, is a good defense against credential stuffing since an attacker’s bots cannot replicate this validation method. 

Recent real-world examples reveal the dangers of exposed personal data for companies

Companies should be especially wary of the role exposed personal data of employees plays in cyberattacks. Three recent examples that made headlines highlight how just a limited amount of exposed employee information can be used to craft a successful social engineering campaign and breach organizations. 

Twilio and Cloudflare

In August, hackers targeted two security-sensitive companies, Twilio and Cloudflare, as part of a larger ongoing campaign dubbed “Oktapus” that ultimately compromised more than 130 organizations and netted the attackers nearly 10,000 login credentials. In the case of Twilio, the hackers began by cross-referencing employee public data from Twilio’s LinkedIn roster (the starting point of most attacks) against existing exposed third-party breach data sets (e.g., haveibeenpwned.com) and data broker data (e.g., white pages). This gave the attackers a list of personal information of employees to target. The hackers then created a fake domain and login page that looked like Twilio’s (twilio-sso.com or twilio-okta.com). Using the acquired personal data, they then sent text messages to employees, which appeared as official company communications. The link in the SMS message directed the employees to the attackers’ fake landing page that impersonated their company’s sign-in page. When the employees entered their corporate login credentials and two-factor codes on the fake page, they ended up handing them over to the attackers, who then used those valid credentials on the actual Twilio login page to access the systems illegally.

Although Cloudflare was also targeted in this way, they were able to stop the breach through their use of FIDO MFA keys. Even though they were able to keep the attackers from accessing their systems through advanced security practices, Cloudflare’s CEO, senior security engineer, and incident response leader stated that “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached.”

Indeed, the exposed personal data used to power the Oktapus attacks shows how dangerous even a small amount of public data can be in the hands of a social engineer.

Cisco 

In another example from May of this year, the corporate network of multinational security company Cisco was breached by hackers with links to both the Lapsus$ and Yanluowang ransomware gangs. In this case, the hackers acquired the username or email address of a Cisco employee’s Google account along with the employee’s cell phone number. They targeted the employee’s mobile device with repeated voice phishing attacks with the goal of taking over the Google account. The employee was using a personal Google account that was syncing company login credentials via Google Chrome’s password manager. The account was protected by multi-factor authentication (MFA), however, so the hackers posed as people from the technical support departments of well-known companies and sent the employee a barrage of MFA push requests until the target, out of fatigue, finally agreed to one of them. This gave the attackers access to the Cisco VPN through the user’s account. From there the attackers were able to gain further access, escalate privileges, and drop payloads before being slowed and contained by Cisco. The TTPs (tactics, techniques, and procedures) used in the attack were consistent with pre-ransomware activity.

Uber 

Most recently, the ride-hailing company Uber was breached by a hacker thought to be linked to the Lapsus$ group, who gained initial access by socially engineering an Uber contractor. The attacker had apparently acquired the corporate password of this contractor on the dark web after it had been exposed through malware on the contractor’s personal device. The attacker then repeatedly tried to log in to the contractor’s Uber account, which sent multiple two-factor login approval requests to the contractor’s phone. Finally, the hacker posed as Uber IT and sent a message asking the contractor to approve the sign-in. After the contractor had been worn down, the approval was granted, and this provided the hacker with the valid credentials needed to gain access to Uber’s VPN. Once inside, the hacker found a network share that had PowerShell scripts. One of these scripts contained admin credentials for Thycotic [a privileged access management solution]. Once the hacker had access to this, he was able to get access to all other internal systems by using their passwords.
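The credential stuffing described above and the MFA push fatigue seen in the Cisco and Uber incidents both leave traces in authentication logs. The following detector is an added example, not Picnic’s code: it runs two sliding-window checks over a constructed log (the log format, accounts and source addresses are all assumed) and flags the source that sprays many accounts as well as the user who approves a push only after a burst of prompts.

```python
"""Flag credential-stuffing and MFA push-fatigue patterns in authentication logs.

Added example for this article, not Picnic's code. The log format, the accounts and
the source addresses (IETF documentation ranges) are all constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log, one event per line: "<ISO timestamp> <event> <user> <source ip>".
# 203.0.113.5 tries eight accounts and gets one hit (hal reused a breached password),
# then bombards hal with MFA pushes until one is approved. ivy is a normal user.
SAMPLE_LOG = """\
2022-09-01T10:00:01Z login_fail alice@example.com 203.0.113.5
2022-09-01T10:00:02Z login_fail bob@example.com 203.0.113.5
2022-09-01T10:00:03Z login_fail carol@example.com 203.0.113.5
2022-09-01T10:00:04Z login_fail dan@example.com 203.0.113.5
2022-09-01T10:00:05Z login_fail eve@example.com 203.0.113.5
2022-09-01T10:00:06Z login_fail fay@example.com 203.0.113.5
2022-09-01T10:00:07Z login_fail gus@example.com 203.0.113.5
2022-09-01T10:00:08Z login_ok hal@example.com 203.0.113.5
2022-09-01T10:03:00Z login_fail ivy@example.com 192.0.2.11
2022-09-01T10:03:20Z login_ok ivy@example.com 192.0.2.11
2022-09-01T10:05:00Z mfa_push hal@example.com 203.0.113.5
2022-09-01T10:05:30Z mfa_push hal@example.com 203.0.113.5
2022-09-01T10:06:00Z mfa_push hal@example.com 203.0.113.5
2022-09-01T10:06:30Z mfa_push hal@example.com 203.0.113.5
2022-09-01T10:07:00Z mfa_push hal@example.com 203.0.113.5
2022-09-01T10:07:30Z mfa_push hal@example.com 203.0.113.5
2022-09-01T10:08:00Z mfa_approve hal@example.com 203.0.113.5
2022-09-01T11:00:00Z mfa_push ivy@example.com 192.0.2.11
2022-09-01T11:00:10Z mfa_approve ivy@example.com 192.0.2.11
"""

def parse_events(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event": event, "user": user, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.5):
    """Per source IP, keep a sliding window of login attempts and flag the IP once
    it has tried at least min_users distinct accounts with a high failure rate.
    Returns {ip: {...}}, including which accounts the source actually got into."""
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["event"] not in ("login_fail", "login_ok"):
            continue
        q = recent[e["ip"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:  # drop attempts outside the window
            q.popleft()
        users = {x["user"] for x in q}
        failures = sum(1 for x in q if x["event"] == "login_fail")
        if len(users) >= min_users and failures / len(q) >= min_fail_ratio:
            alerts[e["ip"]] = {
                "distinct_users": len(users), "attempts": len(q), "failures": failures,
                "successes": [x["user"] for x in q if x["event"] == "login_ok"],
            }
    return alerts

def detect_mfa_fatigue(events, window=timedelta(minutes=5), max_pushes=3):
    """Per user, count MFA push prompts in a sliding window; flag a burst beyond
    max_pushes and record whether the user then approved one, the pattern seen in
    the Cisco and Uber incidents. Returns {user: {...}}."""
    pushes = defaultdict(deque)
    alerts = {}
    for e in events:
        user = e["user"]
        if e["event"] == "mfa_push":
            q = pushes[user]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:
                q.popleft()
            if len(q) > max_pushes:
                a = alerts.setdefault(user, {"pushes": 0, "approved_after_burst": False})
                a["pushes"] = max(a["pushes"], len(q))
        elif e["event"] == "mfa_approve" and user in alerts:
            # An approval shortly after the burst means the prompt bombing worked;
            # treat the resulting session as compromised, not as a valid MFA login.
            if e["ts"] - pushes[user][-1] <= window:
                alerts[user]["approved_after_burst"] = True
    return alerts

def analyze(text):
    """Run both detectors over a log and return their alerts together."""
    events = parse_events(text)
    return {"credential_stuffing": detect_credential_stuffing(events),
            "mfa_fatigue": detect_mfa_fatigue(events)}

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the constructed log this reports 203.0.113.5 as a stuffing source that succeeded against one account, and hal@example.com as a user who approved a push after six prompts in three minutes, which is the signal to treat that session as hostile rather than as a legitimate MFA login.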

The Uber hack is a prime example of how, with only a limited amount of exposed personal data and some social engineering, a hacker can easily trick, manipulate, or coerce a human and compromise a company’s systems. See our key takeaways and remediation recommendations.

Limiting exposed personal data to prevent attacks

The examples provided here illustrate some of the common ways our personal information can be successfully weaponized by today’s hackers. It is now more urgent than ever for people and companies to know and manage their exposed public information proactively to help prevent attacks. Attackers are opportunists who care about their ROI. By limiting exposed personal data, it becomes more difficult and therefore more expensive for threat actors to succeed in social engineering attacks. Companies that recognize this fact pattern and take action to protect their employees will be more likely to avoid expensive and damaging breaches.

Cybercrime awareness is no longer enough to reduce risk

People’s perceptions have changed. Not so long ago we thought nothing of kids playing outside all day alone, unchaperoned visits to a friend’s house, walking to school alone – the list goes on. But as times have changed, we have become much more vigilant about personal safety. The same can be said for the online world. The majority of us are well-aware of cybercrime and are generally on our guard for suspicious emails and websites. Yet despite this everyday vigilance, social engineers find ways to take advantage of our online behavior.

Cybercrime: We are already suspicious

When it comes to business IT security, company leaders generally want to establish a strong cybersecurity culture within their organizations. It’s a very natural thing to do. Human resources department training typically focuses on awareness and highlights typical mistakes that open the doors to a business’ systems and data. It shines a spotlight on what it means to be aware. But conducting security awareness training is not enough to reduce risk completely. Why? The truth is that most people are already “cyber aware.” We have all already formed an opinion on cybersecurity, and whom we trust.

Just think about it. How often do you hear a knock on the door these days, except from an unexpected visitor? A generation ago, a ringing doorbell was nearly cause for celebration. Everyone in the house leaped into action in near perfect unison. But people’s attitudes have changed. We are now not just suspicious, but actually distrustful, of people knocking on our door. We are conscious that not everyone who calls to the door nowadays is legit. It’s born out of the fact that we are aware of the many door-to-door scams or have been a victim of a cold caller ourselves. Besides, due to smartphones, we already know in advance if someone is dropping by – anyone else is considered an uninvited caller. In this way, the escalation of increasingly invasive marketing and social networking manipulation, coupled with technology that makes us easier to track and easier to target, has driven a culture-wide sense of security awareness.

The same can be said for cybersecurity. Nearly everyone is aware of the classic Nigerian 419 scam. In return for a few thousand dollars, email recipients are guaranteed several million in return. Word spread years ago that this, and many others like it, was a scam; and people now ignore such basic scams out of habit. Like the bogus salesmen calling to the door, we already have a heightened sense of awareness, causing us to be more cautious.

Cybersecurity training: Awareness alone doesn’t solve the problem

There is no question that awareness of cybersecurity is high now and has been for a couple of years – and that’s a good thing. The problem is that while cyber security training within an organization is well intentioned, it is solely invested in creating awareness. At this point, however, we are way past awareness. People are already suspicious of bogus email, SMS messages and calls.

The real focus should be on personal attack surface, e.g. the aforementioned data that makes us easier to track and to target. Attention needs to be given to the significance of personal information, the sharing of it and how to defend it. While we are “aware” cybercrime exists, many of us may not fully understand the implications of actions that open the door to cybercrime. This is partially why social engineering and other large-scale data breaches are often so successful – and you only need to look at the stats.

A 2017 Tenable survey found that nearly all participants were aware of security breaches. What the survey also revealed was that many admitted they had taken little or no precaution to protect their personal data and had not changed their security habits in the face of a public threat. Not surprisingly, another study from Stanford University and security firm Tessian revealed that nine in ten (88%) data breach incidents are caused by employees’ mistakes – and costly ones at that. In 2020 alone, data breaches cost businesses an average of $3.86 million.

So, what, in light of this, are the best steps to start mitigating risk?

Reduce Employee Burden: Recognition of a person’s attackable surface

When it comes to reducing risk through employee training, businesses need to recognize that many people fall into one of two categories:

  1. There are those who are very concerned about personal data security. This cohort wants to keep their data safe and does not want anyone “messing” with their personal information. They are already very much engaged with cybersecurity – they are not the problem.
  2. Then there are those who are the reverse. They are not interested in cyber security. They are aware but they don’t feel at risk, and as such are not willing to spend effort on it.

Trying to “convert” the second group of employees to become champions of cyber hygiene or cybersecurity can be, for want of a better phrase, a waste of time. Until you can put cybersecurity into personal terms for each person, it is nearly impossible to change entrenched habits and opinions.

However, if you can pinpoint which extra-professional avenues of attack are most likely for an individual’s data profile, you may be able to make progress against this skepticism. It’s about recognition of a person’s attackable surface. Concern for one’s own personal safety will always trump concerns for company safety. Or, put in analog terms, you don’t have to convince suspicious people not to answer the phone; you need to convince them not to publish their phone number in the first place. The smarter everyone is about his or her personal data, the more secure the company will be.

Security awareness training is a common corporate exercise – but is no longer enough to reduce risk. By empowering your employees to safeguard their own digital footprints – along with company data – you can start to develop really formidable foes to cybercrime.

Are we thinking about Surveillance Capitalism the right way?

I recently purchased a greenhouse from a well-known catalogue retailer – now I’m swamped with Google and Facebook ads for greenhouse accessories and all manner of gardening paraphernalia. Ever wonder why this happens? The answer is that our data is systematically captured and then used to market to us, in a broad-scale set of processes known collectively as surveillance capitalism – a set of processes that are both pervasive and here to stay. While many of us dismiss the bombardment of ads as trivial, there are those who would argue that we need to be more au fait with this use of our data. While many people debate the intentions of those who conduct and profit from surveillance capitalism, the real concern may be not simply the amassing of an incredible volume of personal data and its unprecedented synthesis, but rather the normalization of the surveillance techniques themselves, which can fall into anyone’s hands.

What is surveillance capitalism?

The term surveillance capitalism was coined in 2014 by Shoshana Zuboff – a Harvard Business School Professor. In her book of the same name, Zuboff explains that surveillance capitalism is an economic system centered around the commodification of personal data with the core purpose of profit-making. She states that surveillance capitalism claims our private digital experience as its source of free raw material and translates that raw material into behavioral data. In layman’s terms, surveillance capitalism describes how commercial corporations – such as Google and Facebook – use data harvested from us to sell advertising, goods, and services. If anything, surveillance capitalism could be described as the business model of the internet.

Big Brother is watching, and we appear to be okay with it

Google pioneered surveillance capitalism – it was the first company to tap into this new form of profit-making, and it now dominates the market. Tech companies, data brokers and other players continuously capture as much user data as possible not only to predict our behavior but also to influence and modify it so that it can be further used for commercial purposes. With so much to gain from digital data, surveillance capitalism is a trend that has spread far beyond big tech companies. Every bank, insurance company, supermarket, mobile phone operator, etc., now has its own surveillance capitalism strategy in place. Zuboff believes that this surveillance by private firms is a crisis as serious as climate change. She argues that it is a visible power grab that wields enormous economic and political influence. Should we really be more concerned about this state of affairs?

Many of us know and are aware that our data is being taken without our knowledge. We know big companies use data to manipulate us into becoming more predictable and more reliable consumers. As consumers we recognize that privacy concerns must be balanced against other societal goods. Some might say that what they are doing is really just marketing that has been adapted and updated for the digital era.

Many digital companies have been upfront about the trade-offs involved in using their products. Even Zuboff herself notes, “Privacy, they said, was the price one must pay for the abundant rewards of information, connection, and other digital goods when, where, and how you want them.”

It is interesting how the public view of privacy can quickly change based on our perception of who is collecting information and why. Generally, when it appears that we are getting back some perceived economic value, we have a mixed response to surveillance. But when it comes to government surveillance, the public broadly disapproves of invasions of privacy – even though the government utilizes the same core technology and collects the same sorts of data as the private sector. Events like the Cambridge Analytica scandal and Edward Snowden’s historic leak of US surveillance efforts highlighted the risk of political manipulation through data exploitation and reinforced public concerns around government surveillance and inference, weakening public trust.

The real security risk of surveillance capitalism

The morality and legality of commercial and governmental surveillance is often in the news. Less discussed, however, are the increased security risks the surveillance capitalism model creates for companies, governments, and individuals. Commercial and government data troves are, simply put, targets for social engineers. And the wealth of data underpinning surveillance capitalism is not just itself susceptible to attacks: it enables more effective social engineering crimes when accessed, in large part by adopting the same targeting techniques used by cutting-edge marketeers.

Data captured via surveillance capitalism can include details pertaining to finances, personal interests, consumption patterns, medical history, career path – in short, the raw material needed to carry out crimes like identity theft, business email compromise and even extortion and blackmail. It helps threat actors reach users across the web with ease and little oversight, since so much of the synthesis is automated. The bottom line is surveillance capitalism makes it relatively easy for bad guys to get their hands on rich data sets of highly personal information. It provides them with a substantial search facility to find and profile their next target and victim.

Data is not necessarily dangerous by itself. We all leave data trails as we live our digital life. Unconnected bits of data in an ocean of similar data don’t provide much of a foothold to cyber criminals. But surveillance capitalism has created an incentive to be much smarter about the synthesis of data. Now companies (and governments) are pulling all those data trails together to create a fuller picture of ‘you.’ Suddenly, everything is in one place. It is the concentration and rationalization of the data that now provides bad actors an easy way to steal identities and worse.

And the risk doesn’t end there. The science and techniques for surveillance, tracking and synthesis are being constantly improved. These same techniques can easily be weaponized if they fall into the wrong hands. So, whether or not a commercial enterprise has the intent to do harm or manipulate you may miss the larger point. Social engineers are drawn like bees to honey to the data and methods of surveillance capitalism. The real concern is whether the many “well-intentioned” companies now storing gobs of sensitive information can keep your personal data secure.

Surveillance capitalism: The bigger picture

There is no denying that we’re fundamentally willing to exchange some measure of privacy for convenience. We also know that steps, albeit baby ones, have and continue to be taken around privacy and the right to be forgotten. But we also need to acknowledge the bigger issue of surveillance capitalism: it is not immune to surveillance itself and the personal data that it reaps may put us all in danger.

How much control have we given up just to enjoy the digital life?

We all enjoy life in the digital age and the Internet provides us connectivity, efficiency and fun. By submitting some of our personal data into online interfaces, we enjoy significant benefits in the form of services tailored to our needs; from banking to work, ecommerce, transport, dating, social media and everything in between. But, by using our personal information, and sometimes posting it in the public domain, we have created a problem. Who owns this personal data once it leaves your keyboard? And if it is misused, who is the negligent party? It might be you.

A day in the life of data: Just how much information do you give away?

Before the development of computer databases, we had certain expectations about privacy and accepted a certain level of public disclosure of personal information. And it seems this statement still rings true. Americans say they care deeply about protecting their data. Pew Research found that being in control of who can get information about us is “very important” to 74% of Americans. However, when it comes to online activity, a lot of people do not consider data privacy an important issue. The irony!

With the advent of social media and messaging platforms we offer information about our personal life freely and voluntarily on a daily basis – and we rarely realize or question it. We regularly post personal (and sometimes compromising) pictures. We share our current location (and indicate where we are not!). We share our relationship status, where we went to school, where we live, work history, birth dates, phone numbers – the list goes on.

And we don’t even stop to think about it. We are too busy reaping the benefits.

“In general, there has never been so much personal information about individuals as readily accessible as there is today with the Internet,” says Kevin Werbach, professor of legal studies and business ethics at Wharton. “However, what most of us fail to recognize is that once content is posted online, it can be difficult to maintain total control over where it is eventually used, shared, or modified.”

Personal or private – data is open to misuse

Many consumers are unaware how their data is used or by whom. They operate with an assumption of trust. But data is regularly leveraged in ways the consumer never imagined. The data a user scatters can be harvested and analyzed to reveal a wide variety of personal attributes that, while seemingly innocuous by themselves, can add up to form a skeleton key that social engineers can use to unlock real personal assets or corporate secrets. Shopping habits, political affiliation, relationship status etc., can all be used as steps in the ladder of a cybercrime.

Adding a sad face to a post about stray dogs, for example, can reveal what charities you might support. “You may not say much about your salary, but your ‘likes’ on brands or restaurants say a lot. Your daily routines and whereabouts can be deduced from your posts – especially if they’re geo-tagged,” says Maria Fasli, Director of the Institute for Analytics and Data Science, University of Essex.

And when it comes to email and messaging services, most of us blindly accept that this information is private. But privacy and the internet don’t go hand in hand. Just who, other than the intended recipient, will receive or have access to the information you provided? Will it be shared with other parties? Is it at risk of being used in ways you did not consent to?

Anita L. Allen, professor of law and philosophy at the University of Pennsylvania and a leading expert on privacy issues, says the core questions raised by misuse of the Internet are not new. “It goes way back to the general problem that people will use personal information that they can collect through surreptitious or open means to advance their interest at our expense. What is new is the ease with which information can be collected and shared, and the ease with which it can be maintained for indefinite periods of time.” So, if we know our online data, whether private or professional, can be misused, who is the negligent party? Are you to blame? The more fundamental question is not whether you own your personal data. The real question is whether you can control your personal data once it is out there.

Who owns your personal data and who controls your personal data?

There are definitely blurred lines when it comes to data ownership – and negligence. If you post your social security number online, it’s pretty clear that if something bad happens, you are the negligent party. But when it comes to other personal data shared or communicated, it’s not so black and white.

Way back in 2006, Kevin Werbach was already concerned about data ownership on third-party sites. “There’s a difference between putting information on a purely public site, like your own website that’s accessible to anyone in the world, and putting something on a site like Facebook, which is a controlled, private site available only to its members,” Werbach noted. “The question of who owns the information on these sites is a very interesting one. Most have policies saying they have ownership of anything posted there, but clearly that doesn’t give them leeway to do anything they want with that information. And they have privacy policies that impose limits on how they can use that data. But there’s no simple answer as to whether the information belongs to me or to the site.” And that was more than a decade ago.

Personal Data Security: How can we better protect ourselves?

In the early days of eCommerce, it was common for some people to have misgivings about entering their credit card into a website. What has taken a bit more time to emerge, however, is awareness of the Internet’s increasing threat to personal privacy.

Today, the technologies behind websites that collect data have become very sophisticated. But this is a little like when cars first appeared. People stepped into these hulking, loud and very fast fun machines, and there were no speed limits, no seatbelts, and not even a thought of an air bag. It took many tragedies to change laws and drive the development of safety technologies that keep us safe. When it comes to the Internet, we are basically speeding down the highway standing in the bed of a pick-up truck. It has been fun, but now is the time to think about the parameters that will keep us safe. We need digital seat belts and air bags to minimize the risk and misuse of our personal data.

Cybersecurity is a new HR benefit

Cybersecurity has traditionally been seen as a job for IT departments, and most employees assume it is simply a technical issue. But an examination of current threat types shows that social engineering attacks on employees are now a major concern for corporate security. Protecting employees from social engineering attacks means protecting the whole person, at work and at home. The challenge becomes the line between what is corporate and what is personal. Innovative Human Resources (HR) departments have a solution: cybersecurity can be a benefit offered to employees, not unlike health insurance. This new benefit further underlines HR’s important role in promoting a healthy corporate culture, cybersecurity included.

Cybersecurity – The role of HR in mitigating risk

It is estimated that cybercrime costs the global economy nearly $3 million per minute, with 27% of all cyberattacks resulting from employee errors. Many companies are aware that employees are the weakest link in an organization’s cybersecurity. Nine times out of ten, the error is unintentional. You might get the odd disgruntled employee, but more often than not, employee negligence is the primary source of data breaches. From falling for phishing to accidentally installing malicious apps and using unsecured networks, the variety and prevalence of cyber-traps grow daily. Even behaviors that seem trivial, such as shared passwords, lax BYOD habits, careless remote working, and leaving devices lying around, can lead to the loss of data or of large sums of money.

Since people are a key factor in many cybersecurity-related issues, HR should be involved in minimizing the risk. Why? HR is uniquely equipped to humanize and promote security within an organization. Whether through the onboarding process, security guidelines or employee education, the HR department can address the majority of cybersecurity threats, and your company will be much safer for it. “HR leaders can engage employees in recruitment, culture, and education to boost awareness and adoption of new policies to help IT teams develop a ‘human firewall’ for your organization, turning employees – your greatest security threat – into your greatest asset,” says Marcy Klipfel of Businessolver.

Some forward-thinking companies already employ the skills and insight of their HR teams to enhance risk mitigation. But as an individual’s digital footprint keeps growing like a ripple, and the lines between personal and business use of technology keep blurring, modern cybersecurity requires more than firewalls, antivirus and HR policies. If a business is serious about protecting itself and its employees, it is time to start thinking about offering cybersecurity as an HR benefit.

Cybersecurity as an HR benefit

We live in a digital era and, as such, it’s likely that most, if not all, of your employees have a digital footprint. This is normal. Daily, most of us engage in some form of online activity, such as photo sharing, online dating, banking, shopping, gaming, and social/professional networking. Like it or not, these all add to one’s digital footprint. And that’s not all. Others may post photos or information about us online. And then there are search engine histories, smart phone geolocation data, etc.

While an individual’s growing digital footprint, and the relentless tracking of their thoughts and data, might not seem like a problem to them, it can be exploited by those with malicious intent. What your employees do and say online, and how they use digital devices, can make them and your organization vulnerable to a range of security threats. Most attackers are just looking for that one right chance, and an employee’s online activities can create an ideal passageway into your company, with unintended or even catastrophic consequences.

Unplugging yourself or an employee from the rest of the world is not really an option. What is an option is for your company to help protect its employees while protecting itself. While it is a novel concept, data hygiene management should now be considered the newest employee benefit. As with a person’s health, when things go wrong, cybercrime can be very costly for the individual. Like health insurance, a cybersecurity benefit reduces the financial risk and gives peace of mind.

Future of cybersecurity

The biggest challenge for HR is explaining the threat of social engineering to individuals while not being perceived as “Big Brother.” Employees can be very wary of privacy, though at the same time may not be very aware of the vulnerability of their personal digital footprint. But everyone is susceptible to cyberattacks and the impact can be severe for both individuals and their employers. The perceived value of cybersecurity as an HR benefit will only increase with time – and with the preponderance of cybercrime. Prescient employers are making moves now to bolster their cybersecurity culture and offer a competitive benefit that will be attractive to employee candidates.

Social engineering: Opportunity makes the thief

It is understandable that, when cybercrime happens to you, you feel targeted. You might well be right. More often than not, however, you were not the original target at all; you simply presented the best opportunity to the criminal. In most cases, social engineering involves an opportunistic attack that does not, initially, target anyone in particular. Instead, attackers search broadly for weaknesses or vulnerabilities they can use to mount a more in-depth attack. If they snare a victim in their net, they then go to work.

It’s nothing personal

Unwanted messages and calls bombard nearly all of us on a regular basis. For most, these solicitations via junk mail, spam email and robocalls are just incredibly annoying, even a bit eye-rolling. Most of the time, we simply hit ignore, mark as spam, delete or toss the junk mail in the rubbish, knowing that these messages are most likely mass-market scams. Many people are surprised by the amount of junk or spam they receive, especially since so many of the scams are so obviously illegitimate. But the reason you still get emails from a Nigerian prince offering cash out of the blue in exchange for something is that people continue to fall for such stories. Not huge numbers, but a few. And that is all it takes to make a profit.

Opportunist attacks are not personalized to their victims and are usually sent to masses of people at the same time. They are akin to drift netters, casting their nets “out there” with ransomware, spyware or spam and seeing what comes back. The aim is to lure and trick an unsuspecting victim into giving up as much information as possible via SMS, email, WhatsApp and other messaging services, or phone calls. The motive is primarily financial gain. They just want money. They have no vendetta against a particular person or company. It is a virtually anonymous process.

Phishing scams: Opportunity makes the thief

The Nigerian prince story is at the lower end of the scale as a convincing narrative. However, the grammar errors and simplicity of these attacks are often intentional: they serve as a filter. They weed out the “smart” responders, refining the list so the scammers can target the remaining victims more strategically. But have you ever stopped to ask yourself why you got the email in the first place? Spam may be a fact of life, but you are probably getting unwanted attention because you have a wide personal “attack surface.”

Our digital footprint is more public than we would ever imagine. Every time we perform an online action, there is a chance we are contributing to the expansion of our digital footprint. So, while you and I might be aware that the Nigerian princes of the world are not genuine – more sophisticated and successful attacks are also in circulation. If you have a large and messy digital footprint, you are putting yourself on the opportunist radar and are in line to receive more refined and authentic looking queries.

Since cybercriminals are continuously devising clever ways to dupe us in our personal lives, it is just as easy to hoodwink employees into handing over valuable company data. In fact, according to Verizon’s Data Breach Digest, 74% of organizations in the United States have been victims of a successful phishing attack. Fraudsters know that the way to make a quick buck is not to spend months attempting to breach an organization’s security; it is simply to ask nicely for the information they want so they can walk right through the front door.

Opportunity amid a pandemic

Social engineering opportunists take advantage of exposed vulnerabilities, and the pandemic created ideal conditions for exploiting businesses. Less than a month into the pandemic, phishing emails spiked by over 600% as attackers sought to capitalize on the stress and uncertainty generated by Covid-19. Businesses forced into remote work became more susceptible to opportunists. The pandemic changed the attack surface. As researchers put it, “… security protocols have completely changed – firewalls, DLP, and network monitoring are no longer valid. Attackers now have far more access points to probe or exploit, with little-to-no security oversight.”

To mitigate risk, focus on both threat and vulnerability

The standard corporate security structure is optimized to handle specific, targeted attacks on corporate assets. Unfortunately, social engineering is often overlooked precisely because of its non-specific nature. Attack by opportunity only requires the unwitting cooperation of an employee who was never specifically targeted but self-selected simply by clicking a link.

Social engineering may even be more dangerous in our pandemic-driven distributed work environments. Corporate and personal spheres overlap more than ever and can provide social engineer opportunists more footholds into our confidential lives – both private and corporate. Both individuals and corporate security leaders will do well to shift greater focus on vulnerability reduction to provide less opportunity to social engineers.

Psychology is the social engineer’s best friend

Social engineering cyber-attacks have rocketed to the forefront of cyber-security risk and have wreaked havoc on large and small companies alike. Just as a Renaissance actor was drawn to Shakespeare’s genius, the modern social engineer is attracted to the ever-growing pool of information fed by data brokers. These criminals ply their trade by exploiting the vulnerabilities of an individual, using tactics known as phishing, baiting, scareware and tailgating, to name a few. What makes the social engineer unique is that their methods are designed to take advantage of common traits of human psychology.

Social engineers may simply send phishing emails to the target of their choice, or they may work to build a relationship with the target in person, through conversation, or even through spying. Most victims are guilty only of trust. Take the case of Barbara Corcoran, the Shark Tank judge. In 2020 she fell victim to an email impersonation scam: the attacker posed as her assistant and emailed her bookkeeper an invoice for the renovation of a real-estate investment, and the bookkeeper wired nearly 400,000 USD before the impersonation was noticed (the transfer was later intercepted and the money returned).

In order to combat social engineering, we must first understand the nuances of the interaction between social engineer and target. First and foremost, we must recognize that social engineering attacks are a kind of psychological scheme to exploit an individual through manipulation and persuasion. While many firms have tried to create technical barriers to social engineering attacks, they have not had much success. Why? Social engineering is more than a series of emails or impersonations. It includes intimate relationship building – the purposeful research and reconnaissance into a person’s life, feelings, thoughts, and culture. The doorway to social engineering success is not a firewall – it is the human response to stimuli. As such, we should analyze these attacks through a psychological lens.

In Human Cognition Through the Lens of Social Engineering Cyber Attacks, Rosana Montañez evaluates the four basic components of human cognition in psychology centered around information processing: perception, working memory, decision making, and action. Together, these pillars of cognitive processing influence each other and work together to drive and generate behavior. By way of example: when driving on a highway, you must first evaluate your surroundings. Where are the cars around you? Is there traffic ahead? What is the speed limit? Next, you use your working memory to pull information from past experience: last time there were no cars around you and you were below the speed limit, you were able to change lanes to go faster. With this information you now have a decision to make, and as the driver you perform the action of changing lanes.

In the context of cyber-attacks, social engineering is a form of behavioral manipulation. But how is the attacker able to reach into the complex system of cognition and change the action and behavior of the target? To dissect cognition further, Montañez considers how “these basic cognitive processes can be influenced, for better or worse, by a few important factors that are demonstrably relevant to cybersecurity.” These are defined as short-term and long-term factors, and they may be the opening that attackers leverage to strengthen the success of their attack. Short-term factors include workload and stress. Long-term factors include age, culture and job experience.

In a recent study, researchers evaluated phishing behavior and the likelihood that an employee would click a phishing link. Those who perceived their workload to be excessive were more likely to click. Cognitive workload causes individuals to filter out anything not associated with the primary task; because security is rarely the task at hand, its warning signs are more likely to be overlooked. This effect is known as inattentional blindness: it keeps a person from recognizing unanticipated events that are unrelated to the task they are focused on.

Stress may also weaken an employee’s ability to recognize the deceptive indicators present in cyber messages or phishing emails. Other factors, such as age, culture, domain knowledge and experience, also predict the likelihood of being deceived. As most would expect, more cyber-security knowledge and more experience in a given job reduce the risk of falling victim to a cyber-attack. Similarly, risk decreases with age thanks to job experience and accumulated cyber-security knowledge. Eventually, however, the effect of age and experience plateaus and then inverts, as seniors with less exposure to modern technology become vulnerable. Interestingly, the findings on gender and personality were inconclusive as predictors of susceptibility.

So how do we go about defending against cyber-attacks and improving the untrustworthy mind? The short answer is that we don’t. As the age-old security acronym PICNIC suggests, the Problem exists “In the Chair” and “Not In the Computer.” Across many studies and the experience of companies themselves, training methods that ask people to make conscious efforts to defend against social engineering attacks have been unsuccessful. If technological barriers don’t work and cognitive responses can’t be changed, then what is the answer? The solution requires addressing the condition that attracts the social engineer in the first place: data exposure. Companies that manage data exposure reduce the attack surface and thus take the psychological advantage away from the social engineer.

Ethan Saia

Ransomware: Stealing your data for fun and profit

Ransomware is a form of malicious cyberattack that uses malware to encrypt the files and data on your computer or mobile devices. As the name suggests, the cyber-criminals behind the malware then make demands for a ransom in order to release your data or access to your data.

Typically, you will be given instructions for payment and will in return be given a decryption key. The ransom amount may range from a couple of hundred to thousands of dollars, though you will most likely have to pay the cyber-fraudsters in cryptocurrency such as Bitcoin.

3 Types of Ransomware

Ransomware attacks range from mild to very serious. Here are the three types most often encountered:

Scareware

Contrary to its name, scareware may be the least scary of the three. It is a tech-support scam delivered through rogue security software: a pop-up on your screen claims the software has detected malware on your device and that you can only get rid of it by paying a fee.

If you do not pay, the same pop-up keeps appearing. But annoyance is usually the extent of the threat: your files are not encrypted and your device is not locked. The pop-up itself, however, typically comes from an unwanted program or browser extension that should still be removed.

Note that legitimate cyber-security software will never solicit its users in this way. Real security products don’t charge on a per-threat basis, and they would never ask for payment to remove a ransomware infection. After all, you already paid when you purchased the software. And logically speaking, if you never bought the software, how could it detect an infection on your device?

Screen Lockers

More of a real threat than scareware, screen lockers can lock you out of your PC entirely. On restart you may see a bogus, full-screen United States Department of Justice or FBI seal with a message.

The message states that “they” have detected some sort of illegal activity on your computer, and you must pay the penalty fine. It should go without saying that neither the FBI nor any other government entity will lock you out of your device and/or demand money to compensate for illegal activity. Real suspects of crimes, whether perpetrated online or not, will always be prosecuted through legal channels.

Encrypting Ransomware

Unlike the other two, this type lives up to the name: the criminals encrypt your files in place and demand a ransom if you ever want to see your data again.

What makes this variation so dangerous is that once your files are encrypted with a properly implemented cipher, no security software can restore them without the key; only a backup taken beforehand can. In theory, paying the ransom returns your data, but there are no guarantees. Once they have your data and your money, you have no leverage left. You can only hope the criminals are true to their word. It is not a good bet.

How does Ransomware Work?

One of the most common ways to deliver ransomware is a phishing email: the ransomware arrives as an attachment in a message masquerading as a trusted source, and once you open the attachment it takes over your computer. Some attachments come with social engineering tricks to get you to grant them administrative access. Not all ransomware needs a click, though. NotPetya, for example, spread through a compromised software update and then exploited unpatched SMB vulnerabilities and stolen credentials to move from machine to machine across networks.

There are several actions ransomware might perform, but the most common is to encrypt some or all of your files. A message on your screen tells you your files have been encrypted and that you can only decrypt them once you send an untraceable payment in cryptocurrency, usually Bitcoin. The only thing that can decrypt the data is the key, and that is in the possession of the criminal.

Another variation of ransomware attack is known as doxware or leakware. Here the attacker threatens to publicly release sensitive data found on your hard drive unless you pay. This used to be less common because finding sensitive data is labor-intensive for the criminal, but stealing data before encrypting it (“double extortion”) has since become routine, precisely because it removes the victim’s backup as leverage.

Who Can Be a Ransomware Target?

Ransomware attackers choose their victims, whether individuals or companies, in several ways. The combination of the right victim and the loosest security will often drive a criminal’s decision.

For example, attackers may target universities or colleges because these institutions tend to have weaker security controls. They also have a dispersed user base that relies heavily on file sharing, making it easier for attackers to penetrate the defenses.

In other instances, some large corporations or organizations are tempting targets because they may be more likely to pay a ransom. Medical facilities and government agencies, for example, need immediate access to their systems and files and cannot operate without their data.

Law firms and other organizations handling sensitive data may be more willing to pay to keep news of an attack on their network quiet. These are also the organizations most exposed to leakware, given the sensitivity of the information they hold.

However, even if you don’t fit any of the above categories, do not delude yourself. Some ransomware attacks are automatic and spread randomly without discrimination.

In Case You Are under Ransomware Attack

If you ever fall prey to a ransomware attack, the number one rule to remember is “Never Pay the Ransom.” This is also the advice endorsed by the FBI. Paying only encourages these criminals to launch further attacks against you or others, and it does not guarantee that you get a working key.

Does that mean you are stuck? Yes and no. You may still be able to decrypt or retrieve some of your files using free decryptors such as those published by Kaspersky or the No More Ransom project. However, many ransomware families use properly implemented encryption for which no decryptor exists. Worse, running the wrong decryptor can corrupt your files beyond recovery. Note the ransom message and the file extension exactly, since they identify the family, and seek an IT or security expert’s advice on what your next step should be.

An alternative is to run security software known for remediation, which will scan your computer and remove the ransomware. This is only a partial solution: it cleans the infection from your system, but it does not recover your locked or lost files.

A screen-locking attack often leaves little choice other than a full system restore. Before going that far, you can try scanning the computer from rescue media, such as a bootable USB drive or CD.

To thwart an attack in progress, stay vigilant. If your computer slows down for no apparent reason, or file names start changing in bulk, disconnect it from the network and shut it down. Once rebooted offline, the malware cannot receive commands from, or report to, its control server, which limits its ability to spread and to exfiltrate data. Be aware, though, that many families carry an embedded public key and can finish encrypting without ever contacting a server, so disconnecting limits the damage rather than guaranteeing a halt. At that point, use security software brought in on clean media and run a full scan to quarantine the threat.
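The paragraph above relies on a slow machine as the warning sign; what actually distinguishes encryption in progress is that many files are rewritten with high-entropy content, lose their format headers, or gain a new extension within a short window. The following Python check is an added example, not code from the original article or from Picnic. It models file-write events as (old path, old bytes, new path, new bytes) tuples, uses constructed sample files with a SHA-256 counter chain standing in for ciphertext, and the thresholds HIGH_ENTROPY and ENTROPY_JUMP, the burst threshold and the extension list are assumptions you would tune for your environment.

```python
import hashlib
import math
from collections import Counter
from typing import Optional

# Bits per byte above which content looks encrypted or compressed, and the
# minimum rise over the file's previous entropy before we call it a rewrite.
# Both are assumed tuning values, not figures from the article.
HIGH_ENTROPY = 7.5
ENTROPY_JUMP = 1.0
# Extensions commonly appended by ransomware families (constructed list).
SUSPECT_EXTENSIONS = (".locked", ".encrypted", ".crypt", ".enc")
# Magic headers of a few common document types.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip/office", b"\x89PNG": "png", b"{\\rtf": "rtf"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_type(data: bytes) -> Optional[str]:
    """Identify the file by its magic header; None for plain text or unknown formats."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess_change(path_before, data_before, path_after, data_after):
    """Reasons why one file write looks like encryption in place; empty list if benign."""
    reasons = []
    if path_after.lower().endswith(SUSPECT_EXTENSIONS) and not (
        path_before or ""
    ).lower().endswith(SUSPECT_EXTENSIONS):
        reasons.append("ransom-style extension")
    if data_before is None:
        return reasons  # newly created file: no prior content to compare against
    e0, e1 = shannon_entropy(data_before), shannon_entropy(data_after)
    if e1 >= HIGH_ENTROPY and e1 - e0 >= ENTROPY_JUMP:
        reasons.append(f"entropy jump {e0:.2f}->{e1:.2f}")
    t0, t1 = file_type(data_before), file_type(data_after)
    if t0 is not None and t1 != t0:
        reasons.append(f"{t0} header gone")
    return reasons


def scan_events(events, burst_threshold=3):
    """Run assess_change over file-write events; alert when enough files trip at once."""
    suspicious = {}
    for before_path, before_data, after_path, after_data in events:
        reasons = assess_change(before_path, before_data, after_path, after_data)
        if reasons:
            suspicious[after_path] = reasons
    return {"suspicious": suspicious, "alert": len(suspicious) >= burst_threshold}


def fake_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (SHA-256 counter chain)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sample files and write events, not real captures.
TEXT = b"Quarterly report: revenue grew eight percent on stronger services demand. " * 30
PDF = b"%PDF-1.7\n" + TEXT
PNG = b"\x89PNG\r\n\x1a\n" + fake_ciphertext(b"png", 2000)  # already-compressed image data

SAMPLE_EVENTS = [
    ("Q3-report.txt", TEXT, "Q3-report.txt.locked", fake_ciphertext(b"a", 4096)),
    ("invoice.pdf", PDF, "invoice.pdf", fake_ciphertext(b"b", 4096)),
    ("contract.pdf", PDF, "contract.pdf.locked", fake_ciphertext(b"c", 4096)),
    ("logo.png", PNG, "logo.png", PNG),                                   # untouched
    ("notes.txt", TEXT, "notes.txt", TEXT + b"\nfollow up Monday"),       # ordinary edit
    (None, None, "backup.zip", b"PK\x03\x04" + fake_ciphertext(b"d", 3000)),  # new archive
]

if __name__ == "__main__":
    result = scan_events(SAMPLE_EVENTS)
    for path, reasons in result["suspicious"].items():
        print(path, reasons)
    print("ALERT: possible encryption in progress" if result["alert"] else "no alert")
```

The edited text file and the freshly created archive do not trip the check, while the three rewritten documents do, and three suspicious writes reach the burst threshold and raise the alert. In a real deployment the events would come from a file-system audit feed, and the response on alert would be to isolate the host, not merely to print.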

Specific Steps for Ransomware Removal

If your computer comes under a ransomware attack, you must regain access to and control of your device. Here are some simple steps to follow, depending on whether you use Windows, MacOS, or a mobile device.

Windows 10 Users

  • Reboot your PC in safe mode
  • Install anti-malware software
  • Scan your system to detect the ransomware file
  • Restore your system to a previous state

MacOS

In the past, the rumor was that Macs were “unhackable” thanks to their architecture. Sadly, this is not the case. Criminals dropped the first ransomware bomb on MacOS in 2016 with KeRanger. It was bundled into a trojanized installer of the Transmission BitTorrent client; once launched, it copied its malicious files and ran covertly in the background, and after three days of this stealth operation it encrypted the user’s files.

Apple responded by revoking the certificate used to sign the infected installer and pushing a signature update to XProtect, the malware blocker built into MacOS. The lesson learned was that Mac ransomware is not theoretical anymore. However, Mac users remain reliant on Apple to respond when problems occur.

Mobile Ransomware

Ransomware became a common threat on mobile devices around 2014, riding on the success of CryptoLocker on PCs. On phones, the usual delivery method is a malicious app, typically installed from outside the official app store. Typical mobile ransomware displays a message that your smartphone has been locked because of illegal activity and that you must pay to unlock it. If you fall prey to such malware, boot the phone in safe mode and uninstall the malicious app to regain control.

How to Prevent Ransomware?

You can take several defensive measures that not only help prevent ransomware attacks but other social engineering attacks as well.

  • Keep your operating system, applications and security software up to date and patched. This simple practice closes many of the vulnerabilities ransomware exploits.
  • Do not install any software or grant it any administrative rights unless you are sure about what it does with those privileges.
  • Install an antivirus program to detect malicious programs (and apps) in real time. A good antivirus may also offer an allow-list (whitelist) feature, letting only trusted software execute automatically and blocking unauthorized software from running in the first place.
  • Last but not least, back up your files automatically and frequently (preferably to the cloud), and keep at least one copy offline or otherwise immutable so the ransomware cannot encrypt or delete the backup too. Backups won’t prevent an attack, but they contain the damage and prevent permanent loss of your files.

In any event, if you are not a tech-savvy individual or company, seek advice from IT and cyber-security experts in your area. The best experts are up to date on currently active ransomware as well as the security software you should be using.

Social engineering in the workplace

Everyone is familiar with the case in which the proverbial “little old lady” is duped out of her life savings by a villain contacting her by phone or email. The “Nigerian Scam” or “Advance-fee Scam” is one such classic you may know: the victim is offered a large sum of money on the condition that they help the scammer transfer money out of their country.

The problem is that just knowing about these classic scenarios gives most people a false sense of security. The thought is, “It would never happen to me!” The first problem with this is that there are many types of these sorts of social engineering attacks that may not be so easy to recognize. The second problem is that most think this only happens at home.

In this article we will refresh our understanding of social engineering. We will review the currently known shapes and sizes of such attacks with a special focus on how they are used on employees in the workplace.

Social engineering: A review

Social engineering is a term that encompasses a broad spectrum of malicious activities. The common, defining attribute is the exploitation of the one weakness every person and organization has: human psychology. Instead of relying on programming and code, social engineering attackers use phone calls, e-mails and other methods of communication as their main weapon. They trick victims into willingly handing over either personal information or an organization’s proprietary secrets and sensitive data.

Let’s focus on the seven most common social engineering attacks.

1.     Phishing

Phishing is one of the most common techniques. In most cases phishing uses fake forms and websites to steal users’ personal data and login credentials. A phishing attempt commonly tries to accomplish one of three things:

  • Obtain sensitive and personal information such as names, date of birth, addresses, debit or credit card number, and Social Security Numbers.
  • Redirect users to malicious websites by creating misleading and shortened links and hosting a phishing landing page.
  • Incorporate fear, threats, and a sense of urgency to manipulate users into responding quickly without thinking rationally.

2.     Pretexting

As the name implies, in this social engineering attack, the fraudsters focus on creating a fabricated scenario or a good “pretext.” In a basic attack, the scammer typically claims they need certain information from you to confirm your identity. Once obtained, this information becomes the key to stealing your more personal data and/or to stage secondary attacks such as full identity theft.

In advanced pretexting, the target may be corporate. The key piece of information obtained may help them either exploit or abuse a company’s physical or digital weakness. For example, a cyber-fraudster may impersonate a third-party IT auditor and convince the targeted organization’s security team to grant them entrance into a secure building.

Pretexting fraudsters often masquerade as employees, such as HR or finance personnel. Such disguises help them access and target C-level executives. Verizon reported similar findings in its DBIR in 2019.

3.     Baiting

Baiting is somewhat similar to a phishing attack but is distinguished by the fraudster’s promise to give away an item or prize. Often the bait may be as simple as free movie or music downloads, but it will require the victim to hand over login credentials.

That’s not to say that baiting is strictly an online phenomenon. Baiters will use physical media when required. In July 2018, KrebsOnSecurity reported on a baiting attack campaign that was targeting local and state-level government agencies within the United States. The attackers sent out envelopes postmarked from China that contained a compact disc (CD) along with a confusing letter. The idea was to exploit victims’ curiosity and have them insert the CD, which contained malware that would infect their computer system.

4.     Quid pro quo

A quid pro quo attack is similar to baiting but whereas baiting promises goods, quid pro quo promises services. As an example, in recent years fraudsters impersonated the United States Social Security Administration. They contacted the targets, informed them there was an error in the system, and then claimed they needed the victims to confirm their Social Security Numbers. The ultimate goal was identity fraud using these credentials.

5.     Tailgating

Tailgating (also known as piggybacking) involves someone without proper authorization following authorized personnel into a restricted area. Often the attacker may impersonate a delivery person and wait outside the target destination. When an unsuspecting employee gains access and opens the door to get in, the attacker asks them to hold the door for them as well. This type of social engineering attack mostly targets mid-size enterprises, as most large companies use keycards for building access.

6.     Watering hole

Just as animal predators wait by their prey’s favorite watering hole, cybercriminals target websites that may be popular with a target demographic in order to attack such visitors. If, for example, someone wanted to target financial services professionals, they might inject a popular financial site with malicious code. Merely visiting the site would compromise the website visitors’ browsers with code that could monitor the activities or even reach deeper into the system and control computer microphones and cameras.

7.     Vishing

Sometimes known as voice phishing, vishing is a type of attack in which a fraudster uses advanced IVR (interactive voice response) software on a standard telephone to entice you into repeating your confidential information on a recorded line. Vishing is not only about requesting your data; it also records your voice to overcome any voice-activated defenses that you may have access to within your company or for any services.

A common attack technique used along with IVR is to prompt the victim to provide passwords and PINs. Each time the victim enters a password or PIN, the system reports it as an incorrect attempt. This causes the victim to panic and try several of their personal passwords, which the attackers harvest and exploit later.

Ways to Recognize a Social Engineering Attack

A social engineering “ask” is often recognizable as one of the following:

Someone asking for assistance

Social engineers are good at using language that instills fear and a sense of urgency in you. The idea will be to rush you into performing an action with no time to think rationally. For example, someone who is urging you to carry out a wire transfer might be a scammer or hacker. Stop, think, and ensure that you will be conducting a legitimate transaction.

Asking for donations

Cyber fraudsters like to exploit your emotions and generosity by asking for donations for a charitable cause over the phone or through emails. They will also give you instructions on how you can send your donation to the hacker’s account. These social engineers may first research social media to learn the types of causes you support to better find a leveraging point.

Asking for information verification

Another notorious tactic that social engineers use is to present a problem that you can solve only by verifying your information. Often the “solution” requires you to fill in an online form asking for your personal information. The messages and form may look legitimate, with all the correct branding and logos, but the moment you enter your information, it goes straight to the social engineers.

Prevention from social engineering

There are five primary ways to avoid falling for a social engineering attack:

Know your crown jewels

Learn the specific pieces of information, personal or corporate, that might be valuable to a social engineer or a hacker. Think of this information as the crown jewels. Identifying sensitive information allows you to set up walls to protect it.

In any corporate environment, the specific “crown jewels” may differ by department or person. Legal, IT and Finance may all have specific areas or sensitive data that others in the company may not have access to or even know about. This means social engineering protection applies to everyone.

Verify identities

Email hacking is a common threat that either imitates or takes control of legitimate email accounts. For example, if you receive an unexpected request to take action online, ensure that the person you are dealing with is legitimate by calling that person and confirming that they sent you the email message in question.

Slow down

Social engineers will go to extreme lengths to instill panic, fear, and a sense of urgency in you. Never let anyone rush you or prevent you from taking the time to consider carefully. Treat any effort to push you to act quickly as a potential red flag.

Verify before you click

If you see a shortened link, such as a bit.ly link, be wary. Such links are often used as carriers of malicious URLs or malware. To verify whether the link is legitimate, check it using a link expander, which reveals the real destination without you visiting it. Search Google for “link expander” to find many resources that are easy to use.

Education

The most crucial and effective preventive measure is subject matter knowledge. Continue to educate yourself on current malicious tactics – they are always changing. If you are a business owner, educate your employees on social engineering threats. The health of your business may depend on it.

A closer look at phishing attacks

Cyber fraud is lurking everywhere across the internet, and one of the most effective tactics against victims is “phishing.” Phishing is a term for the use of disguised and misleading emails, texts, and instant messages to trick recipients into believing that they are receiving a message from a trusted source. By posing as a bank, employer, or government authority, the attackers steal personal information and data such as login credentials, Social Security numbers, credit card details, etc.

Phishing attacks can seem innocuous on the surface. An attack might look like a simple email message from the recipient’s company asking them to click on a link or download an attachment. However, when the link is clicked, the user is taken to a fake website where they are asked to take some action, like entering their credentials. Often the “ask” is to download an innocent-looking file which may actually install spyware or malware on their computer.

History and prevalence

Phishing is not a new phenomenon. One of the oldest and most common types of cyberattack, it can be traced back to the 1990s. Over time, users may have become savvier, but phishing messages have become more sophisticated and authentic in presentation. According to Verizon’s Data Breach Report, almost one-third of all data breaches in 2019 were a result of phishing attacks. Ultimately, its proliferation is the result of human trust – something that can be a challenge to firewall.

Phishing attack intent

Most commonly, an attacker will replicate an email that will look like an authentic email from a trusted source. The more convincing the disguise, the more likely they are to succeed. In tandem, the attacker will set up website landing pages that mimic a website that the victim trusts.

The intent is to get recipients of their messages to do one of two things:

Surrender sensitive information

Your personal information is literally the key to riches for phishing criminals. In many cases, attackers simply want your money. How do they get it? They lure you to a false landing page that looks like something your bank may host. If you “sign in” to your bank account in this case, you are really just handing over your bank account credentials to the attacker. Once they have them, it’s game over. They can go directly to your real account and empty it immediately. Millions of such emails are sent annually to would-be victims.

Keep in mind, it is not always just about money from private citizens. The same process is often used at the corporate level to acquire sensitive documents – ideas, financial documentation, legal documentation, product specifications, etc.

Download malware

Malware is all about taking control of the host’s computer for nefarious purposes, and phishing is the preferred method for malware infections.

A typical malware injection scenario may resemble the following path: the phishing attacker imitates a company’s HR department and asks the targeted recipient to download an important form or document, such as a job seeker’s resume. This attachment is typically a zip file or a Microsoft Word document with embedded malicious code. In most cases this will be ransomware, code that takes control of the victim’s computer in some debilitating fashion until the user pays the hackers to unlock it. According to a report, 93% of phishing attacks had ransomware attachments.

Types of phishing attacks

There are many types of phishing attacks, and they all have colorful names – but they are all dangerous. Some of the most common:

Spear phishing

Whereas most phishing targets a wide range of victims, spear phishing is focused on defrauding a specific individual. Metaphorically, instead of casting a net or dropping a hook to see who takes the bait, the attacker focuses the attack in a personalized way.

Often targeted victim information is gathered through social media sites such as Facebook and LinkedIn. With this specific personal information, the attacker uses spoof email addresses and sends messages that appear to be coming from a trusted source, such as a friend, family member, employer or a co-worker.

For example, a spear-phishing fraudster may target an employee working in the finance department and pretend to be the department’s manager requesting the employee quickly transfer a large sum of money to an account.
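The spoofed-sender scenario above can be checked mechanically on the receiving side. The following Python example is an added illustration, not Picnic’s or SLNT’s code; the internal domain, the protected display name and the sample message are all constructed for the example. It parses a raw message with the standard library’s email module and reports the indicators a defender would look for: an executive’s display name on an external address, a look-alike sender domain, a Reply-To that quietly routes replies elsewhere, and the urgency cues described in the text.

```python
"""
Sender-spoofing indicators for an inbound e-mail.
Added illustration (not Picnic's or SLNT's code). The internal domain,
protected display names and the sample message are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed organisational context: our own domain and the display names
# an attacker is most likely to impersonate (for example the finance manager).
INTERNAL_DOMAIN = "example-corp.com"
PROTECTED_NAMES = {"jane doe"}

# Constructed sample: a finance employee receives a "wire transfer" request
# from a domain that is one character away from the real one.
SAMPLE_MESSAGE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@freemail.example
To: accounts@example-corp.com
Subject: URGENT wire transfer needed today

Please transfer $48,000 to the account in the attached invoice before 5pm.
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoofing_indicators(raw_message: str) -> list[str]:
    """Return human-readable findings for a raw RFC 822 message (empty = clean)."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. A protected display name used with an address that is not ours.
    if from_name.strip().lower() in PROTECTED_NAMES and from_domain != INTERNAL_DOMAIN:
        findings.append(f"display name '{from_name}' used with external domain {from_domain}")

    # 2. A sender domain within two edits of ours (examp1e-corp vs example-corp).
    if from_domain != INTERNAL_DOMAIN and 0 < edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Replies silently routed to a domain other than the visible sender's.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Urgency language in the subject, the pressure tactic described above.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in ("urgent", "immediately", "today", "asap")):
        findings.append("urgency cue in subject line")

    return findings


if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE_MESSAGE):
        print("-", finding)
```

None of these indicators proves fraud on its own; the value is in surfacing them to the recipient, or to a mail gateway, before the wire transfer is made, so that the out-of-band phone call recommended later in this article actually happens.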

Whale phishing

Whale phishing, also known as whaling, is a type of spear phishing that targets high-value individuals, company board members or CEOs. These targets have authority within their organization as well as access to important data.

Being an executive doesn’t mean you are not vulnerable. Note that most board members are not full-time employees, so they often use their personal email addresses for official or business-related correspondence. Personal email accounts are more susceptible to phishing attacks because they may not provide the same protection offered by a corporate email system. While whaling is a more time-consuming and sophisticated activity than other cyberattacks, if successful, it can reap big rewards for hackers.

Clone phishing

Clone Phishing employs a higher degree of disguise as it uses the content of an actual, legitimate email that contained a link or an attachment and was previously delivered to the victims.

After the attackers create the clone email, they replace the link or attachment with a malicious version or source and send it using a spoofed email address, impersonating an original sender.

These clone phishing messages may claim to be an updated version of the original email or the company resending the original email.

Filter evasion

Here, cyber attackers use images instead of words to make these phishing messages harder to detect with anti-phishing filters. However, more sophisticated filters can identify and recover hidden text within a malicious image using optical character recognition (OCR).

Website forgery

Website forgery uses JavaScript to alter the website’s address bar in order to lead users to malicious websites. Attackers place an image of a legitimate URL over the fake website’s address bar.

Phishing attackers use potential flaws within trusted websites’ scripts against the victims. Such attacks are difficult for a common user to spot without a specialist’s help.

Covert redirect

Covert redirect is where a link appears to be legitimate but takes the victim to the attacker’s website. Typically, victims get an error message during log-in and the site asks them to enter their username and password again.

This type of phishing attack may also redirect the victims to fake websites covertly using malicious browser extensions. Attentive users will notice the malicious URL will be slightly different from the trusted URL.

Voice phishing

Fake websites, fake messages, malicious links, and attachments are not the only phishing attacks plaguing us. Voice phishing uses fake caller IDs that appear legitimate. These calls will ask you to dial a number to discuss an issue related to your bank account. Once you dial the number, it will ask you to enter your card details, your account number and your PIN code to verify your identity. Once you do that, the phone disconnects, and the attackers have your details.

Tabnabbing

Tabnabbing is another technique that takes advantage of multiple open tabs in a victim’s browser. The technique is to silently load a fake web page into an already open tab while the user is trying to reach a legitimate website. The user mistakenly takes the fake page for the original and ends up handing information to the hackers.

Protect yourself from phishing

The best way to protect yourself from phishing attacks is research. Google the terms above and, by looking at samples, familiarize yourself with the hallmarks of fraud, as well as how to verify that you are on a legitimate website.

Some quick tips:

  • Check website URLs for spelling mistakes, especially if the link is mentioned in an email asking for sensitive information.
  • Be cautious about URL redirects. Links that send you to a different website than the one you expected might be a phishing attack.
  • If you have any doubts that the email may not be from the original source, contact them to confirm if they have sent you any message whatsoever.
  • Do not post personal information, such as birthdays, home addresses, and phone numbers on social media. Always set your privacy settings to the highest level possible.
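The “verify before you click” advice and the URL tips above can be automated for links in an email body, which is what a link expander or a mail filter does under the hood. The following Python example is an added illustration, not Picnic’s or SLNT’s code; the trusted domain and the sample HTML are constructed for the example, while the shortener hosts listed are real public services. It extracts every anchor from the message, then flags shortened links, internationalised (punycode) host names, a trusted name buried as a subdomain of some other domain, and anchor text that displays one URL while the href points somewhere else (the “slightly different URL” hallmark of covert redirects).

```python
"""
Link inspection for an HTML e-mail body: shortener, punycode, buried-brand
and text/href mismatch checks. Added illustration (not Picnic's or SLNT's
code). TRUSTED_DOMAINS and SAMPLE_HTML are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the one site this organisation expects account links to use.
TRUSTED_DOMAINS = {"example-bank.com"}
# Real public URL shorteners; a shortened link hides its true destination.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Constructed sample message with three suspicious links. The punycode host is
# a placeholder shape, not a real domain.
SAMPLE_HTML = """\
<p>Your account is locked. <a href="https://bit.ly/3xyzAbc">Click here</a> to
restore access, or go to <a href="http://example-bank.com.secure-login.example/reset">
https://example-bank.com/reset</a>. Need help? <a href="https://xn--exmple-bank-cmb.com">
support</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name; adequate for the .com-style names used here."""
    return ".".join(host.lower().split(".")[-2:])


def inspect_link(href: str, text: str) -> list[str]:
    """Return the reasons a single link deserves suspicion (empty = nothing found)."""
    host = (urlparse(href).hostname or "").lower()
    reasons = []
    if host in KNOWN_SHORTENERS:
        reasons.append("shortened link hides the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) host name")
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in host:  # brand name used as a subdomain of another domain
                reasons.append(f"'{trusted}' appears inside untrusted host {host}")
    if text.startswith(("http://", "https://")):
        shown = urlparse(text).hostname or ""
        if registrable_domain(shown) != reg:
            reasons.append(f"link text shows {shown} but href goes to {host}")
    return reasons


def suspicious_links(html: str) -> list[tuple[str, list[str]]]:
    """Return [(href, reasons)] for every link in the body that raised a reason."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = inspect_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML):
        print(href)
        for reason in reasons:
            print("   -", reason)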

Be cautious

Phishing attacks are a common and ever-present threat. Keep your security tight and never share personal details over email, phone, or in a message. You never know when you are exposing yourself to cyber attackers out there.