Social engineering: How oversharing information can lead to disaster online
Many of us trade personal convenience for security when it comes to using technology. Steve Ragan outlines how social engineers use key information to exploit victims with phishing campaigns and through other attack vectors
By Steve Ragan , Staff Writer
October 24, 2013 — CSO — (NCSAM) — Criminals use a variety of tools and tactics when selecting victims and conducting attacks. But information is the key to any malicious campaign, and the more personal it is, the more value it holds. When one goes about their daily life online, how much information is too much, and what should be protected?
The topic of privacy is often interwoven with security, especially when it comes to awareness programs and operational security (OpSec). Online, it's hard not to share information, because inevitably you'll leave pieces of data about yourself behind as you surf the Web. Some of the information left behind you can control. Some of it you cannot, but OpSec in the context of privacy deals with the types of information you can control directly.
Recently, in a post on ITworld, privacy expert Dan Tynan discussed how Box.com allowed a complete stranger to delete his files. However, while the story discusses the risks of trusting sensitive information to the Cloud, Tynan raised his own risk profile by sharing information that may seem harmless and useless at first glance, but acts like a target to criminals on the hunt.
Last month, the CSO editorial staff was targeted by a phishing campaign. We covered the details of the incident here and here, but the interesting thing behind it was how focused it was, and how the use of a spoofed domain allowed it to bypass the company's spam filter.
Earlier this month, the same thing happened again. An email claiming to be from a Xerox WorkCentre sent a .ZIP file to each of the CSO editors, and it was promptly ignored. The scam was simple: it claimed to be a scan from the Xerox machine, and offered us our newly scanned document in the form of an attachment. One of the key reasons the message was ignored was the attachment itself, but the fact that it was addressed to CXO Media addresses that didn't exist only added to its fishy nature. As was the case in September, this email also leveraged aexp.com to bypass our spam filters, taking advantage of the fact that American Express is a commonly whitelisted domain.
In both cases, the spammers were able to target the CSO editorial team, as well as our primary domain, by harvesting publicly available information. Each CSO author has an author page, with our company email, as well as links to our social media profiles. This allows anyone to gather our contact information, but it also reveals the corporate domain name and the company naming convention. The two phishing attacks that bypassed our spam filters used legitimate email addresses, which can easily be taken from our author pages, alongside other false addresses on the CXO.com domain, generated with dictionary words.
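The two weaknesses described above (a spam filter that trusts a whitelisted sender domain on the strength of the From header alone, and messages addressed to mailboxes that do not exist) can both be caught at the mail gateway. The following Python triage routine is an added example, not code from CSO or from the article; the allowlist, the `cxo.example` directory, and both sample messages (including their Authentication-Results headers) are constructed for illustration. It only honours an allowlisted domain when the receiving MTA recorded an SPF or DKIM pass for it, flags a mismatch between the envelope sender and the From domain, and reports recipients that are not in the directory.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed allowlist and mailbox directory (hypothetical values, not from the article).
ALLOWLIST = {"aexp.com"}
KNOWN_MAILBOXES = {"editor1@cxo.example", "editor2@cxo.example"}

# Constructed sample: From claims an allowlisted domain, but the receiving MTA recorded an
# SPF failure and no DKIM signature, the bounce address is elsewhere, and one recipient
# ("marketing@") looks like a dictionary-word guess at the naming convention.
SPOOFED_MSG = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.cxo.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Xerox WorkCentre" <scanner@aexp.com>
To: editor1@cxo.example, editor2@cxo.example, marketing@cxo.example
Subject: Scanned document from Xerox WorkCentre
Content-Type: text/plain

Please find your scanned document attached.
"""

# Constructed sample of a message that should pass: authenticated and addressed to a real mailbox.
LEGIT_MSG = """\
Return-Path: <alerts@aexp.com>
Authentication-Results: mx.cxo.example; spf=pass smtp.mailfrom=aexp.com; dkim=pass header.d=aexp.com
From: "Account Alerts" <alerts@aexp.com>
To: editor1@cxo.example
Subject: Your statement is ready
Content-Type: text/plain

Your monthly statement is available.
"""


def parse_auth_results(value):
    """Return {'spf': 'fail', 'dkim': 'none', ...} from an Authentication-Results header.
    The first clause is the authserv-id and is skipped."""
    results = {}
    for clause in value.split(";")[1:]:
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause.strip())
        if m:
            results[m.group(1)] = m.group(2)
    return results


def domain_of(header_value):
    """Lower-cased domain part of the first address in a header value, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw, allowlist, known_mailboxes):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    # An allowlist entry must be keyed on an authenticated domain, never on the bare From header.
    if from_domain in allowlist:
        if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
            findings.append(f"allowlisted From domain {from_domain} without SPF/DKIM pass")
        if envelope_domain and envelope_domain != from_domain:
            findings.append(f"envelope sender {envelope_domain} does not match From {from_domain}")

    # Recipients that do not exist in the directory are a sign of guessed addresses.
    recipients = []
    for hdr in msg.get_all("To", []) + msg.get_all("Cc", []):
        recipients.extend(a.addr_spec.lower() for a in hdr.addresses)
    unknown = [r for r in recipients if r not in known_mailboxes]
    if unknown:
        findings.append(f"{len(unknown)} recipient(s) not in directory: {', '.join(unknown)}")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(label, triage(raw, ALLOWLIST, KNOWN_MAILBOXES) or ["clean"])
```

In production the Authentication-Results header must come from your own gateway (strip any copy supplied by the sender before evaluating it), and the unknown-recipient check is most useful as a score input rather than a hard block, since a single mistyped address should not quarantine a legitimate message.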