By Susan Bradley (sbradley), Contributing Writer

How cybercriminals use public online and offline data to target employees

Feature | Sep 28, 2022 | 6 mins | Phishing, Social Engineering

A LinkedIn post about getting a new job turned into a potential phishing scam. Similar incidents are more common than you might think.


We post our daily lives to social media and think nothing of making key details about our lives public. We need to reconsider what we share online and how attackers can use this information to target businesses. Your firm’s security may be one text message away from a breach.

How and why attackers target new employees

Consider a firm that onboards a new intern and provides them with keys to the office building, logins to the network, and an email address. It’s normal for employees to also have a personal email account and cellphone. Depending on the size of the firm, if you use multifactor authentication, you also deploy two-factor tokens or authenticator applications to their cellphones, or provide them with a work phone. The first few days on the job can be hectic, with a lot of new technology to deal with. It can be overwhelming and stressful, as the eager new hire wants to settle into the job and be accommodating.

It’s also a time that attackers try to take advantage of. They look for eager workers trying to please their new bosses. The other day, my firm experienced first-hand how these attackers go after new hires as they settle into the corporate environment. The emails started innocently enough: an email from someone asking the intern to assist them with a project that had a deadline. The sender claimed to be in a closed-door meeting and needed a task completed swiftly. The email ended by asking the intern to “Kindly forward your mobile cell number as soon as possible.”


How do attackers learn about new employees? They start with the tools we use to connect in business, which makes the phish more personal. By monitoring business sites such as LinkedIn, the attackers made the connection between a newly hired accounting intern and a partner at my office. They built the email to look as if it came from the partner asking the intern for help. Once again, they asked the intern to provide a cellphone number so they could follow up by text message.

Three times these emails came into our business mailboxes, and none was classified as junk or flagged as a phishing lure by our mail filtering tools. The email didn’t contain enough triggers, so it passed cleanly through all the email protections and endpoint detection and response (EDR) measures we have in place.
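The lure above has two traits a mail filter can act on even when there is no link or attachment to score: the display name matches a senior person but the sending address does not, and the wording of the request itself. The following Python is an added example, not the article’s own filtering or any product’s rule; the executive directory, the internal domain, and both sample messages are constructed for the illustration.

```python
"""Flag executive display-name impersonation combined with the request
language of a "send me your cell number" lure.  Added example; the
directory, domains and messages below are constructed, not real data."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory: senior staff display names and the one address
# each is allowed to send from.  A real deployment would pull this from
# the identity directory rather than hard-coding it.
EXECUTIVES = {
    "jane partner": "jane.partner@example.com",
}
INTERNAL_DOMAINS = {"example.com"}

# Phrases from the lure described in the article, plus generic urgency cues.
LURE_PATTERNS = [
    (r"\bkindly\b.*\b(mobile|cell)\b.*\bnumber\b", "asks for a mobile number"),
    (r"\bclosed[- ]door meeting\b", "claims to be unreachable in a meeting"),
    (r"\bas soon as possible\b|\burgent(ly)?\b", "applies time pressure"),
]


def _normalize(name):
    return " ".join(name.lower().split())


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    # Collect every text/plain part; works for single-part and multipart mail.
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode("utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message):
    """Return {'verdict': ..., 'findings': [...]} for one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. Display name matches an executive, but the address is not theirs
    #    (covers both external mailboxes and lookalike domains).
    key = _normalize(name)
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. From looks internal, yet replies would leave the organisation.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(addr) in INTERNAL_DOMAINS and _domain(reply_to) not in INTERNAL_DOMAINS:
        findings.append(f"internal From but external Reply-To {reply_to}")

    # 3. Lure language anywhere in subject or body.
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    lure_hits = [label for pattern, label in LURE_PATTERNS if re.search(pattern, text, re.S)]
    findings.extend(lure_hits)

    identity_issue = len(findings) > len(lure_hits)
    if identity_issue and lure_hits:
        verdict = "quarantine"
    elif identity_issue or len(lure_hits) >= 2:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "findings": findings}


# Constructed samples: the lure as described, and an ordinary internal request.
SAMPLE_PHISH = """\
From: Jane Partner <jane.partner@mail.example.net>
To: intern@example.com
Subject: Quick task

I am in a closed-door meeting and need a task completed swiftly.
Kindly forward your mobile cell number as soon as possible.
"""

SAMPLE_LEGIT = """\
From: Jane Partner <jane.partner@example.com>
To: intern@example.com
Subject: Reconciliation spreadsheet

When you have a moment, could you send me the updated reconciliation spreadsheet? Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw))
```

The identity check is deliberately independent of the wording check: a message that only impersonates a partner, or only uses pushy language, goes to review rather than quarantine, so the rule does not block the partner’s genuine “please call me” mail while still stopping the combination the article describes.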

Attackers targeted Uber, Twilio employees

The recent Uber breach was apparently triggered when an attacker tricked an admin into approving a fake multifactor authentication (MFA) request. The attacker contacted the admin over WhatsApp and supplied extra information to gain their trust and get the MFA request approved. It’s unclear whether the attacker used social media tools to gain that information, targeted the admin specifically, or simply got lucky.

Twilio recently shared that attackers targeted its employees and were able to match employee names from public sources with their phone numbers. Using publicly available databases, the attackers built a one-to-one mapping of names to numbers and used it to direct the attacks.

How to mitigate social media-enabled attacks

Rachel Tobac of SocialProof Security confirmed on Twitter that attackers are using business tools to target both larger entities as well as small- to medium-sized enterprises. She recommended that firms no longer list or connect to new hires on LinkedIn and use data-removal services to pull information out of databases maintained by LinkedIn and others.

Having been on the receiving end of data-removal requests, I have found that removal requests might expose more information than was in the database in the first place. A site might only have email addresses, but the data-removal request exposes the user’s full name as well. Consider the reputation of the sites and their track record of data removal. So much information is now online and buried in so many locations that I’m not convinced that we can truly scrub ourselves from the web.

As you onboard new employees, make them aware of these types of attacks and the risks to the firm. Urge new hires not to post about their new jobs or roles, or to limit such posts to trusted connections. Employees should know exactly what communication from the firm will look like and which channels will be used. Have your information security team prepare “what if” tabletop exercises to ensure that staff know how to respond appropriately to security prompts such as unexpected MFA approvals. Make them aware that attackers may target anyone in the firm to gain access.

Attackers use data shared in the real world, too

Sharing too much personal information is not just an online problem. Even driving around in our cars we expose a great deal of information. Have a bumper sticker on your car showcasing that your child is on the honor roll? You just broadcast where your children attend school. Got a personalized plate? It’s easier for someone to remember if they want to track you or your car. Got a sticker on your car showing that you ski or pursue another expensive sport? You may be showcasing that you have expensive equipment in your car or your home, and that you are often away from the house on weekends. Have a parking pass or other identification sticker on your car that identifies where you work? Consider how much your car reveals about who you are and what you do to someone trying to target your firm.

Too often in technology we are conditioned to go around barriers as best as we can to get the job done. This sets users up to fall for targeted attacks. If attackers know enough about you or your behavior, they can target the attack accordingly. Take the time to not just roll out technological barriers but provide education and training. Remember, if your entire infrastructure can be compromised because a random user makes a bad decision, the problem isn’t necessarily with the user. It’s because you’ve set up your processes to fail and haven’t helped them make the right one.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
