Phish Food: Chumming the Waters on Social Media

Most of us are willing to help others in times of need. We want to trust in others to do the same and generally want to see the best for others. Perhaps the innate desire to trust in and help others is an evolutionary trait humans developed to help us survive, or perhaps we do it simply because of our internal convictions. Either way, more often than not, we want to help others when asked. This is precisely why social engineering attacks are extremely successful methods of infiltrating companies. Whether it’s a phone call to the front desk of an organization trying to get information about those who work there, or an email with an attachment claiming to be an unread fax, most of us let our trust get the best of us which could end up costing the company.

One of the most famous and successful hackers, Kevin Mitnick, relied on social engineering to carry out the majority his hacks. To this day, many hackers are able to gain access to networks and sensitive information utilizing very similar techniques. In fact, many penetration testers will tell you that the easiest way into a network is to simply ask for credentials. This can be in the form of a phishing email, phony website, or, in my experience, even a spoofed phone call from a ‘help desk’ employee.

Before social media, it was sometimes quite difficult to gather enough information about a target to craft a convincing phising campaign. However, with the advent of Facebook, LinkedIn, and the multitude of other social media sites, it is now much easier (no more dumpster diving!). Typically, an attacker will utilize Open Source Intelligence (OSINT) tools to profile an organization. These tools use multiple techniques to scour the Internet for any information pertaining to the target individual and organization. Because many of us today are so apt to share everything on social media, and because these OSINT tools are free and easy to use, the profiling process is much quicker and yields a lot of valuable data.

After an attacker has gathered information about their target, they craft a convincing phishing email. Perhaps the email is spoofed to look like it’s coming from the CEO of the company, asking for their password to be sent to them because they are out of the office and it’s extremely urgent. Or, perhaps the attacker has stood up a website that looks like the victim’s webmail access portal. The attacker then convinces the victim that it’s an “upgraded portal with more functionality” and the victim has been “specially selected out of a handful of people to help test it.” No matter the vector of the attack, the end goal is the same: steal credentials.

Let’s stop making it easy for attackers and start utilizing the same tools the hackers use to get a better idea of what’s out there. First and foremost, if at all possible, do not share any information about the organization you work for on social media (this includes LinkedIn). Also, try to avoid listing your corporate email address anywhere on the internet. Go through each of your social media profiles and beef up the privacy settings to ensure that none of your details are available publicly. Then, Google yourself. See what comes up. Many times you will find data that may have been published years ago that you simply forgot about, just make sure to go back and clean it up. Finally, after you feel that you have sufficiently erased yourself from the Internet, run some OSINT tools on yourself and your organization. The three tools that I like to use are Maltego, FOCA Pro, and Shodan.

While social media is a great tool to keep us connected in both our personal and professional lives, it can also be a tool used by attackers if your privacy settings are configured properly. Let’s stop chumming the waters for phishing campaigns and be more cognizant of what we are sharing online. By over-sharing, we are putting both our personal and corporate assets at risk.