Oversharing information can lead to disaster online

Criminals use a variety of tools and tactics when selecting victims and conducting attacks. But information is the key to any malicious campaign, and the more personal it is, the more value it holds. When one goes about their daily life online, how much information is too much, and what should be protected?


The topic of privacy is often interwoven with security, especially when it comes to awareness programs and operational security (OpSec). Online, it's hard not to share information, because inevitably you'll leave pieces of data about yourself behind as you surf the Web. Some of the information left behind you can control. Some of it you cannot, but OpSec in the context of privacy deals with the types of information you can control directly.

Recently, in a post on ITworld, privacy expert Dan Tynan discussed how Box.com allowed a complete stranger to delete his files. However, while the story discusses the risks of trusting sensitive information to the Cloud, Tynan raised his own risk profile by sharing information that may seem harmless and useless at first glance, but acts like a target to criminals on the hunt.

Last month, the CSO editorial staff was targeted by a phishing campaign. We covered the details of the incident here and here, but the interesting thing behind it was how focused it was, and how the use of a spoofed domain allowed it to bypass the company's spam filter.

Earlier this month, the same thing happened again. An email claiming to come from a Xerox WorkCentre offered a .ZIP file to each of the CSO editors, and was promptly ignored. The scam was simple: it claimed to be a scan from the Xerox machine and offered us our newly scanned document as an attachment. The attachment itself was one of the key reasons the message was ignored, but the fact that it was also addressed to CXO Media mailboxes that don't exist only added to its fishy nature. As was the case in September, this email used a spoofed aexp.com sender address to get past our spam filters, taking advantage of the fact that the American Express domain is commonly whitelisted.


In both cases, the spammers were able to target the CSO editorial team, as well as our primary domain, by harvesting publicly available information. Each CSO author has an author's page listing a company email address and links to social media profiles. That lets anyone gather our contact details, but it also reveals the corporate domain name and the company's naming convention for addresses. The two phishing attacks that bypassed our spam filters used legitimate email addresses, which can easily be taken from the author pages, alongside made-up addresses on the CXO.com domain generated from dictionary words.
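The two weak points in this account, a whitelisted sender domain that was never authenticated and recipients that do not exist in the company directory, are both checkable at the mail gateway. The following is an added example written for this page, not code from CSO or from any product named in the article: it parses a message, refuses to honour the sender allowlist unless the receiving MTA recorded a DMARC pass, flags recipients on the local domain that are not in the directory, and notes archive or executable attachments. The allowlist, the local domain, the mailbox directory and the sample message are all constructed assumptions.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

# Assumed allowlist of sender domains the gateway trusts (constructed for this example).
TRUSTED_SENDER_DOMAINS = {"aexp.com"}
# Assumed local domain and a constructed directory of mailboxes that really exist.
LOCAL_DOMAIN = "example.com"
KNOWN_MAILBOXES = {"alice@example.com", "bob@example.com"}
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr", ".vbs")


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results header(s)
    stamped by the receiving MTA. The first verdict seen for each method wins."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. A From domain on the allowlist is only trustworthy if DMARC passed;
    #    otherwise the allowlist itself is the bypass the attacker is after.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    if from_domain in TRUSTED_SENDER_DOMAINS and auth.get("dmarc") != "pass":
        findings.append(
            f"allowlisted sender domain {from_domain} without DMARC pass "
            f"(spf={auth.get('spf', 'none')}, dkim={auth.get('dkim', 'none')}, "
            f"dmarc={auth.get('dmarc', 'none')}): treat as spoofed"
        )

    # 2. Recipients on our own domain that do not exist point to guessed or
    #    dictionary-generated addresses rather than a real correspondent.
    rcpt_headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [addr.lower() for _, addr in getaddresses(rcpt_headers)]
    unknown = [a for a in recipients
               if a.endswith("@" + LOCAL_DOMAIN) and a not in KNOWN_MAILBOXES]
    if unknown:
        findings.append("recipients not in directory: " + ", ".join(unknown))

    # 3. Archive or executable attachments are the usual payload carrier.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")

    return findings


def build_sample(dmarc="fail"):
    """Construct a message shaped like the scanner lure the article describes.
    Every address, header value and attachment here is made up for the example."""
    m = EmailMessage()
    m["From"] = "Xerox WorkCentre <scanner@aexp.com>"
    m["To"] = "alice@example.com, scan.room@example.com"
    m["Subject"] = "Scanned image from Xerox WorkCentre"
    m["Authentication-Results"] = (
        f"mx.example.com; spf=fail smtp.mailfrom=aexp.com; "
        f"dkim=none; dmarc={dmarc} header.from=aexp.com"
    )
    m.set_content("Please open the attached document.")
    m.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                     subtype="zip", filename="Scan_0913.zip")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
```

The point of the first check is the one the article's incidents turn on: an allowlist keyed on the visible From domain is only as good as the authentication behind it, so a gateway should apply the allowlist after SPF/DKIM/DMARC evaluation, never instead of it. The same message with `dmarc=pass` in the sample still trips the other two checks, which is why the recipient-directory and attachment rules are worth keeping independent of sender reputation.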

Names and email addresses alone, however, do not amount to much in a targeted phishing attack, whether it singles out one person or an entire company or business unit. Attackers combine that information with details from social media, personal blogs and other sources in order to get the person they eventually address to do something, such as clicking a link or opening an attachment.


As mentioned, in his article Tynan offered information that raises his already high risk profile (he is a member of the media, and we're targeted quite frequently) by divulging the type of detail that seems harmless in passing but is worth quite a bit to criminals. He also admits to trading personal security for convenience, a common tradeoff when it comes to the Web.

From the ITworld article:

"Had I lost my day to day files (which I store on Dropbox), I would likely have been unable to complete assignments..."

"I scan all my paychecks and store them (on SkyDrive, not Box.com - fortunately). Our tax form PDFs are all on some cloud storage service, either SkyDrive or Dropbox, as are all our receipts..."

"We scan all our doctors bills and insurance insurance (sic) statements and store them in the cloud..."

Tynan's article ended by reminding the reader that their cloud data isn't as safe as they think, which is especially true when you tell the world what you're using the cloud for.

"This information gives the attacker more material to craft a better phish. When a target user reads an email there is a tipping point where the user decides to trust or not trust the email. The more the target is made to feel the e-mail is legitimate, the more likely the target will become the victim," Trevor Hawthorn, the CTO of ThreatSim, told CSO after reading Tynan's article.

"By contrast, users who are conditioned to be vigilant and skeptical are much tougher to crack. ThreatSim calls these people Smart Skeptics as they use email, social networking and more, but are smart about the impact of their actions as they consume email and information from the Internet."


Tynan isn't alone; plenty of people share information that they feel is useless in the hands of a criminal, or holds no value. This is why social engineering is so powerful in the wrong hands. Tynan is singled out here because his case is a perfect example of oversharing, and of why OpSec matters in how you manage your presence online.

When it comes to protecting your OpSec and limiting the amount of information you share online, awareness is the key. The first thing to remember is that once you post something to the Web, it's there forever, even if you "delete" it.


Toby Goldberg from MyPermissions.org has additional solid advice to help keep your information private.

"Try to input as little of your real information as possible. Instead of writing in a forum or signing up for an e-newsletter with your official email address, create a separate account for these sorts of things. You should even create a nickname for yourself that you can identify with but that can't come back to you," he wrote.

When it comes to social media, Goldberg recommends locking your profile down on places like Facebook, and limiting the amount of personal information shared. Facebook, as CSO covered earlier, is making things easy for those with malicious intent, thanks to "improvements" to their Graph Search. The same policy for information limits and controls should apply to other public accounts such as Twitter, Reddit, Instagram, and Vine (be selective about who, where, and what you film).

Unfortunately, while you can control your privacy online to a certain degree, the process isn't easy, and public records almost assure that you'll never remove it all. This is why it's important to understand what you share, when you share it, and how. Passive sharing, such as what Tynan did, seems harmless at first. But little bits of information add up quickly, and that's what criminals use to fool you when they initiate phishing campaigns.

"People don't usually post sensitive information intentionally to blog sites or social media, although it has been reported users do so inadvertently or accidentally... Comparatively, many apps and services encourage users to allow access to their photos, location information and files to make life easier or to 'share more' with the world," ThreatSim's Hawthorn explained to CSO.

But when such oversharing happens, we asked, how could it be leveraged?


"I would exploit the leaked data and add little 'trust tokens' in my email to the target. I want to lower their defenses and make the leap from 'suspicious' to 'trusted' within the target's head. I would want them to subconsciously come to the conclusion that 'only someone legit would know this about me.'"

Stories by Steve Ragan