Criminals use a variety of tools and tactics when selecting victims and conducting attacks. But information is the key to any malicious campaign, and the more personal it is, the more value it holds. When one goes about their daily life online, how much information is too much, and what should be protected?
The topic of privacy is often interwoven with security, especially when it comes to awareness programs and operational security (OpSec). Online, it's hard not to share information, because inevitably you'll leave pieces of data about yourself behind as you surf the Web. Some of the information left behind you can control. Some of it you cannot, but OpSec in the context of privacy deals with the types of information you can control directly.
Recently, in a post on ITworld, privacy expert Dan Tynan discussed how Box.com allowed a complete stranger to delete his files. However, while the story discusses the risks of trusting sensitive information to the Cloud, Tynan raised his own risk profile by sharing information that may seem harmless and useless at first glance, but acts like a target to criminals on the hunt.
Last month, the CSO editorial staff was targeted by a phishing campaign. We covered the details of the incident here and here, but the interesting thing behind it was how focused it was, and how the use of a spoofed domain allowed it to bypass the company's spam filter.
Earlier this month, the same thing happened again. An email claiming to be from the Xerox WorkCentre offered a .ZIP file to each of the CSO editors, which was promptly ignored. The scam was simple; it claimed to be a scan from the Xerox machine, and offered us our newly scanned document in the form of an attachment. One of the key reasons the message was ignored was the attachment itself, but the fact that it was addressed to CXO Media addresses that didn't exist only added to its fishy nature. As was the case in September, this email also leveraged aexp.com to bypass our spam filters, taking advantage of the fact that American Express is a commonly whitelisted domain.
In both cases, the spammers were able to target the CSO editorial team, as well as our primary domain, by harvesting the information. Each CSO author has an author's page, with our company email, as well as links to our social media profiles. This allows anyone to gather our contact information, but it also shows the corporate domain name, as well as the company naming convention. The two phishing attacks that bypassed our spam filters used legit email addresses, which can easily be taken from our author's page, and other false addresses on the CXO.com domain, generated with dictionary words.
Names and email addresses alone however do not amount to much in a targeted phishing attack, or one that singles out an entire company or business unit. Attackers will combine that information with details on social media, personal blogs, as well as other sources in order to get the person they eventually address their message to do something -- such as clicking a link or opening an attachment.
As mentioned, in Dan Tynan's article, he offered information that raises his already high risk profile (he is a member of the media, and we're targeted quite frequently), by divulging the type of information that seems harmless in passing, but is worth quite a bit to criminals. In addition, he also admits to trading personal security for convenience, a common tradeoff when it comes to the Web.
From the ITworld article:
"Had I lost my day to day files (which I store on Dropbox), I would likely have been unable to complete assignments..."
"I scan all my paychecks and store them (on SkyDrive, not Box.com - fortunately). Our tax form PDFs are all on some cloud storage service, either SkyDrive or Dropbox, as are all our receipts..."
"We scan all our doctors bills and insurance insurance (sic) statements and store them in the cloud..."
Tynan's article ended by reminding the reader that their cloud data isn't as safe as they think, which is especially true when you tell the world what you're using the cloud for.
"This information gives the attacker more material to craft a better phish. When a target user reads an email there is a tipping point where the user decides to trust or not trust the email. The more the target is made to feel the e-mail is legitimate, the more likely the target will become the victim," Trevor Hawthorn, the CTO of ThreatSim, told CSO after reading Tynan's article.
"By contrast, users who are conditioned to be vigilant and skeptical are much tougher to crack. ThreatSim calls these people Smart Skeptics as they use email, social networking and more, but are smart about the impact of their actions as they consume email and information from the Internet."
Tynan isn't alone, plenty of people share information that they feel is useless in the hands of a criminal, or holds no value. This is why social engineering is so powerful in the wrong hands. In this example Tynan is singled out because his is a perfect example of oversharing information, and why OpSec is important when it comes to how you manage your presence online.
When it comes to protecting OpSec and limiting the amount of information available about you overshare online, awareness is the key. The first thing to remember is that once you post it to the Web, it's there forever, even if you "delete" it.
Toby Goldberg from MyPermissions.org has additional solid advice to help keep your information private.
"Try to input as little of your real information as possible. Instead of writing in a forum or signing up for an e-newsletter with your official email address, create a separate account for these sort of things. You should even create a nickname for yourself that you can identify with but that cant come back to you," he wrote.
When it comes to social media, Goldberg recommends locking your profile down on places like Facebook, and limiting the amount of personal information shared. Facebook, as CSO covered earlier, is making things easy for those with malicious intent, thanks to "improvements" to their Graph Search. The same policy for information limits and controls should apply to other public accounts such as Twitter, Reddit, Instagram, and Vine (be selective about who, where, and what you film).
Unfortunately, while you can control your privacy with a certain degree online, the process isn't easy, and public records almost assure that you'll never remove it all. This is why it's important to understand what you share, when you share it, and how. Passive sharing, such as what Tynan did, seems harmless at first. But little bits of information add up quick, and that's what criminals use to fool you when they initiate Phishing campaigns.
"People don't usually post sensitive information intentionally to blog sites or social media, although it has been reported users do so inadvertently or accidentally... Comparatively, many apps and services encourage users to allow access to their photos, location information and files to make life easier or to 'share more' with the world," ThreatSim's Hawthorn explained to CSO.
But when such oversharing happens, we asked, how could it be leveraged?
"I would exploit the leaked data and add little "trust tokens" in my email to the target. I want to lower their defenses and make the leap from "suspicious" to "trusted" within the target's head. I would want them to subconsciously come to the conclusion that 'only someone legit would know this about me.'"