As human beings, we are our own worst enemies. Despite the growing demand for data privacy and resulting legislation, individuals continue to share an overwhelming amount of highly detailed personal information on publicly accessible and social media sites — without hesitation. This proliferation of personal information is a goldmine for attackers targeting humans using social engineering, and social media is the motherlode of opportunity as people readily disclose everything that even the most novice hackers need to know to create highly effective, deceptive, and targeted social engineering attacks. While the first post in this social engineering attack prevention series covered the basics on these kinds of attacks, this blog asks that you think like an attacker as it dives into greater detail to reveal how hackers create profiles for targets of social engineering attacks including the types of targets, the sources and sites attackers use to harvest individuals’ data, as well as the tools and techniques attackers use to create detailed profiles of their targets.
Types of Social Engineering Attack Profiles
Generally speaking, targets of social engineering attacks can be segmented into a few main profile categories:
- Generalized broad-scale attacks targeting the general population by impersonating popular brands like PayPal, Amazon, etc.
- Semi-sophisticated attacks against the general population that may use the context of the corporate environment to gain access to either internal or external company systems.
- Highly personalized and sophisticated attacks against C-Level or high value targets in a corporate environment to gain access to systems and/or other people.
Targets of Generalized Attacks
The main goal in targeting the general population is to gain access to individuals’ bank accounts, credit card numbers, passwords, and more. Generalized attacks tend to be fairly generic and lack the detailed personalization seen in more sophisticated attacks because the attacker employs a strategy of quantity over quality, launching massive campaigns that may target hundreds of thousands of individuals. And while the dollar amount captured from each victim is on the lower end — hundreds of dollars vs millions — attackers will amass a larger payout based on getting a lot of victims to fall for the bait. In these cases, it’s far more effective for them to purchase a list of email addresses through a data broker and send out mass emails or texts than it is to construct a more detailed profile using any number of the different Open-Source Threat Intelligence (OSINT) tools available.
Targets of Semi-Sophisticated Attacks
Similar to the generalized attacks, the semi-sophisticated social engineering attacks target the general population with the goal of either gaining access to individuals’ bank account details, credit card numbers, passwords, etc., or as the first phase of an attack to breach a network. These attacks, however, get more personalized and may use the context of a corporate or professional environment to bait the victims. In these cases, an attacker may put some effort into scraping some high level details from LinkedIn like a person’s employer, job role, colleagues and other connections. Armed with these details, they impersonate the individual and attempt to trick a colleague into divulging sensitive information on the individual being impersonated. For example, an attacker may impersonate an employee and make a request to whoever is in charge of payroll to change their personal bank account information used for direct deposit. As the request fits the context of each person’s role, it doesn’t raise any suspicions and has a good probability of success depending on what policies an organization may or may not have in place to verify such a request is truly coming from the actual employee.
Targets of Sophisticated Attacks
The most critical social engineering attack targets are the C-Level and high value targets at the enterprise level because this is the attacker’s potential jackpot — well worth the time and effort it takes to build detailed profiles for their social engineering attack targets. The most likely targets include those with perceived access to financial, technical, IP and other sensitive systems, where the payoff could be significant and worth considerable investment in time to create highly personalized attacks based on the individual’s publicly available information. The key to these types of attacks is using enough relevant contextual information to deceive and fool the target into believing that the attack is a legitimate text/SMS, email or other communications and to RESPOND.
Data Harvesting: Where Do Attackers Get My Data?
Online or offline, your publicly available data can be discovered in more places than most people realize — or even think about. From social media to voter registration to property records and more, below are some of the most common areas attackers turn to for building profiles of their social engineering attack targets.
- Social Media. Twitter, Facebook, LinkedIn, etc., hold a significant amount of user data, including personal information, browsing history, and activity data. It’s important to note that for C-Level/VIP targets, LinkedIn provides nearly all of the information needed for highly effective social engineering attacks. A committed attacker can certainly enrich their target profile data from other sources, such as the OSINT data described below, but in many cases, LinkedIn alone provides more than enough information for highly effective attacks.
- Public-Facing Web Servers. Websites that hold information about various users and organizations, such as government websites, online forums, and other publicly accessible platforms, can be a source of data for harvesting. This data can include information such as contact details, employment history, and other publicly available information.
- Newsletters and Articles. Data harvesting can also take place through newsletters and articles, where user information is collected through sign-ups or other forms of subscription.
- Code Repositories. Software and code repositories like Codechef and GitHub also hold a lot of information, although the information visible to users is usually limited to the data related to the project being searched or the software package being used. However, this data might include sensitive information about an organization and its operations.
- Dark Web. The dark web is only accessible through darknets. Darknets can be small peer-to-peer or friend-to-friend networks, as well as large networks like Tor and I2P. Many sites on the dark web host illegal content.
How Attackers Use Open-Source Threat Intelligence (OSINT) for Profiling
Open-source threat intelligence (OSINT) refers to the practice of collecting, analyzing, and disseminating information from publicly available online or offline sources, which may be free of cost, purchasable or obtainable by request. Cybersecurity professionals use OSINT to identify vulnerabilities and potential attack vectors to improve security measures. Unfortunately, because it is open-source and publicly available, attackers use it in exactly the same way, except that their goal is to breach the network perimeter before a defender can protect it. Below are some of the OSINT tools that can be used to build profiles for social engineering attack targets.
- Searching Metadata and Code. OSINT tools are designed to search and extract metadata and code from various websites, software, and code repositories. Metadata is data that describes other data, and code is the set of instructions that make a program or application function. This data can include information such as the creation date, last modified date, and the author of a document or file.
- Researching Phone Numbers. OSINT tools can assist in researching and identifying phone numbers, such as tracing a phone number to its owner or determining the location associated with a particular phone number.
- Investigating People and Identities. OSINT tools are used to investigate people and identities, for example searching for information about a person’s background, employment history, or other public-facing data. This can include searching for an individual’s social media profiles, public records, and other publicly available data.
- Verifying Email Addresses. OSINT tools can be used to verify email addresses and determine if they are legitimate or not. This is done by searching the internet for the email address and looking for any associated data or history.
- Analyzing Images. OSINT tools can assist in analyzing images to extract information, for example geolocation data, by using image processing and analysis techniques to identify features in the image and comparing them with known data.
- Detecting Wireless Networks and Analyzing Packets. OSINT tools can also help find wireless networks in the area and analyze packets transmitted over these networks. This can be useful to identify whether a device is connected to a specific network or whether any communication is vulnerable. This information can be used for penetration testing or to protect against malicious activity.
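Put to defensive use, the metadata item above names the fields an organization should check before a document reaches a public web server. The following added example (my code, not tooling from this post, and not Metagoofil) reports and then strips the author, last-editor, timestamp and company properties from an Office (OOXML) package; the leaky sample package is constructed inline rather than taken from any real document.

```python
# Added defensive example, not the blog's tooling: audit and scrub OOXML metadata.
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep the original prefixes when rewriting parts
# Part -> fields a harvesting tool would lift: author, last editor, timestamps, employer.
PARTS = {"docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"],
         "docProps/app.xml": ["ep:Company", "ep:Manager"]}

def extract_metadata(package: bytes) -> dict:
    """Return {field: value} for every identifying field present; empty means clean."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for part, fields in PARTS.items():
            if part in z.namelist():
                root = ET.fromstring(z.read(part))
                for tag in fields:
                    el = root.find(tag, NS)
                    if el is not None and el.text and el.text.strip():
                        found[tag] = el.text.strip()
    return found

def scrub_metadata(package: bytes) -> bytes:
    """Rewrite the package with those fields removed; every other part is copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in PARTS:
                root = ET.fromstring(data)
                for el in [e for tag in PARTS[item.filename] for e in root.findall(tag, NS)]:
                    root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()

def build_sample_package() -> bytes:
    """Constructed sample (not a real document): a minimal package with leaky properties."""
    core = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
            '<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>J. Doe (Finance)</cp:lastModifiedBy>'
            '<dcterms:created>2023-01-05T09:12:00Z</dcterms:created></cp:coreProperties>').format(**NS)
    app = '<Properties xmlns="{ep}"><Company>Example Corp</Company></Properties>'.format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Running extract_metadata on a real .docx, .xlsx or .pptx from your own public site shows exactly what a metadata harvester would collect; scrub_metadata produces a copy safe to republish.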
What Specific Tools Do Attackers Use to Harvest Data for Target Profiles?
While there are many different tools available for scraping data from public sources for social engineering targeting, most attackers focus on Google and social media because they’re free, and they offer every necessary detail to create their target profiles – employer, job role/function, geographic location, colleagues, areas of expertise, professional associations and interests, etc.
- Google: One of the most widely used search engines for finding publicly available information.
- Social Media: Twitter, Facebook, LinkedIn, etc.
- Shodan: A search engine for finding internet-connected devices and information about them.
- Maltego: A tool for visualizing and analyzing data from various sources.
- Recon-ng: A web reconnaissance framework.
- TheHarvester: A tool for gathering email addresses, subdomains, and other information about a target domain.
- Metagoofil: A tool for extracting metadata from publicly available documents.
- Intelligence X: A search engine for deepweb, darkweb and surface web that enables you to search for various types of information such as e-mails, hashes, IPs, domain names and more.
- TinEye: Reverse Image search engine to find where an image came from, how it’s being used, if modified versions of the image exist, or to find higher resolution versions.
- CheckUsernames: It can be used to find out if a particular username is already in use across a wide range of social media and other online platforms.
From the novice hackers sending mass phishing spam emails to the sophisticated cybercriminal operations, the human attack surface will always be a prime social engineering attack target — with or without the use of social media. Understanding the types of targets and the tools and techniques used by attackers is crucial in preventing and protecting against these types of attacks.