Unmasking the Bogeyman – how hackers use cyber-intelligence and profiling to breach your network / device

Profiling: What It Is and How to Avoid It

The number of breaches and issues over the last few years has helped security professionals prove that the bogeyman is indeed real and that there are many real threats to organisations.

Just knowing about them is not enough; we need to be able to measure and quantify these threats in the context of our organisations. This is true for both emerging and realised threats.

As cybercrime is all about monetary gain, attackers know that the more intelligence they gather about their targets the easier it is to achieve a compromise. On the other hand, most people voluntarily share large amounts of personal information on social networks without fully appreciating the risks. In this post, we’ll find out how hackers use social media to profile targets and how you can protect yourself and your business.

What is Social Media Profiling?

Social media is all about sharing, whether it’s photos from the latest conference, overseas holiday or an important life event, or just trivia about your daily routines, the name of your pet cat, favourite soccer team or TV show; it’s all data that has value to someone. That someone may be a company that wants to sell you a new brand of cat food or an advertisement for a new season of that great TV drama, or it may be cybercriminals engaged in a spear phishing attack. The truth is that data from social media is a prime commodity, and that truth holds for hackers and threat actors just as much as legitimate marketeers. 

Social media profiling builds a composite of a person’s identity and lifestyle from publicly available information, and is the latest trick in the cybercriminal’s armoury.

Mining social media for clues about people and their interests is a technique widely used by governments, businesses, and now threat actors. It is part and parcel of today’s reality of interconnectedness. Just as a marketing department may employ legitimate techniques to identify audiences that will be receptive to their brand messages, attackers can use the same methods to identify likely targets.

So what kind of information can be gleaned from social media profiling? That all depends on how much you share. If you share a detailed CV or resumé online, that’s gold dust to profilers. If you likewise share information about special events, names of family members, places you’re visiting and such like on social media, that can add up to quite a detailed composite picture of you, your lifestyle and your background, particularly if that data is harvested over an extended period of time. 

Similarly, it’s good for personal brand marketing to include a profile picture that’s a headshot, but that picture also identifies you to bad actors, and provides them with a picture they can scrape and use to impersonate you. With AI tech that can now generate entire bodies of people that don’t exist using an algorithm trained on tens of thousands of online photos, that may be more convincing than you think.

If this is a business-related profile, you’ll want most everything to be public…but don’t forget to interlink your profiles to each other. Many networks have places to include links to other networks, and you can and should use them whenever possible.

How Can Threat Actors Exploit Social Media?

Social media profiling was big news last year, when it emerged that Facebook had allowed a private company, Cambridge Analytica, to harvest data such as location, birth date, page likes and public profiles from tens of millions of users without their consent.

For criminals looking to steal either data and/or money, the very same kind of profiling can be used to craft targeted advertisements and phishing emails that can carry malware to infect the user’s machine. The techniques are identical; only the “payload” differs. 

Sites like LinkedIn encourage users to be comprehensive in the details they provide, as that can help in job recruitment, but it can also lead criminals to victims under the pretext of offering employment. In one case, a LinkedIn advertisement for a software developer turned out to be a front for a hacker group.

It’s not just “business” sites where you have to think about what you share. What about online gaming communities? Millions of people play and chat within the gaming environments, and statistics suggest that only around 26% of them are teens. The rest are adults (average age: 26), employed (50%), married (36%) and have children (22%). But those percentages aren’t the point; the point is that those percentages can be gathered at all. How much data are you giving away to online gaming providers, and how secure is their handling of your data?

It’s important to remember that prior to the advent of the modern wired world, we were all reasonably careful about our personal information. We didn’t go around sharing details like our birth dates, jobs, and favourite animals with just anyone, and certainly not with just about everyone, as we do now via the internet. That was because prior to the advent of the connected world, we all implicitly understood the boundary between what was personal and what was public. Social media has broken that boundary down, but therein lies the danger. When it comes to cybersecurity, boundaries – and caution – are essential elements of defence.

Phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure.

Whether it’s getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication so that they can steal valuable data. Businesses, of course, are a particularly worthwhile target.

Here are some common types of Phishing attacks against businesses.

  • Company Impersonation: One of the most common forms of phishing is where attackers impersonate your brand. This is typically done with an email connected to a domain very similar to the target company (e.g., “first.name@amazon-support”). It’s also a difficult attack for companies to look out for, because you won’t know until someone falls for it or alerts you.
  • “Spear” Phishing: This type of scheme involves using a fake company name (impersonation) but also key details about the target. Much like in sales, a rep finds the name, position and other personalisation and includes that in a pitch email. Attackers find those same tokens and use them to compel more victims into their trap. It’s an especially dangerous ploy.
  • Email Takeovers: All members of your executive and management team are vulnerable. If a phishing scammer acquires the email credentials of high-profile leadership, it’s likely they’ll target anyone they can using that very email address. Potential targets would be colleagues, team members and even customers (if the attacker has already obtained this information via a hack).
  • Phone Phishing: Using Voice over Internet Protocol (VoIP) technology, scammers, again, impersonate companies. This technique also employs the other types of phishing, including using personal details about targets and impersonating individuals of the company (e.g., the CEO) in order to get a higher take on the overall scam.
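As an added example (not code from the original post), here is a small Python check that a mail filter or SOC triage script could run over inbound From: headers to flag sender domains that impersonate a protected brand, such as the “amazon-support” pattern in the first bullet. The protected-domain list and the sample headers are constructed for the example, and the registrable-domain logic is a deliberate simplification that ignores the Public Suffix List.

```python
import re
from typing import List, Optional, Tuple

# Constructed: the domains this organisation (or a brand it protects) legitimately sends from.
PROTECTED_DOMAINS = {"amazon.com", "example-corp.com"}

# Constructed sample From: headers, as they might appear in a mail log.
SAMPLE_FROM_HEADERS = [
    "From: Amazon Support <first.name@amazon-support>",   # brand + extra token
    "From: alerts@mail.amazon.com",                        # genuine subdomain
    "From: billing@amaz0n.com",                            # one-character lookalike
    "From: hr@amazon.com.evil-host.net",                   # brand as subdomain of a stranger
    "From: bob@gmail.com",                                 # unrelated, should not be flagged
]

def registered_domain(addr: str) -> str:
    """Last two labels of the address's domain, lower-cased (no Public Suffix List: simplification)."""
    domain = addr.rsplit("@", 1)[-1].strip().lower()
    return ".".join(domain.split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character swaps such as 'amaz0n'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(sender: str) -> Optional[str]:
    """Why a sender domain looks like brand impersonation, or None if it is clean."""
    labels = sender.rsplit("@", 1)[-1].strip().lower().split(".")
    reg = registered_domain(sender)
    if reg in PROTECTED_DOMAINS:
        return None                      # genuinely one of ours, subdomains included
    reg_label = reg.split(".")[0]
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if brand_label in labels:        # e.g. amazon.com.evil-host.net
            return f"brand '{brand_label}' used as a subdomain of unrelated domain {reg}"
        if reg_label != brand_label and re.search(rf"(^|-){re.escape(brand_label)}(-|$)", reg_label):
            return f"brand '{brand_label}' combined with extra tokens in {reg}"
        if edit_distance(reg_label, brand_label) <= 2:
            return f"'{reg_label}' is within 2 edits of '{brand_label}'"
    return None

def scan_headers(headers: List[str]) -> List[Tuple[str, str]]:
    """Extract the address from each From: line and return (address, reason) for suspicious ones."""
    findings = []
    for line in headers:
        m = re.search(r"[\w.+-]+@[\w.-]+", line)
        if m and (reason := lookalike_reason(m.group(0))):
            findings.append((m.group(0), reason))
    return findings
```

Such a check is a triage aid, not a verdict: it should feed a quarantine or analyst queue alongside SPF/DKIM/DMARC results rather than block on its own.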

Unauthorised Data Collection

Unauthorised data disclosure is exactly as it sounds: private data is released to an individual who is not authorised to see it. Of course, a situation like this can happen by accident or on purpose. When data is obtained maliciously, a few techniques are commonly used: pretexting, phishing, spoofing, and sniffing.

Pretexting is when someone pretends to be someone else.

For example, a telephone caller pretends to be from a credit card company and tries to steal your credit card number by asking you to “verify” it.

Phishing is very similar to pretexting, except that it is carried out through e-mail; it also fits into the category of unauthorised data collection.

The “phisher” will pretend to act on behalf of a company, requesting confidential data.

Spoofing is another term for someone pretending to be someone else.

If you pretend to be someone, you are spoofing that person.

Sniffing is a technique used for intercepting computer communications. On a wired network, sniffing requires a physical connection to the network; on wireless networks, no physical connection is needed.

Drive-by sniffers take computers with wireless connections to different areas and try to find an unprotected wireless network to connect to.

Solution: To avoid unauthorised data disclosure, be very careful about whom you are interacting with. In a situation where your personal information is asked for, avoid having that conversation over the phone or via e-mail. Try to go directly to the company and talk to a representative face to face. Always protect your network with a password to avoid intruders. Also, do not click on any links or download any files that do not come from a reliable source.

To learn more about Black Fog or to purchase please complete the form below and a consultant will make contact with you.
