Why would anyone pay thousands of dollars for this publicly available info?
On the face of it, it seems crazy to pay big bucks for data that’s publicly available. But “publicly available” doesn’t necessarily mean easily available: Gathering large quantities of data on individuals from social media sites can take substantial effort and especially time.
Cybernews reported that personal information scraped from more than 500 million LinkedIn profiles was being offered for sale on a dark web hacker forum. The seller specified a “4 digit $$$$ minimum price.” The data being offered includes full names, workplaces, email addresses, phone numbers, professional titles, other work-related data, and more. Two million records were leaked as a “sample.”
LinkedIn was NOT hacked; the seller of this information simply scraped publicly available information. Collecting that much data, however, is not a trivial task.
Publicly Available Information and Spear Phishing
Most phishing attacks entail hackers fraudulently attempting to obtain sensitive information such as credit card numbers and, log in credentials, by utilizing bulk email spam, sent out by the thousands. This is far and away the most common type of cyberattack – the FBI records over twice as many instances of phishing as any other computer crime.
Spear phishing takes the attack emails to another level by personalizing the phony email, typically using publicly available information about the recipient. There are many variations of spear phishing. In business email compromise or CEO fraud, email may be used as a device for plain, old-fashioned fraud, rather than for installing of malware. In one famous case, fraudsters sent an email to the CFO of Leoni AG, a German manufacturer of electrical cables, that appeared to come from the CEO. The email instructed the CFO to wire transfer $40 million to a particular account, and the CFO complied. The cyberthieves didn’t need to steal logon credentials: they simply had to convince the CFO that it was the CEO who was asking him to send money.
The right names, titles, and email addresses/formats for these kinds of attacks can all be derived from public sources. “Email spoofing,” which makes an email look like it comes from one account when it actually comes from a different one, is simple for hackers. And plainly put, it is simply more efficient for cyberattackers to pay for the contact details of good targets than to waste their valuable phishing time on gathering info.
Advanced Persistent Threats and Spear Phishing
Mounting highly customized spear phishing attacks takes a great deal of effort and time, so cybercriminals who use them are seeking big payouts. The attackers are often highly sophisticated – cyber gangs, nation states, or state-sponsored groups – who leverage spear phishing to install Advanced Persistent Threats (APTs). APT attacks may unfold gradually, over a long period time. Once the attacker works their way into the targeted network, they might remain very quiet, carefully collecting information and deploying additional malware to help achieve their goals, which may include the theft of personal data, financial information, or trade or government secrets.
Spear phishing emails may also lead recipients to open a file or visit a website containing a trojan, which instantly penetrates the victim’s system, providing an entry point for further malicious activity by the attacker.
Protecting Against Spear Phishing
The first line of defense against spear phishing is educating users: It’s always good practice to be wary of opening emails from people you don’t know or visiting websites without ascertaining that they’re legit.
Even if an email seems to come from someone a user knows, it’s important for them to be alert to behavior, writing or requests that seem unusual. For instance, in the Leoni case, one wonders why the CFO did not question a request to transfer $40M to an unknown account, given that he was unaware of any activity that would call for such a large transfer.
Establishing verification procedures, both internally and with business banks, that require a phone call or personal meeting before a large wire transfer can be done is likewise advised.
User education and verification procedures can likely thwart some spear phishing attacks. But depending on users to act as your organization’s firewall of last resort simply won’t work. In one simulation, 24% of users who had been through security training still clicked on a sufficiently clever phishing emails. Blocklisting, which uses filters to prevent users from accessing known dangerous websites, is likewise important – but just to a point. Cybercriminals use automated procedures to create malware-bearing websites at millions of URLs, then abandon them to still newer sites before blocklists manage to notice they’re there.
Zero Trust Steps in Where Education and Blocklisting Fail
Unlike education-dependent approaches, which depend on users to protect an organization, Zero Trust approaches to networking security regard every user, email received, and website visited as a possible threat. Zero Trust means relying on a range of protective measures that ensure that no person, entity, or resource is trusted to be safe, unless they have been verified to be so – and even then, only contact that is strictly necessary is allowed.
In cases where spear phishing emails, for example, contain links to malicious websites, Remote Browser Isolation (RBI) keeps malware from reaching endpoints by opening links in a remote container in the cloud, and streaming only safe rendering data to the endpoint. Even if a user is fooled, they, their device, and the network it connects to cannot be impacted by malware. For additional phishing protection, websites launched from emails can be rendered in read-only mode to prevent users from entering credentials. Similarly, microsegmenting network resources and leveraging identity and access management (IAM) solutions to limit what even authorized users can access can limit damage if a network is penetrated via a spear phishing or other attack.