Suppose a threat actor wants to get personal data and information about an individual in a professional context. While they could do this using the individual’s loyalty card, LinkedIn is a pretty simple stop where said individual has unwittingly volunteered the information that the cybercriminal needs. A quick search online on social engineering escapades unearths tales of how threat actors use LinkedIn as part of their OSINT and social engineering campaigns without insider risk management.
A story I found most intriguing starts off with the anonymous threat actor expressing just how much he loves LinkedIn. He quickly points out that all the information he could possibly need for any “job” is on the platform. He reiterates how LinkedIn is a great spot to pick targets. Further, LinkedIn, by design, has a unique URL through which cybercriminals can quickly pick out their targets.
Using this URL, the cybercriminal can get a brief history of the target. To ensure that the campaign is as straightforward, the threat actor will look for individuals who haven’t locked down their profile. They then proceed to do a deep dive into their profile.
The Next Phase of the Campaign
Having identified the target, the cybercriminal then proceeds to dox. He excitedly explains how he then picks at the other social media accounts of the target. His favorites include Instagram, Twitter, and Facebook. The now excited hacker obsesses over the victim’s hobbies, interests, family, and other personal information. They cleverly analyze the photos on these profiles for metadata. They could also find out details about where their victim was and what they were doing.
This seasoned hacker explains how this reconnaissance phase is the most exciting. Here they can nitpick which profiles and victims to go with as he is a bit reserved about going with detail-less profiles.
He gives a real-life example of how he’s used this method to find out information about a board member at a leading consultancy firm. Using what is clearly superior coding skills, the hacker went on to create a fake website. Then, he had the board member unknowingly submit a password that they often use.
What’s shocking about this story is how simply this threat actor was able to obtain the board member’s home address. In what could best be described as creepy, he highlights how he went to that address and broke into their victim’s WiFi as it shared that same password. This became his route into the unsuspecting board member’s accounts as part of his overall doxing attempt. What’s alarming is that the anonymous account holder explains that he eventually obtained the board members banking details. He would then end up transferring money from the account, and the whole time, he remained unnoticed.
Ramping up the Campaign
The cybercriminal expresses how in his early days, he rarely ramped up the attack campaigns he launched. He felt a lot more comfortable just sticking with the doxing and finally selling the obtained information online.
However, with time, he expresses that his confidence has soared to the point where he is more comfortable reaching out to his victims. In the case of the board member, he went ahead to send connection requests on Facebook, Instagram, LinkedIn, and Twitter. He cleverly curates messages that are likely to get their victim’s attention. While there’s the risk that the victim will ignore these messages altogether, he proudly expresses that he has perfected the art of reaching out without coming off as psycho messaging the victim.
He points out that this step of the campaign requires patience and persistence. If it is successful, he would gain additional access to the victim’s profiles. This provides a fuller picture of his complete intrusion into the target organization.
After making this initial contact, the threat actor embarked on small talk with the board member with the intention of building up a rapport. He then curated a false tale of how he was part of a small private award company. The board member was then informed that they had been selected for being outstanding and that they had to attend a ceremony to collect the award.
Social engineering informs us that presented with this offer; most individuals will jump right at the opportunity. With a cheap domain, he sent the board member mail that included fake tickets, an invoice, and a request for payment details.
Overall, for this particular campaign, the threat actor aimed at getting some money from the board members. He explicitly explains that it would have been just as simple for him to use the password he’d obtained to get access to the consultancy firm’s IT ecosystem.
Learn More About Insider Risk Management
This detailed thread by this particular threat actor is a perfect example of how OSINT and social engineering are threats. While the consultancy firm, in this case, might have had strong cybersecurity policies in place, they would ultimately be compromised by an unsuspecting employee.
All threat actors need to do is research your business via your social media accounts and aggregate the publicly available information. They can then use the information to target individuals within your company through their social media profiles, their phone calls, or even real mail.
In hindsight, cybersecurity awareness training no longer suffices. Said training fails to cover threats that might have their origin outside the entity’s computer network.
That’s where insider risk management comes in. This encompasses policies, procedures, and technologies that can aid in preventing privilege misuse. Then, it reduces the impact social engineering and OSINT could have on your infrastructure. Insider risk management aims to deter personnel from becoming insider threats and ultimately reduce the risk they pose to the organization.
Zero Trust Security can stop most attacks from becoming incidents by defending identity, data, and devices. Agile IT builds Zero Trust into our migrations and implementations, reducing risk and increasing security. To find out how you can implement Zero Trust in Microsoft 365, request a free consultation.