Sharing your business destinations to the world on LinkedIn? Beware
26th November 2021
Social engineering is an increasingly important methodology used by fraud actors of all types to gather information and target government agencies, SMBs and enterprises – in addition to consumers. In this post, I’d like to share my strong point of view on a topic that is relevant to most of us as business professionals: sharing (over-sharing, I should say) personal information on LinkedIn, with a focus on out-of-town business trips.
So here is a typical and increasingly common scenario. You are on a business trip, or planning one, out of town to San Francisco, London or Seoul. You make it known to the world on LinkedIn, or you post great pictures of your out-of-town seminar, workshop or roadshow, or a great selfie by the Sydney Opera House, or similar. Sounds familiar?
Sounds pretty harmless, right?
Well, it is NOT. Information that appears to be benign in isolation could, if correlated with other information, have a significant impact.
As shared in previous posts here at Secplicity, malicious actors are online and watching all of us. For some of them, it is their full-time “job.” They identify suitable targets, research these targets’ social and professional networks, and then generate messages (e.g. phishing, or spear phishing) that are plausible within their set of circumstances. This is why, when you communicate your business trips and destinations, you are giving away precious information. Fraud actors’ eyes (and increasingly their algorithms too) love it.
Who is at risk and how
Cyber reconnaissance (target selection and spying, online but also physically at the site) and spear phishing attacks do require a significant amount of skilled labor and time.
However, with artificial intelligence capabilities at their disposal, fraud actors can now spy and target at scale. Concretely, this means:
there are more fraud actors thanks to automation and algorithms – wannabe cyber criminals now have the capability to defraud and steal
mass spear phishing becomes a possibility – it would have been unthinkable until recently
the attacker does not have to speak the same language as their target, so the malicious actor can be anywhere on the planet, in particular in those places where the rule of law barely exists
It’s not only the CEOs and top executives who are the main targets any longer, it’s you and me and all of us. Why? Because we are great entry points into our employers’ network, confidential or regulated data and financial assets.
And it is not only the eyes of cyber criminals watching you; the algorithms are watching you, too.
What are the risks, and why are your business destinations of such interest to fraud actors?
Plain and simple good old style burglary – you’re not home! You are therefore putting your home, your family or both at risk
Business Email Compromise (BEC) for wire transfers into fraud actors’ bank accounts. More on this below
Building a detailed profile of you: making it easier to guess your passwords, and making cyber attacks credible – see typical scenario below
Typical scenario #1
You are on a business trip at a conference in Russia, and you are making it known on social media/LinkedIn. The attacker pretends to be you. An email goes to your Finance Director with a high sense of urgency, followed up by a phone call: “I am stuck in Russia and I need you to wire 20k immediately to this bank account.” The fraud actor is using a psychological lever, a spoofed version of your email address, a high sense of urgency, and a request for action. Voila!
Their scam emails appear to be legitimate. The situation is very credible: you are indeed on a business trip in Russia.
What is the Finance Director/Accountant likely to do? This happens all the time. SMBs and SMEs get defrauded 15k here, 50k there, sometimes 100k or more.
Typical scenario #2
When you over-share on LinkedIn, a typical follow-on is a request to your employer’s treasury manager or accounts payable team to make an immediate wire transfer to a so-called supplier. The request is made by email, possibly followed up with a phone call with a high urgency level. In the shipping industry, we know of attacks that go like this: “if you don’t wire 50k, then your ship will be stuck in the port of Amsterdam because the suppliers will not be able to unload its cargo.” When your firm manages lots of ships travelling the world, this sort of hit is credible.
The challenge is finding the balance between sharing (and over-sharing) and becoming completely paranoid about everything. Common sense and a healthy level of skepticism should always prevail.
Otherwise you put yourself, your home, possibly your family, and your employer’s data and financial assets at risk.
My suggested good practices
Don’t advertise your whereabouts to the world live or ahead of your business trip on LinkedIn. Delay posting as much as possible.
If you are going to be travelling out of town and want to set up meetings, PM the people you’d like to meet; you don’t need to announce your trip in the open. How about using the good old phone again to reconnect with contacts?
Divide and conquer: ask your in-country co-workers or business partners to post the great conference/seminar/roadshow pictures, and you simply like, comment and share.
Are you a selfie addict? Post the pictures of you in front of the Paris Louvre whilst on your business trip at your own risk. Cyber criminals are watching you and your selfies. Your selfies say a lot about what you like – useful information for the purpose of password hacking, identity theft and spear phishing attacks.
Finally, we all need to contribute to raise awareness and educate our colleagues, business partners, friends, family members. Let us spread the good word. This is what this blog post ultimately is all about.
Do you have other good practices of your own? I’d love to hear them and any other thoughts or comments.
CEO Fraud: are you at risk?
5th November 2021
CEO Fraud, also known as Business Email Compromise (BEC), is a sophisticated scam targeting businesses of all sizes leveraging social engineering. The ultimate objective is to get unauthorized transfers of funds to the fraud actors’ bank accounts. It’s all about hard cash and top executives being the targets of such scams.
There are 3 main attack methods:
Phishing
Spear Phishing
Executive “Whaling”
Spear phishing, and executive whaling in particular, are used to get to the big trophy. Malicious actors will spend a significant amount of time and resources gathering information to pick the right target(s) and to spy. Spying is essentially gathering a large amount of relevant information about a person (or several persons) of interest from multiple sources (corporate homepage, social media profiles, search engines, phone calls to extract further information, possibly going onsite to take photos, etc.).
The objective is to better understand the target’s work situation, co-workers, destinations for business trips, family members, hobbies, and more to discover vulnerabilities and to make the attack (the “hit”) credible and successful.
Thorough preparation is crucial, because usually a CEO fraud-type attack has only one chance of success. The hit must be successful the very first time. And fraud actors have to be prepared for unforeseen situations.
Who are the high-risk target personas?
Finance managers
CEO / top executives
Those corporate staff and executives have authority and access to funds. There are others of course, in particular HR managers, who have access to valuable information about employees (social security numbers, addresses, phone numbers, salary details, emergency contacts, possibly healthcare and tax information, etc.).
A single successful BEC campaign can be very lucrative, yielding USD 150,000 on average according to various industry analysts. See recent data from the FBI: https://www.ic3.gov/media/2018/180712.aspx.
A simple email with a “spoofed” email address from a member of the legal team and a subject line with the threat of a lawsuit is very likely to make even a CEO click any link.
Bad actors craft “spoofed” emails to look like a valid email from a familiar organization. A spoofed email will have altered properties that disguise who the real sender is (e.g., the FROM name/address, the REPLY-TO name/address, etc.).
In IT security in general, and in this type of fraud in particular, the three foundational pillars for addressing cyber threats such as CEO fraud are:
People
Processes
Tools & Technology
It is critical for businesses to invest in and roll out IT security awareness training to turn staff into “human firewalls”. All of us, whether we work for small businesses, larger enterprises or governments, must be able to spot a phishing email a mile away and be aware of basic IT security concepts and hygiene. We are the first (and critical) line of defense.
Here is a good resource about what phishing and email scams can look like. I encourage you to take a look and to share and like on social media, and spread the word. We can all play a role in building awareness and educating our co-workers, family members and friends.
Original link https://www.secplicity.org/2018/11/07/ceo-fraud-are-you-at-risk/
202 Million Resumes Leaked
12th October 2021
One of the largest data breaches yet is not from a company in the US, and GDPR doesn’t apply since they are outside the European Union. On December 28 last year, Bob Diachenko from Hackern.io found 202,730,434 private resumes from Chinese citizens on a database without any authentication protecting it.
This database ran on a MongoDB instance hosted on Amazon AWS. The breach revealed everything you would put on a resume and some items you wouldn’t normally see. It included mobile phone numbers, email addresses, marriage status, children, politics, heights, weights, driver licenses, literacy levels, and salary expectations.
The data in the database had the same structure as a web scraping script found on GitHub later, which was removed shortly after discovery. Looking at other scripts by the same user, the user writes in Chinese, further indicating that a user in China targeted Chinese residents. The script appeared to target Chinese classifieds sites like bj.58.com. According to Diachenko, many of the resumes in the leaked database have marks on them indicating they are private. bj.58.com denied any breach after performing its own internal investigation. So the actual source of the breach is still unknown.
While investigating, Diachenko found that “a dozen” IP addresses had already accessed the database. Even accounting for the original creator of the database, the two search engines Diachenko used to identify the database, and Diachenko himself, that still leaves around eight IP addresses unaccounted for. Any one of these could have downloaded the database, or at least a portion of it. While we are no longer able to access this data now, we may see it elsewhere in the future.
As more data became available and presented by the researcher over the last week, the original sources were quickly taken down. The original database no longer responds, and we can no longer access the scraping script that updates the server. This indicates the database creator must be following the story closely.
This database was likely set up recently. Diachenko found this leak when two external searches reported this database to him the same day. These searches provide reports to him at regular intervals, and previously the search engines didn’t see this database. The database admin likely created this database recently, or recently changed its authentication settings, leaving it open. We see Amazon buckets, MongoDB and other databases left open far too often. Database admins must lock down any database before it holds data, or someone may find it and steal the data within hours of it being left open.
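The “left open” condition described above comes down to two mongod settings: whether `security.authorization` is enabled and which interfaces `net.bindIp` listens on. As an added example (not code from the original post or from the researcher), the script below parses the indented key/value subset of YAML that mongod.conf uses, audits those two settings, and shows a weak configuration beside a corrected one. The two config fragments are constructed for this example; `security.authorization` and `net.bindIp` are real MongoDB configuration keys, and the tiny parser assumes no YAML lists, quotes or anchors.

```python
def parse_simple_yaml(text):
    """Parse the nested key/value subset of YAML used by mongod.conf.

    Assumption (example only): no lists, quoted strings or anchors. Nesting is
    tracked by indentation, which is enough for the net/security sections.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def audit_mongod_conf(text):
    """Return a list of findings for the two settings that leave a server open."""
    cfg = parse_simple_yaml(text)
    issues = []

    # MongoDB ships with authorization disabled; an unauthenticated client can
    # then read every collection, which is exactly what happened to the resumes.
    auth = cfg.get("security", {}).get("authorization", "disabled")
    if auth.lower() != "enabled":
        issues.append("security.authorization is not enabled")

    # Binding to all interfaces exposes the port to the internet on a cloud host
    # unless a firewall or security group blocks it.
    bind = cfg.get("net", {}).get("bindIp", "127.0.0.1")
    if any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        issues.append("net.bindIp listens on all interfaces")

    return issues


# Constructed configuration fragments for the example.
WEAK_CONF = """# exposed instance: no authentication, reachable from anywhere
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

HARDENED_CONF = """# locked down: authentication required, loopback plus one private address
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

if __name__ == "__main__":
    print("weak:", audit_mongod_conf(WEAK_CONF))
    print("hardened:", audit_mongod_conf(HARDENED_CONF))
```

Running the audit against a configuration file before the first record is loaded is the practical form of the “lock down any database before it holds data” advice above; the same two checks apply whether the instance is on AWS or anywhere else.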
For more information on this see the original post here.
Google to bring Stadia to Android TVs
17th September 2021
Android TV is Google's smart TV software. TVs running the software have built-in Google Cast, Google Assistant voice control, and access to apps, movies, and music via the Google Play store.
Currently, you can find Android TV on models from Sony, Sharp, Philips, and Hisense, or you can add Android TV to your existing box with an Nvidia Shield. However, Google itself has been very quiet when it comes to Android TV devices, not releasing any supporting hardware since it discontinued the Nexus Player in 2016.
With a big hardware event right around the corner for Google, and all the recent strides the company has made in the smart home, a Google-powered TV does make a lot of sense; after all, the TV is the largest smart display in a home. Watch this space.