FREEDOM AND SAFETY
Beginning with the Yahoo! breach back in September – where personal information was stolen and presumably published online and/or sold to be used later to attack other online accounts – I was curious to find research that shows the top sources that criminals use to gather business and personal information (both data and metadata) which they can then use for nefarious purposes. As part of this analysis, I wanted to identify both public sites and dark web sites.
Having publicly reached out to a variety of folks throughout the industry, I pulled together the material contained in these slides from the following organizations:
“There has been an explosion in the number of entities offering legitimate lookup services online over the past few years,” says Tyler. “These lookup services range from Social Security number (SSN) search products to address and name verification services – all of which are used by legitimate and illegitimate users to identify and locate individuals both online and off.”
In this slide show, we’ll look at public sources for this valuable information. In a follow-up slide show, we’ll dig into dark web sources.
Adam Meyer, chief security officer of SurfWatch Labs, explains that while there are plenty of sites criminals can use to show detailed information about domains, IP addresses and effective attack vectors to try, the best way for someone to find information about a particular target is by getting it directly from the source: you.
“Most corporate or company websites are a treasure trove of information attackers can use to target a specific organization,” says Meyer. “Names of VIPs, email addresses of various people in the company, photographs, LinkedIn profile links... the list goes on. And that's the easy, obvious stuff.”
Meyer reminds us that, if your company is hosting PDFs, Word documents, Excel spreadsheets or PowerPoint presentations for people to download, it’s important to strip the metadata from those documents, since it can contain additional names, email addresses, usernames, or the version of the software used to create them. All of that information can be leveraged for attacks, such as spearphishing.
“Some pretty simple Google searches (just type site:yourpublicsite.com filetype:pdf into the Google search box) can reveal much more information that you may not have been aware you were leaking,” Meyer adds.
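As an added example (not code from the article or from SurfWatch), the following Python script pulls the docProps metadata out of Word, Excel or PowerPoint files before they are published and flags the fields Meyer names: author names, usernames and application versions. It uses only the standard library; the sample document and the list of sensitive fields are constructed here for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml and docProps/app.xml in .docx/.xlsx/.pptx files.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Fields that routinely leak a person, a username or a software version (assumed list).
SENSITIVE = ("creator", "lastModifiedBy", "Company", "Application", "AppVersion")

def office_metadata(data: bytes) -> dict:
    """Return {field: value} from the docProps parts of an OOXML package."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                tag = el.tag.split("}", 1)[-1]  # drop the namespace URI
                if el.text and el.text.strip():
                    meta[tag] = el.text.strip()
    return meta

def leaks(meta: dict) -> dict:
    """Subset of the metadata a reviewer should scrub before the file goes public."""
    return {k: v for k, v in meta.items() if k in SENSITIVE}

def build_sample_docx() -> bytes:
    """Constructed sample: a minimal OOXML package containing only the metadata parts."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>jdoe</dc:creator>'
            '<cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"]))
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           '<AppVersion>16.0000</AppVersion><Company>Example Corp</Company>'
           '</Properties>' % NS["ep"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()

if __name__ == "__main__":
    for field, value in leaks(office_metadata(build_sample_docx())).items():
        print(f"{field}: {value}")
```

Run it over the download directory of your public site before each publish; a real document also carries the same parts, so `office_metadata(open(path, "rb").read())` works unchanged.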
“The WHOIS service can be used to impersonate and create personas similar to the users being targeted,” says James Pleger, head of research at RiskIQ. “Finding additional websites based on common ownership gives hackers new sources of information through which they can compromise an individual or corporation. They can even impersonate those domains to fool the customers.”
Pleger suggests that, to mitigate this risk, corporations need to manage all their web assets centrally, including through domain providers that offer registration services specifically for corporations.
“Have some sort of monitoring program to monitor domains that are not owned by the corporation. For example, rogue assets for a temporary marketing campaign may not go through IT, so nobody knows about it. Those rogue assets could get hijacked to serve malware and steal credentials,” adds Pleger.
“There are products [that] can be found through a simple Google search by typing the following: ‘SSN Search,’ ‘Person Trace,’ or ‘Email Lookup.’ Most, if not all, are registered as legitimate organizations and have legal commercial uses,” says Adam Tyler, chief innovation officer at CSID. “Many bad guys utilize these services for illegitimate and nefarious purposes.”
Legitimate or not, the information found through these searches can represent the beginning of the end.
“The information found through web-based searches can help hackers assess how valuable a specific target is and whether or not it’s worth their time to go after them,” says James Pleger, head of research at RiskIQ. “Because they can find family history, tax records, criminal records, and potentially even a phone number, this source also gives them insight into how each person might be breached; is the best path through social or through their business partners?”
It goes without saying, the more information exposed on the Internet, the more things the search engines can find and reveal.
“Being cognizant of what types of information you put out is critical,” adds Pleger. “Saying that you’re going on vacation is not a big deal, but when that information is combined with all the other data that can be found through a simple search, the pieces become valuable together.”
In addition, “people routinely share useful and important personal information on social media, or via government and other query-able databases,” says Adam Tyler, chief innovation officer at CSID.
“If you’re doing a social engineering attack, you have to be believable, and in order to do this you have to be very knowledgeable about the subject so you can appear to be the target you’re impersonating,” says James Pleger, head of research at RiskIQ.
“This information can be used to socially engineer a wide range of users into providing more data, or answering additional security questions on individuals they have already acquired a subset of data for,” adds Tyler – or even changing passwords or altering account information.
While not all of the information found on these sites can be controlled by the user, they still have a responsibility to only share what is necessary with these sites.
“Individuals need to be aware of what information is out there, how they share this data, and if the details provided can be utilized to access or compromise any of their physical or digital accounts,” adds Tyler. “Minimize posting of personal information to public locations and be careful who you connect and share data with on social networks and other sharing platforms. If possible, register ex-directory for government services to minimize your exposure to public database searches.”
Organizations must also recognize the risk these records bring to their business. For example, your company’s high-profile executives could be targeted for those types of attacks…and this might be a precursor to an attempt to compromise the company itself.
“Be aware that the data is out there and what it means,” adds Pleger. “To mitigate the risk, you can set things up in a trust or owned by a different company. Some states have options to remove data from public records for precisely this reason.”
According to CSID, social networks offer malicious users a huge amount of data and insight, with the most common information gathered from these public web sources including:
“Cybercriminals compile lists of who their target(s) are related to, who they hang out with, how they interact with their family, friends, and co-workers,” says James Pleger, head of research at RiskIQ. “Hackers don’t want to waste their time impersonating someone their target never has interactions with.”
“Many users still post and provide personal information on their social networks, allowing nefarious actors to identify, extract, and utilize the information where possible,” says Adam Tyler, chief innovation officer at CSID. “Even seemingly innocuous information, like your high school mascot or pet’s name, can put you at risk and may be the final key to unlock your most sensitive accounts.”
“Corporations need to pay attention to their org structure; who is coming and going, especially during mass layoffs,” adds Pleger. “Cybercriminals can find friends of employees who have left who may be disgruntled and are easy targets because they aren’t thinking logically. Combat this risk by outlining clear policies for social media sharing, proactively look at what your employees are sharing, and build risk profiles internally for ongoing social media monitoring.”
“These sources are very similar to public records in terms of value to hackers,” says James Pleger, head of research at RiskIQ.
Information on genealogy websites may also be mined for potential gold such as maiden names, or even passwords, for those individuals who use that data when creating passwords.
“It's the Google for the Internet of Things,” says Meyer.
This simple idea has grown from a basic list of IP addresses and ports to maps showing where devices are located, and now screenshots taken from these devices (which include webcams, unsecured servers and workstations).
“The original focus for Matherly's scans was to highlight the growing problem of internet-connected things (thermostats, refrigerators, etc.), but his research also uncovered industrial control systems, wide-open computer systems, unsecured security cameras, and more,” says Meyer.
SurfWatch notes that the site underscores the inherent risk of putting IoT devices online and that careful thought needs to be applied when using new technologies. Unfortunately, once a device is online, there is little that can be done to hide it from Shodan.
“If it's online, Shodan will find it,” says Meyer. “The lesson to be learned from this site, without a doubt, is secure your systems and protect your data before it goes online.”
“The power behind VirusTotal is how it adds and saves the metadata and behaviors of the files it analyzes,” says Meyer. “You can use the domain search to look at the IP history of the domain and get the current WHOIS for the domain, but VirusTotal will also show you a list of every time it detected something malicious on the site, as well as list all of the samples that attempted to communicate with the searched-for domain.”
Perhaps even more troubling, explains Meyer, is that attackers are also using the service, uploading new versions of their malware to test against the 56 (at last count) antivirus vendors to see if and how their new variant will be detected.
“The timeframe before detection is short so these malicious files must either be used fairly quickly, or the criminals could just be testing a new obfuscating method to hide already known malware from being detected to be used in a future campaign,” adds Meyer.