BreachExchange mailing list archives

Beware scammers gathering data via fake social net IDs

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 14 Nov 2013 00:17:00 -0700

http://www.techhive.com/article/2062310/beware-scammers-gathering-data-via-fake-social-net-ids.html

Spear phishing is one of the most effective ways to break into a corporate
network, and recent studies show that employees can be easily tricked on
social media to provide the information needed to launch attacks.

A phishing attack is only as good as the information hackers are able to
gather on the intended victim, who is less likely to click on a malicious
link or attachment in an email that does not appear to come from a trusted
sender. As a result, criminals often research their targets on the Web.

For example, Websense Security Labs recently found a fake LinkedIn profile
gathering information that could be used in future attacks.

The profile summary pretends to be that of "Jessica Reinsch," a made-up
employee of a real dating Web site that connects young women with older,
wealthy men. The site is located in Switzerland.

While Websense did not find any malicious code on the site, the vendor did
find other related domains hosting "suspicious code." In addition, the IPs
used to host the site are in the same autonomous system number (ASN) as
multiple exploit kit command and control URLs, including those for RedKit
and Neutrino, according to Websense.

The bogus profile had more than 400 connections with legitimate LinkedIn
members, giving whoever was behind the account access to people's current
employer, job titles, and connections on the network, which has more than
250 million members.

Jeff Debrosse, director of security research at Websense, said such
information would be used to build a social graph of prominent individuals
that could be used in spear-phishing attacks.

"That's worth a lot of money to the buyers of that information," Debrosse
told CSOonline.

Businesses warned

While reconnaissance on potential victims grows more sophisticated,
corporations appear to underestimate the threat. Almost 60 percent of 300
IT executives, administrators and professionals in U.S. organizations rated
phishing as a "minimal" impact threat, according to an unscientific survey
by ThreatSim.

While rating phishing as a low-level threat, more than one in four of the
respondents reported phishing attacks that led to a "material breach within
the last year." ThreatSim defined "material" as some form of malware
infection, unauthorized access, and stolen data.

During a presentation at the RSA Europe security conference in Amsterdam
last week, a cyberdefense specialist described an experiment that showed
the effectiveness of using fake profiles on LinkedIn and Facebook to launch
an attack.

Aamir Lakhani with IT service provider World Wide Technology described how
the fake profile of an attractive female named Emily Williams was used to
eventually get employees of an unnamed U.S. government agency to click on a
link that could easily have been used to launch malware.

The bogus profile claimed Williams was a new hire at the agency, a
28-year-old graduate of the Massachusetts Institute of Technology with ten
years' experience. The researchers set up information about the woman on
other Web sites to make the profile seem more credible.

Within 15 hours of launching the profile, Williams had 60 Facebook and 55
LinkedIn connections with agency employees and contractors. After 24 hours,
she had three job offers from other companies.

The experiment pointed to the need for continuous training in organizations
to reduce the chance of employees becoming victims of phishers.

"In the military it's called situational awareness," Lakhani told IDG News
Service. "We need to develop situational awareness for this type of attack."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
