I promise you this is a primer on phishing, but I still have some things to add about social engineering and how you and your team make things easier for the threat actors.
Threat actors often make use of publicly available information to target their phishing attacks so they have the maximum chance of success. Remember the last article mentioning the “Dire Straits Defence” – we see an increase in phishing emails to the law firms we look after on Fridays, when house sales are being completed and there is a chance of stealing large sums of money.
Social Engineering and OSINT
OSINT = Open Source Intelligence. That is the information a threat actor can gather about you and your organisation from open sources – there is no need to hack you if you leave the information lying around.
When I was studying, the weeks we covered OSINT were some of the most fun. One tool we used allowed me to work out why Octagon Technology had been receiving email enquiries about buying some serious plant and machinery. I found out someone in the US had included our email address on their online contact form – I got that fixed. We also found out some interesting stuff about the lecturers!
The ongoing conflict in Ukraine has highlighted the usefulness of publicly available information in revealing militarily useful data that one side or the other would sooner keep secret (O’Brien, 2022).
Q. Now where exactly is that target?
A. Google Maps
OSINT does not have to be technically difficult.
Threat actors can gather a lot of information about your operation by simply posing as a customer and sending you an email.
I include OSINT in several of my training courses, as it is important that organisations understand what they could be giving away in their posts on social media. In addition, Dymo taping the IP address and other secret information onto the firewall device on open display in reception is more common than you would think. I have a very effective scenario I use where the CEO goes on holiday and a business email scam is run on the company because of a post her children made on Instagram.
Simple posts on social media about a new member of staff can lead to them being the target of a social engineering attack. Awareness training for all members of your team – including any third-party marketing resources you use – can help with these issues.
OSINT – In House
We practice what we preach.
I have written a detailed policy for our support team, to make them aware of the consequences of oversharing, particularly on new projects where there may be one-off contractors involved.
What useful social engineering information leaks out of your organisation?
Really low-tech OSINT
What gets posted to social media by your team?
What is written on those post-it notes that are in full sight of anyone who visits your offices?
And do not get me started on the person in the coffee shop who, when getting a new password for their Microsoft account, not only double-checked their own email address, carefully spelling it out, but also diligently repeated the password using phonetics so there were no mistakes. I was sitting with my back to them at another table when this happened. So, with the number of people working in coffee shops, McDonald's, hotel lounges, motorway service stations, etc., it might be a good return on the threat actor’s time to hang about there, carrying out their other attacks or just drinking coffee, to see what they can get.
Data Mining
Then there are data miners, integrator apps and now AI that combine all these various disjointed bits of information about you, your team and your organisation, gathered from a variety of OSINT sources, and put it all together to answer the question: “What phishing attack will work here?”
OSINT and Your Organisation
All of the above and more are real-world examples that we have had to deal with. What information are you leaving out there for the threat actors to use?
Next…
At last, phishing emails…
Clive Catton MSc (Cyber Security) – by-line and other articles
References
O’Brien, A. (2022). Open source intelligence may be changing old-school war. Wired. https://www.wired.com/story/open-source-intelligence-war-russia-ukraine/
Further Reading
Why I do not like “Meet the Team” web pages – CyberAwake
The Basics of Cyber Security – A quick look at OSINT and Redacting (cyberawake.co.uk)
Featured photo by Tracy Le Blanc
In text photo by fauxels