Social Engineering: An Expanding Frontier in Online Attacks

By Eric Milam, Martin Bos

Social engineering is an expanding frontier for attacking public and private entities and their employees. With this approach, a malicious attacker gathers details about individuals working within an organization in hopes of using that information to gain control of credentials or underlying systems used by the employee base.

There are many ways an attacker can use publicly available information on the Internet to collect confidential data about individuals and their employers and use it against them. Here are some specific examples:

  • With a simple Google search, attackers can discover the custom layout of facility access badges for an organization. They can use the images to create exact badge replicas that enable them to gain physical access to an organization’s facilities.
  • An attacker can use LinkedIn to identify an employee within an organization and gather basic personal details such as name, department, and date of birth. Armed with this information, an attacker can easily impersonate an employee and call a corporate help desk to request a password change, gaining access to a corporate network or an external website such as an employee management portal. If the compromised account belongs to a high-ranking employee, the attacker may be able to use the portal to view birthdays, social security numbers, payroll details, and other personal information for all individuals under the employee’s management. This data enables the attacker to launch further malicious campaigns such as identity theft and direct deposit changes to bank accounts held by the organization and its employees.
  • With Spokeo.com an attacker can uncover the address, household income, and names of family members of any employee within an organization. From there, they can use the city’s official website to look up the names and addresses of an employee’s neighbors via publicly accessible data such as tax records. The attacker can use the gleaned information in a conversation to show an unknowing victim that they are familiar with their neighbors. Additionally, the attacker can monitor the community looking for opportunities to impersonate utility workers or others who frequent the area. Ultimately, this personal information can be used to establish trust with the victim.

Although many pieces of information about individuals and their employers are in the public domain, organizations should aim to limit the amount of detail that can be gained about a business’s inner workings. Companies can limit exposure through employee awareness education. Here are a few considerations for some of the most commonly used search and social tools that attackers rely on:
  • Search Engines – These are the most difficult to control because the employee may not directly supply the information. Employees should run searches on their names to ascertain their Internet footprint and remove information they don’t need to share. Also, before an employee provides any personal details (digital or physical) to a website, they should understand how it will be used and look for an opt-out policy. If one is not available, they must decide whether the information is safe to share with the world.
  • Social Media Sites – The difficulty with social media websites is that individuals are responsible for securing their own information. When signing up for a service such as Facebook, Twitter or LinkedIn, employees should review the security policy to understand how their information will be shared and used, and who will have access to it. Once an employee establishes an account, it’s important that they immediately look for security settings to limit the information that is available. If an individual feels the security settings are inadequate, they should not use the service. Also, employees should ask friends and family who post pictures not to include tags with names, especially children’s names. Ultimately, individuals must ask themselves whether they truly need to share certain information before clicking send or posting it.
  • People Search Engines – Websites and services such as Spokeo.com and Beenverified.com are almost impossible to secure, as names and addresses tend to be public record. Employees should contact the individual sites to see if opt-out policies exist.
  • Single Sign-On Across Multiple Sites – Employees should be wary of accessing multiple websites through a single sign-on, since cracking that single password gives an attacker access to all linked accounts. Sites owned by Google such as YouTube, Gmail, and Blogger allow for this automatically, so employees should opt out of using this feature whenever possible.

The above are just a few suggestions that organizations and their employees should keep in mind when sharing information on the Internet. Since no one can know if and when an attacker will use social engineering to gain access to confidential data, it’s critical to understand where information is publicly available and limit it appropriately.