Psst…hey, buddy. Over here. Yeah, that’s it. Step into the shadows. Wanna buy a Rolex? Real cheap. No? Well how about the contact information for top executives? I’ve got them all. You want the chairman of Coca-Cola? Got it. Audi, Ralph Lauren, Bloomberg, Porsche…you name it!
And so it begins. Let’s face it: information is the commodity that makes the world spin today, and there seems to be no end to what you can purchase – for the right price, of course. Security firm Webroot reported in a blog post earlier this month that it has discovered an underground ad offering a Microsoft Access file which exposes the information of a large number of executives, many of them from Forbes 100 companies. Who knew there was a black market for this stuff? It makes sense, of course, that there is, but when life starts imitating Hollywood, it seems that the Four Horsemen can’t be too far away.
“The inventory”, writes Webroot’s Dancho Danchev, “consists of 508 contacts of foreign companies based in Russia, and 380 contacts belonging to other companies such as Baltika, Mercedez-Benz Russia, Pernod Ricard Rouss, GM, LVMH, Credit Suisse, Gazprom Export”.
The list is a veritable who’s who of corporate glut and opulence, and the perfect gift for the aspiring young hacker. Toss in a license for Blackhole 2.0 and you’ve got yourself a recipe for mayhem.
The data itself is of mixed quality. Webroot found four kinds of records: real information that appears to have been pulled from a database, ostensibly a corporate one; data that arose from fraudulent directory-listing requests, that is, fake requests asking companies to be included in bogus business directories, to which the companies opt in and send their own information; harvested data, which is nothing more than what is already publicly available; and scanned data, basically scanned business cards. With the exception of the first category – compromised databases – there’s not much here in terms of quality, but that first category more than makes up for it and represents a valid threat to companies and a real opportunity for hackers.
In fact, the blog post highlights the trend we’ve been seeing over the past few years: spam shifting from shotgun-blast mass-mailer campaigns to advanced persistent threats (APTs), which are most notably focused on governments, the military, and human rights organizations. Indeed, a real industry has been built around attacks based on performing genuine research about targets and personalizing the campaign to ensure the highest possible chance of success.
“These campaigns” Danchev writes, “spread primarily over email, are very well researched, and [the] basic marketing principles for increasing click-through rates are taken into consideration…[there are] several popular methods cybercriminals use in order to automatically obtain valid and versatile sets of personal information, to be later on used in social engineering driven campaigns.”
He also predicts that localization in spam and malware campaigns – the practice of crafting messages specifically for the end user using people who natively speak the language and therefore can customize the message according to local conventions and idioms – is the next big threat that will have a “widespread effect internationally.”
If you mess with the gladiator, you get the spear
Spear phishing has become far scarier over the past several years. The level of detail and focus on information harvesting has become the mantra by which hackers and spear phishers hang their hats. Simply put, if you can gain enough information about a person, it’s far easier to trick them into clicking, divulging their information, opening their door to you. That hackers have become this smart – this sophisticated – is a disturbing prospect, to say the least, and makes one wish for the good old days when they were so mind-numbingly stupid in their attacks that only the lowest common denominator of humankind could possibly fall for their schemes.
Now, however, we live in a brave new world where even the most innocent of email messages or social media requests could spell disaster. An example is the Facebook friending scheme, where seemingly valid Facebook friend requests are anything but. It seems harmless to confirm a person whose name you can’t quite recall – maybe they’re a friend of a friend, that type of thing. But by friending these ‘people’, you’re effectively giving them access to whatever personal information resides on your Facebook page, and you’re giving them access to every Facebook friend you have.
The message here? Guard your information – your corporate information, your personal information, everything – as if it was a helpless child.
That’s a pretty good analogy.