Info of Forbes 100 Executives Exposed by Phishing Black Market

Americans-Will-Need-“Black-Markets”-To-SurvivePsst…hey, buddy. Over here. Yeah, that’s it. Step into the shadows. Wanna buy a Rolex? Real cheap. No? Well how about the contact information for top executives? I’ve got them all. You want the chairman of Coca-Cola? Got it. Audi, Ralph Lauren, Bloomberg, Porsche…you name it!

And so it begins. Let’s face it: information is the commodity that makes the world spin today, and there seems to be no end to what you can purchase – for the right price, of course. Security firm Webroot reported in a blog post earlier this month that its discovered an underground ad offering a Microsoft Access file which exposes the information of a large number of executives, many of them coming from Forbes 100 companies. Who knew there was a black market for this stuff? It makes sense, of course, that there is, but when life starts imitating Hollywood, it seems that the Four Horsemen can’t be too far away.

“The inventory”, writes Webroot’s Dancho Danchev, “consists of 508 contacts of foreign companies based in Russia, and 380 contacts belonging to other companies such as Baltika, Mercedez-Benz Russia, Pernod Ricard Rouss, GM, LVMH, Credit Suisse, Gazprom Export”.

The list is a veritable who’s who of corporate glut and opulence, and the perfect gift for the aspiring young hacker. Toss in a license for Blackhole 2.0 and you’ve got yourself a recipe for mayhem.

The data itself is a mixture, in terms of its quality. Webroot discovered real information that appears to have been pulled from a database, ostensibly a corporate database; data which arose from fraudulent directory listing requests to companies, that is, fake requests to companies about inclusion in fraudulent business directories result in companies opting in and sending their information; harvested data, which is nothing more than grabbing what’s publicly available; and scanned data, basically scanned business cards. With the exception of the first category – compromised databases – there’s not much here in terms of quality, but the first category more than makes up for this and represents a valid threat to companies and a real opportunity for hackers.

In fact, the blog post highlights the trend that we’ve been seeing over the past few years, of spam shifting from shotgun blast mass mailer campaigns to advanced persistent threats (APTs), which are most notably focused on governments and military and human rights organizations. Indeed, there’s been a real industry built out of attacks based on performing real research about targets and personalizing the campaign to ensure the highest possible chances for success.

“These campaigns” Danchev writes, “spread primarily over email, are very well researched, and [the] basic marketing principles for increasing click-through rates are taken into consideration…[there are] several popular methods cybercriminals use in order to automatically obtain valid and versatile sets of personal information, to be later on used in social engineering driven campaigns.”

He also predicts that localization in spam and malware campaigns – the practice of crafting messages specifically for the end user using people who natively speak the language and therefore can customize the message according to local conventions and idioms – is the next big threat that will have a “widespread effect internationally.”

If you mess with the gladiator, you get the spear

Spear phishing has become far scarier over the past several years. The level of detail and focus on information harvesting has become the mantra by which hackers and spear phishers hang their hats. Simply put, if you can gain enough information about a person, it’s far easier to trick them into clicking, divulging their information, opening their door to you. That hackers have become this smart – this sophisticated – is a disturbing prospect, to say the least, and makes one wish for the good old days when they were so mind-numbingly stupid in their attacks that only the lowest common denominator of humankind could possibly fall for their schemes.

Now, however, we live in a brave new world where even the most innocent of email messages or social media requests could spell disaster. An example is the Facebook friending scheme, where valid Facebook friend requests are anything but valid. It’s seemingly harmless to confirm a person whose name you can’t recall, but maybe they’re a friend of a friend, that type of thing. by friending these ‘people’, you’re effectively giving them access to whatever personal information resides on your Facebook page, and you’re giving them access to every Facebook friend you have.

The message here? Guard your information – your corporate information, your personal information, everything – as if it was a helpless child.

That’s a pretty good analogy.

Written by Malcolm James

0 Comments

  1. Katrina · May 2, 2013

    Nothing’s safe anymore nowadays, especially from spammers. It looks like they’ve spread their wings and embraced other methods of acquiring information that’s not theirs. I mean, like what you said, this type of work (if you can call it that!) entailed a lot of research. That’s why I believe this spamming level is scary. They now have means of getting around the fences! It’s scary to think they’re trying to find an answer to every anti-spam tool, including the new ones! So yes, I agree. We should guard – double guard! – our information! In all possible ways we can!

  2. Mark · May 16, 2013

    This is very interesting. As far as I know, those who belong to the upper management are the ones who don’t clearly appreciate IT upgrades, investments, and security. After all, they’re costly, and somehow, some people below these executives also don’t know the value of a great IT system. Now with this news, I’m hoping they’ll give online security more consideration.

  3. Sohaib · May 29, 2013

    There are actually a lot of factors that have caused this leak. One is the lack of security. As Mark pointed out, some companies just tend to take online threats for granted. Second is a very weak IT staff and policies. Third is aggressive data mining. Otherwise, how were they able to generate this if not for that, right?

  4. Katrina · August 3, 2013

    @Mark and @Sohaib, you both are right! I know a lot of upper management people who have no idea what spam threats are all about . So they don’t care about things like upgrades and increasing IT investments. For them, as long as there’s anti-malware, safety won’t be a problem anymore. Maybe IT guys should explain things to them using simple words?…Online threats are as real as real can be and should be given the attention they deserve. Otherwise, danger will always be lurking everywhere…@Sohaib: I agree. Data mining should be part of the action plan of any company seriously fighting spam.

Leave A Reply