But the most fascinating part of our conversation concerned the role that social networks like Facebook and Twitter play in crafting attacks targeted to specific individuals – known as “spear phishing.” Cyber crooks will use information gleaned from social media to target important people in an organization, like a CFO or CEO.
“These guys are adept at penetrating C-level executives, who are actually the easiest to social engineer because they think the usual security rules don’t apply to them,” he says. “And if they get nailed they just blame IT for not protecting them.”
Attacks like this can be both sophisticated and subtle, Sjouwerman says. For example, using information gleaned from the Web, attackers can learn that a firm's CFO has lost a family member to cancer and is active in an anti-cancer foundation. They also learn what his favorite restaurant is. They then send him an email pretending to be from the charity, asking for his feedback on a new fundraising campaign and offering a free dinner at that restaurant as a reward. The “fundraising campaign” contained in a PDF attachment is, of course, infected with malware.
“Once an executive opens a file like this, the attackers own him,” Sjouwerman says. “They can install a remote access program onto his PC, or a keylogger that records his name and password the moment he logs onto his bank or the company network and sends it on to the attackers, who may not use that information until months later.”
If that doesn’t worry you, it should. Most of us have large digital footprints that are hard to suppress. If you’ve got a LinkedIn account, tweet about your life, or make parts or all of your Facebook profile public, an attacker can learn enough about you to make it seem like he knows you. And even if you’ve locked down all your social media accounts so that only people you know can see this stuff about you, you’re still at risk. All it takes is for an attacker to befriend one of your friends or connections, and then gain access to your information from them.
The best defense, says Sjouwerman, is for users to get a lot smarter about identifying and avoiding attacks. KnowBe4 publishes a list of 22 red flags that indicate whether an email that looks legit really isn’t. My advice would be to memorize that list, and to never click a link in an email or open an attachment unless you’re truly sure it is what it appears to be – and not a backdoor into your network or your life.
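As an added illustration (not from the article, and not KnowBe4's 22-item list), here is a small Python checker that applies a handful of heuristic red flags to a constructed message modelled on the CFO story above: a Reply-To that quietly routes answers to a different domain, a display name that borrows a trusted organisation's name while the address lives elsewhere, an attachment from outside the trusted set, and reward/urgency lure words paired with that attachment. The trusted-domain list, lure words, sample addresses and messages are all assumptions made for the example.

```python
"""Heuristic red-flag scorer for inbound e-mail.

Added illustration for this article; the checks are the editor's own
assumptions about what a mail gateway or user-facing plug-in might look for,
not KnowBe4's list. All sample messages and domains are constructed.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed: domains the recipient's organisation treats as known senders.
TRUSTED = ("acme.example", "hopeagainstcancer.example")

# Assumed: words typical of a reward or urgency lure.
LURE_WORDS = ("free", "reward", "urgent", "urgently", "feedback", "confidential")


def _domain(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _squash(s):
    """Normalise a name for loose comparison: lower-case letters and digits only."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def red_flags(msg, trusted_domains=TRUSTED):
    """Return a list of human-readable red flags found in an EmailMessage."""
    flags = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) or from_dom

    # 1. Replies silently routed to a different domain than the visible sender.
    if reply_dom != from_dom:
        flags.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    # 2. Display name borrows a trusted organisation's name; address lives elsewhere.
    for trusted in trusted_domains:
        org = _squash(trusted.split(".")[0])
        if org and org in _squash(display_name) and from_dom != trusted:
            flags.append(f"display name resembles '{trusted}' but address is at '{from_dom}'")

    # 3. An attachment arriving from outside the trusted set.
    attachments = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]
    if attachments and from_dom not in trusted_domains:
        flags.append(f"attachment {attachments} from untrusted domain '{from_dom}'")

    # 4. Lure language (reward, urgency) combined with an attachment.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    lures = sorted({w for w in LURE_WORDS if re.search(rf"\b{w}\b", text)})
    if attachments and lures:
        flags.append(f"lure words {lures} paired with an attachment")
    return flags


def constructed_lure():
    """Constructed spear-phishing message along the lines of the CFO story."""
    m = EmailMessage()
    m["From"] = "Hope Against Cancer Foundation <donors@hope-against-cancer-mail.example>"
    m["Reply-To"] = "campaign.feedback@freemail.example"
    m["To"] = "cfo@acme.example"
    m["Subject"] = "Your feedback on our new fundraising campaign"
    m.set_content("We would value your feedback on the attached campaign. "
                  "As a thank-you, enjoy a free dinner at your favourite restaurant.")
    m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                     subtype="pdf", filename="campaign.pdf")
    return m


def constructed_legit():
    """Constructed internal message with an attachment that should raise no flags."""
    m = EmailMessage()
    m["From"] = "Payroll <payroll@acme.example>"
    m["To"] = "cfo@acme.example"
    m["Subject"] = "Q3 payroll summary"
    m.set_content("Summary attached as discussed in Monday's meeting.")
    m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                     subtype="pdf", filename="q3.pdf")
    return m


if __name__ == "__main__":
    for label, sample in (("lure", constructed_lure()), ("legit", constructed_legit())):
        print(label, red_flags(sample) or "no red flags")
```

The point of the exercise is the combination: any one signal (an attachment, a Reply-To, a free dinner) is ordinary on its own, so a scorer that only fires when several line up is less noisy and closer to how a trained reader weighs an email. Note that a plain read of these four checks is already a decent human checklist for the CFO in the story.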