Corporate IT security has never been more important, yet even the most sophisticated software defenses can’t protect against human error.
It should come as no surprise, therefore, that attackers increasingly rely on spear phishing and other social engineering approaches to break into corporate IT systems. In particular, when it comes to hacking executives and other high-value targets, it pays for cybercriminals to mount sophisticated, highly personalized attacks against their marks.
Security-focused user training has arisen as a partial solution to this problem, but it has its limitations: compliance is never perfect, and a good social engineer will always be a step ahead of the training.
This is why companies should also focus on making social engineering more difficult to pull off. How? By obscuring sources of personal information that can be used to customize attacks. This security-focused scrubbing process is key to our privacy solutions here at ReputationDefender.
The rise of executive social engineering
Given the time and effort required to mount a personalized spear-phishing attack, it makes sense that hackers would focus on the most lucrative targets. As such, executives are increasingly in the crosshairs, according to figures provided by the FBI. That’s because executives offer that goldilocks combination of high value at moderate effort that makes for a successful scam.
Low-level employees may be easier to trick, but they rarely have extended access to IT systems, making them less attractive as targets. Conversely, sysadmins and other IT professionals do have high-level access, but they are aware of the latest threats and cautious in their behavior.
Now consider executives. They often have access to many systems, they need to move quickly in order to fulfill their duties, and it’s not unusual for them to delegate tasks to others. This profile makes for an attractive, achievable target. Once an executive’s system is compromised, attackers can access large quantities of data, spread malware throughout the company, and/or impersonate the executive in order to commit financial fraud.
This threat to executives is not hypothetical. Research conducted by Wombat Security shows that one in three Fortune 500 executives has fallen for a spear-phishing attack. Moreover, these attacks are often highly sophisticated, as demonstrated by campaigns like DarkHotel, which featured kernel-level keylogging and forged security certificates. To make matters worse, average losses from corporate cybersecurity breaches run into the millions.
The anatomy of an executive cyberattack
Over the past few years, a number of prominent executive spear-phishing scams have highlighted the severity of the threat and the sophistication of the attacks. One of the most illustrative for our purposes is the Scoular Co. wire fraud hack, which ended up costing that company over $17 million in losses in 2015.
In carrying out the attack, hackers impersonated the CEO of Scoular while he was traveling, and they then asked the company controller to wire funds to a bank account overseas. To legitimize the transfer, the attackers did two things.
First, they referenced a foreign business deal that was in the works at Scoular, as well as US regulatory requirements involved in the deal that would require confidentiality. They also wrote with enough personal detail about the CEO to make the message seem natural.
Second, they provided the name and contact information of a partner at KPMG, Scoular’s accounting firm, who would manage the transfer. These details made the request look authentic, and the controller called the KPMG contact to confirm the details.
Of course, the KPMG contact information was fake. When the controller called the partner to confirm the transfer, a scammer picked up the phone instead. Shortly thereafter, the controller wired more than $17 million to an overseas bank account. Those funds then promptly disappeared.
What we can learn from Scoular
The most important thing to notice about the Scoular hack is how the fraud was legitimized. The attackers knew about the business deal and the regulatory challenges involved, they knew to pose as the CEO to contact the controller, they knew to send the request when the CEO was traveling, and they knew which accounting firm the company used. This level of personalization allowed them to request large sums of money without raising eyebrows.
To achieve this extreme specificity, the scammers would have needed to collect publicly available information about the business and personal information about the CEO. They also must have known something about the CEO’s travel schedule.
Clearly, much of the business information used in a scam like this will be easy to find, since virtually all companies share information about their activities, whether through press releases, conferences, sales materials or other business channels.
However, less obvious is how the personal and travel details were sourced. In an interview with the Financial Times, FBI cybercrimes agent Mitchell Thompson explains that these components are often gleaned from online research. People-search sites can provide a wealth of personal information about an individual’s family, and unsecured social media posts are a great way to verify that someone is traveling away from the office.
It was the combination of these different types of information that allowed the attackers to carry out the Scoular fraud. If any of these sources of information had been missing, the story might have sounded fishy, or the timing might have been off.
How to prevent executive social engineering
The best defense against this type of cyberattack is the obfuscation of publicly available data. Of course, company information usually needs to stay public, both for business and regulatory reasons. However, there are many types of personal information that don’t have to be available to the general public and can be obscured. Making this information harder to find significantly reduces the risk of falling prey to a spear-phishing attack.
People-search sites – There are a large number of data aggregator companies that scrape public records, government sites, and marketing databases to create detailed, personalized profiles of individuals. Many of these sites offer information for free or at a low cost to anyone who asks for it. By opting out of people-search services, personally identifiable information about executives becomes much harder to find.
Unlocked social media – Too many people leave their social media accounts unlocked, or with only minimal privacy protections. Sometimes the executive’s account itself is unlocked. At other times, the account of a family member provides information about the executive indirectly. Either way, lax privacy settings on social media offer a wealth of contextual information for social engineers to exploit. Regular audits and adjustments to privacy settings are key to keeping social media locked down.
Unfortunately, putting these two broad principles into practice involves a fair amount of legwork. There are many people-search sites out there, and each has a different opt-out procedure. Worse yet, most of these sites generate records automatically, causing personal information to reappear periodically even after an opt-out request has been processed.
Similarly, on social media, as platforms evolve and features change, what was once a fairly private account can unwittingly become exposed.
ExecutivePrivacy by ReputationDefender solves many of these logistical problems by issuing opt-out requests on behalf of our customers, monitoring for any new records that appear, and auditing other online sources for potential privacy leaks. Increasingly in demand from the security sector, ExecutivePrivacy defends against executive spear phishing by making it much harder for hackers to find the types of information they need to personalize their attacks. To learn more about how privacy protection can bolster your cybersecurity efforts, talk to one of our privacy experts.