
Publicly Available Data Enables Enterprise Cyberattacks

Adversaries scour social media platforms and use other tactics to gather information that facilitates targeted enterprise attacks, research shows.

Most security leaders are acutely aware of the threat phishing scams pose to enterprise security. What garners less attention is the vast amount of publicly available information about organizations and their employees that enables these attacks.

Kaspersky researchers recently examined the different methods cybercriminals use to gather publicly available and seemingly non-threatening information about companies and dox, or attack, them with it. The security vendor found adversaries are putting considerably more effort and resources into gathering data for enterprise attacks than they would in attacks on individual users because of the potentially higher monetary payoffs.


"Public data is the first step to collecting private data," says Roman Dedenok, security researcher at Kaspersky. Contrary to perception, attackers don't always need to hack into systems in order to gain access to an organization's confidential data, he says. It's often easier for cybercriminals to hack an organization using the human factor, Dedenok says. "Cybercriminals can use public information to collect private data and also get access to the company's finances and cause damage to reputation."

Kaspersky found that publicly accessible online sources, including social media platforms such as LinkedIn and Facebook, are the primary and often richest sources of information for phishers and other cybercriminals. Such platforms often reveal the names and positions of employees and key executives such as the CEO, head of HR, and people in charge of finance and accounting.

The information publicly available on these sites — such as a top executive's 'friends' or connections — can help adversaries quickly figure out an organization's hierarchy, an executive's direct subordinates, and other information that can be extremely useful in carrying out attacks. Even seemingly inconsequential data, like an individual's post on Facebook about restaurants, gyms, or places they visit can provide useful fodder for phishing and other social engineering attacks.

Business email compromise (BEC) is one example of the kind of attacks this data can enable, according to Kaspersky. Attackers often use data about individuals and their organizations gleaned from publicly accessible forums to gain a victim's trust. A common tactic is to pose as the victim's superior, fellow employee, or third-party representative to get the victim to take some action; for example, parting with their credentials, stealing sensitive data, or initiating wire transfers to an attacker-controlled account. In February alone, Kaspersky researchers registered a total of 1,646 unique BEC attacks.

Kaspersky found credential leaks, such as those involving improperly configured Amazon cloud storage buckets, to be another big source of helpful data for criminals. In recent years, there has been a significant uptick in these types of leaks, which have resulted in heightened risk for the owners of leaked data repositories.

The Tracking Pixel Threat

Another method common among attackers involves the so-called 'tracking pixel', a technique that mass e-mailers use to know if an email recipient opened the message or not, Kaspersky observed. Attackers often use this utility in emails sent to targeted recipients to gather information on when emails were typically opened and the recipient's email client, IP address, and other data they can use to impersonate another individual in future attacks.

The threat to organizations from such doxing can vary, Dedenok says. "For some companies the loss of a large amount of money may be critical, for others - leak of a private secret information can be disaster," he notes.

Information gathered from publicly available sources can help attackers access data that can later be used as leverage to extort money from victims. If an organization refuses to pay, they could suffer brand damage when the compromised data later surfaces on some criminal forum, he notes.

"Usually this is either extortion of money, or brand and reputational damage," Dedenok says. "There may be exotic cases [where] cybercriminals [might] publish private data in order to lower the company's shares and make money on it."

Kaspersky recommends that organizations establish and enforce a rigid rule prohibiting employees from discussing work-related matters on publicly accessible forums. Employees also need to be made aware of the risks and aggressive tactics that cybercriminals use to gather data that might be handy in attacks against businesses.

"In order for companies to prevent employees from discussing work processes in third-party messengers/social networks, it is necessary not only to prohibit this, but to explain why it is dangerous," Dedenok said. "This is a difficult, but necessary task."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
