Email Continues to Confound Businesses
For all the talk of threat actors’ growing degree of sophistication, their favorite attack method continues to be remarkably prosaic: sending malicious emails to employees and then hoping that someone opens one and clicks on the link. It’s popular because it works.
That doesn’t mean people are necessarily foolish. “People always used to say to me ‘Why do people click on emails and open the links?’” Payton said. “And I would say, ‘Because it’s their job.’”
At the same time, hackers are getting more sophisticated in their social engineering tactics. To illustrate the point, Payton took her audience through a common methodology used by threat actors when targeting a victim.
The hacker starts by gathering publicly available data about, say, the CEO of a publicly traded business. Free tools available online can provide the hacker with a list of potential email addresses and office phone numbers and even potential cellphone numbers for that person. From there, the hacker looks for potential passwords that might have leaked. Other tools will provide access to the targeted CEO’s personal social media accounts and allow the hacker to examine the metadata of the photos the CEO has shared, providing clues to where the target spends time and perhaps even where he or she lives.
“You get a heat map of where the person has been,” she said. “I can get a pattern of their life and start to see what looks like a vacation spot and what looks like their residence.”
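The photo metadata Payton describes is the EXIF block embedded in JPEG files, and the GPS fix lives in a sub-IFD that IFD0 points to with tag 0x8825. The following is an added defensive example, not code from the talk or the article: it detects whether a JPEG carries a GPS sub-IFD and strips the whole Exif APP1 segment before the image is shared. The sample JPEG is constructed inline (a minimal file with one IFD0 entry pointing at a GPS sub-IFD); the function names are this example's own.

```python
import struct

# JPEG marker values (big-endian, each marker is two bytes starting with 0xFF)
SOI, EOI, APP1, SOS = 0xFFD8, 0xFFD9, 0xFFE1, 0xFFDA
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD


def build_sample_jpeg():
    """Constructed sample: SOI, an APP1/Exif segment whose IFD0 points at a
    GPS sub-IFD, a stub SOS segment and EOI. Not a real photo."""
    # IFD0 at TIFF offset 8: one entry (tag 0x8825, type LONG, count 1, value 26), next-IFD 0
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)
    # GPS sub-IFD at offset 26: one entry (GPSLatitudeRef, ASCII, "N"), next-IFD 0
    gps = struct.pack("<H", 1) + struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00") + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps  # little-endian TIFF header
    app1_payload = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(app1_payload) + 2) + app1_payload  # length includes itself
    sos = struct.pack(">HH", SOS, 2) + b"\x00\x01"  # placeholder scan data
    return b"\xFF\xD8" + app1 + sos + b"\xFF\xD9"


def iter_segments(data):
    """Yield (marker, payload, raw_bytes) for each marker segment up to SOS.
    Entropy-coded image data follows SOS, so parsing stops there."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker in (SOS, EOI):
            yield marker, b"", data[pos:]
            return
        end = pos + 2 + length
        yield marker, data[pos + 4:end], data[pos:end]
        pos = end


def exif_payload(data):
    """Return the TIFF structure inside the Exif APP1 segment, or None if absent."""
    for marker, payload, _ in iter_segments(data):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            return payload[len(EXIF_HEADER):]
    return None


def has_gps_ifd(tiff):
    """True if IFD0 of the TIFF structure contains the GPS sub-IFD pointer tag."""
    if tiff is None or len(tiff) < 8:
        return False
    order = tiff[:2]
    if order == b"II":
        fmt = "<"
    elif order == b"MM":
        fmt = ">"
    else:
        return False
    magic, ifd0 = struct.unpack(fmt + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(fmt + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        off = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes
        if off + 12 > len(tiff):
            break
        (tag,) = struct.unpack(fmt + "H", tiff[off:off + 2])
        if tag == GPS_IFD_POINTER:
            return True
    return False


def strip_exif(data):
    """Copy the JPEG, dropping every APP1 segment that carries Exif data.
    Everything from SOS onward (the actual picture) is copied untouched."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    out = bytearray(b"\xFF\xD8")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker in (SOS, EOI):
            break
        end = pos + 2 + length
        payload = data[pos + 4:end]
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += data[pos:end]
        pos = end
    out += data[pos:]
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS sub-IFD present before stripping:", has_gps_ifd(exif_payload(sample)))
    cleaned = strip_exif(sample)
    print("Exif present after stripping:", exif_payload(cleaned) is not None)
```

Stripping the whole Exif segment is deliberate: removing only the GPS entries would leave camera serial numbers, timestamps and embedded thumbnails, which are location and pattern-of-life clues in their own right. Image-sharing pipelines that pass user uploads through a step like this remove the heat map before it can be built.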
Another common tactic is to search LinkedIn for anyone who has posted a phrase such as “I’m looking forward to starting my new position.” Many people make statements like that on LinkedIn every day. The hacker can then craft a phishing email to that individual, posing as his or her new employer’s CISO, instructing the employee to visit a portal to take the company’s cybersecurity training.
The CISO tells the employee that it’s vital that this training is completed — and quickly. All they have to do is click the link.
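The lure above combines three signals a mail gateway can check on every inbound message: an executive's name in the From display name on an address outside the company's domains, a Reply-To that diverts answers elsewhere, and urgency language next to a link. The following is an added detection example, not code from the talk or the article. The executive roster, the organisation's domains and both sample messages are constructed for the example; the function names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed inputs: the organisation's own mail domains and a roster of
# executives whose names are worth protecting against display-name spoofing.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"alex rivera": "CISO", "jordan lee": "CEO"}

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|as soon as possible|right away)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)


def normalize_name(name):
    """Lower-case and drop punctuation so 'Alex Rivera (CISO)' still matches the roster."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def message_text(msg):
    """Return subject plus plain-text body as one string for pattern matching."""
    parts = [msg.get("Subject", "")]
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    else:
        parts.append(msg.get_payload())
    return "\n".join(parts)


def assess(raw_message):
    """Return the list of findings for one RFC 5322 message; empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    findings = []

    role = EXECUTIVES.get(normalize_name(display_name))
    if role and sender_domain not in ORG_DOMAINS:
        findings.append(f"{role} display name on external sender {sender}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To domain differs from sender domain ({reply_to})")

    text = message_text(msg)
    if URGENCY.search(text) and LINK.search(text):
        findings.append("urgency wording combined with a link")
    return findings


# Constructed sample: an external sender using the CISO's name and a training-portal pretext.
PHISH = """\
From: Alex Rivera <alex.rivera@example-mail.net>
Reply-To: training-desk@example-portal.net
To: new.hire@example.com
Subject: Mandatory security training

Welcome aboard. Please complete the training within 24 hours at
https://example-portal.net/training (placeholder link).
"""

# Constructed sample: the same topic sent internally, with no link and no deadline.
LEGIT = """\
From: Alex Rivera <alex.rivera@example.com>
To: new.hire@example.com
Subject: Security training

Welcome aboard. HR will schedule your onboarding training in your first month.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess(raw))
```

The roster check is the one that matters most here: a display name is free text that any sender controls, so the only meaningful comparison is name against sending domain, not name against address. In production the roster would come from the directory, and a hit would route the message to quarantine or tag it with an external-sender banner rather than block it outright.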
“Why am I telling you this? It’s not so that you’ll never use LinkedIn again,” Payton said. “On the contrary, I’m telling you this to show that you are better than these guys. You can outsmart them.”