June 24, 2008
In their mid-2008 security wrap-up, F-Secure notes that targeted attacks are on the increase. Some of the biggest targets are corporate executives in sensitive sectors such as energy, weapons research, and finance. In many cases, the victim is enticed via email into opening a malicious email attachment or visiting a nefarious website. But these email messages aren't the badly written, easy to spot scams most of us are familiar with. Instead, attackers pinpoint a specific person and include personal and often (seemingly) confidential details in order to appear as if the email were legitimate correspondence from a business associate or government entity. So how do attackers gain the type of knowledge needed to pull this off?
Part of the answer may lie in social networking sites. Attackers can create an account, find a weak friend of the target's, and get that friend to add them as a friend. Once the attacker is a friend of a friend, they may be able to leverage that relationship to get added as a friend by the target. This, of course, allows the attacker access to the target's profile, discover who their contacts are, and glean any other information provided as part of the service. It may seem far fetched, but the reality is that many people will add near (or perfect) strangers to their friend list - either as an attempt to boost their own perceived popularity or because they don't want to risk hurting the feelings of someone. The easiest way to avoid this type of casual disclosure is to never add friends you don't absolutely, really know. You can further minimize the risk by adding only those friends you actually do know and which whom you have a legitimate social or business need to remain in contact with.
Search engines can also reveal many personal and business details. To see what type of information is publicly searchable about you, simply pull up your favorite search engine, type in your name, and read through the results. If you've ever written a letter to the editor of a newspaper, commented on a blog, or participated in a community forum or mailing list, chances are you'll find all of these in the search results. And high-placed executives are also often quoted in press releases or their comments carried in news articles, providing even more fodder for attackers. In the latter case, an attacker can simply subscribe to a newsfeed with the target's name as a keyword in order to keep a current and running tab.
Those in sensitive sectors should also monitor the type of information discoverable about their spouse and children. Attackers have been known to target family members as well.
While there's not much that can be done about the information already available on the Web, forewarned is forearmed. Simply knowing the information is out there can help you avoid being tricked by the inclusion of personal details in an email.
It's a bit ironic that while the technology behind the Internet provides anonymity for would-be attackers, the Web itself can dissolve any semblance of privacy for would-be victims.