Security Week 13: collecting data for attacks on businesses
Last week, Kaspersky Lab experts published analytical review basic techniques of corporate doxing. Doxing in general is generally understood as the collection of private information about individuals for subsequent dissemination. In the case of companies, it is more about the data collection stage before the attack is carried out. For example, to force the accounting department of an enterprise to transfer a large amount, you need to be convincing enough in mail or telephone conversations. This requires reconnaissance.
How is the data collected? First of all, they are obtained from open sources, starting with the list of employees on the company’s website. Social networks bring a lot of information: by the connections between employees’ accounts on LinkedIn, you can easily recreate the internal organizational structure, understand who reports to whom.
The next level is various types of attacks such as Business E-mail Compromise. A curious example of an attack begins with a real post by an employee on social media that he is on vacation. Further, the attackers on his behalf contact the accounting department and ask to change the bank details for the transfer of salaries. The inability to contact by phone to confirm the request is due to the stay in another country.
Attacks using corporate information leaked into the Network are located at a higher level in complexity. For example, internal company documents may be publicly available in the cloud. Even if they alone do not allow funds to be stolen, the information can be used for social engineering.
The most unusual example of a “mail” attack in the review is the use of a tracking pixel. It works like this: an employee of a company from top management receives seemingly meaningless emails, sometimes disguised as test mailings. It scans and deletes them, but the tracking image inserted into the body of the letter transmits a lot of data to the attackers: the IP from which the connection is made, as well as the approximate hours of work of the employee. Using this data, you can improve the accuracy of fraudulent messages that require “urgent contact with an external consultant” or “immediately transfer funds to a specified bank account.”
Phishing in the bulletin is divided into two categories: regular phishing and telephone phishing. With the usual, everything is clear, an example is given above. In such messages, as a rule, the user is asked to follow the link and enter the password from the corporate service. An example of voice phishing: we send an e-mail to an employee with a message allegedly about blocking an account. After a while, a phone call comes in, allegedly from a technical support employee on the same topic. As a successful example of support mimicry, attack on Twitter in the summer of 2020, when attackers gained access to the internal admin console.
The final part of the review describes completely non-standard types of corporate doxing. For example, hacking an account on the social network of a specific employee, without attacks on the corporate infrastructure. If the employee is a high-ranking employee, statements on his behalf in a private account can affect the company’s stock price and bring profit to the attackers. Finally, the future of corporate fraud is the synthesis of the voice of the company’s top managers to steal funds, damage reputation, and more. Single successful attacks were developed on the Clubhouse social network, where fake voice broadcasts on behalf of famous people were repeatedly noticed.
What else happened
The vulnerability in Microsoft Exchange is being closed at an incredibly fast pace. Microsoft report March 22 approvedthat 92% of vulnerable mail servers have already been patched. This is very fast compared to the speed of closing any other vulnerability, but not enough if you keep in mind the peculiarities of the hole, which gives full control over the server. Of the strange attacks on servers that did not update, or updated, but did not close an existing backdoor, last week was noted breaking into servers ostensibly on behalf of journalist Brian Krebs.
March 26th iOS, iPadOS, and watchOS update closes an actively exploited vulnerability in the WebKit engine that allows XSS attacks.
TikTok app source code analysis by CitizenLab did not reveal any violation of privacy. A caveat is required here: the experts did not find functions outside of the typical for this kind of development, but a lot of user data is still collected for advertising purposes.
ZDNet Edition writes about a real attack like BadUSB. A hospitality company received a USB flash drive in the mail, supposedly a free bonus from a major retail chain. In fact, the flash drive emulated a keyboard, which made it possible to download and install malicious code.
