For the fourth entry in the CYDERES Technical Blog Series, we're going to talk about what businesses and executives should know about their digital footprint and OSINT. Open Source Intelligence (OSINT) is the practice of using publicly available resources to gather information (i.e., intelligence) about persons or entities. The information gathered ranges from the relatively harmless, such as details from social media accounts, to findings an attacker can act on directly, such as critical vulnerabilities on public-facing servers or leaked login credentials.

This information gathering can take many forms and draw on many resources, but the most common method is the use of publicly available information from the internet. Mind you, collecting information that is already public is generally legal. What is done with the data after it has been collected, together with the laws of your own country, determines whether any line has been crossed.

The reasons for performing OSINT vary as much as the methodologies behind it, but one of the more common motives is reconnaissance for monetary gain through nefarious means. For example, an adversary can impersonate an employee or business partner requesting the transfer of funds to a specific account, the classic business email compromise (BEC) attack. They can also gain unauthorized access to a business's computer network (cloud or on-premises) to steal proprietary data or intellectual property, employee PII, credit card and banking information, or employee credentials. All of this data can be sold in underground markets.

Before an adversary can do any of this, they must perform reconnaissance, using OSINT resources found on the internet, to understand their target: your company. And there's no shortage of OSINT tools available; try Googling "OSINT tools" and look at the number of results. The OSINT Framework, a curated directory of such resources, lists tools that anyone can use to gather information on an individual or company.

Google itself is probably the first OSINT tool an adversary will use to gather intelligence about your organization. Try Googling your company and see how many hits return. Aside from your company's web site, there will likely be results from LinkedIn, Twitter, Facebook and similar sites, and search operators such as site:yourcompany.com filetype:pdf quickly surface documents you may never have intended to publish. From there, it only becomes easier for the adversary to profile your business, its employees, and other avenues that can be exploited to gain access to your network.

One attack vector adversaries employ is spear-phishing, which targets specific employees within an organization. Using the search functions on LinkedIn, adversaries can quickly identify a particular company's employees by searching for job titles like 'Accountant', 'Payroll Specialist', 'HR Representative' or 'System Administrator'.

As an example, an adversary can search for "Fishtech Group" on LinkedIn and then scroll through the employees until individuals with the job title of interest, such as 'Accountant', are found.

From there, adversaries can use tools listed in the OSINT Framework that either return specific email addresses for employees or reveal the typical email naming convention used by a given business.

Querying mailshunt.com (linked from the OSINT Framework web site) for 'fishtech.group' returns several hits, including an employee's email address. The adversary now has the names of individuals who can be targeted in the Accounting Department, along with the email format used for those employees.

Combined with additional information collected from social media, company web sites and the like, it is not hard for an adversary to craft a realistic email impersonating an authority figure in the organization (or a business partner) and request fund transfers or other forms of payment from the targeted employee(s).
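The two reconnaissance steps above (harvest names by job title, learn the address convention from one known mailbox) are mechanical enough to script, and running the same script against your own domain shows you exactly the target list a phisher would build. The following is an added example written for this post, not code from the original article or from any OSINT Framework tool; every name, address and the example.com domain are hypothetical, and the list of address conventions is an assumption covering the formats most commonly seen, not an exhaustive one. It goes slightly beyond the single case in the text by detecting when one sample address is ambiguous between two conventions.

```python
import re

# Added example (not code from the original post). All names, addresses and the
# domain below are hypothetical, constructed for illustration.

# Constructed: one address discovered through an email-lookup service.
KNOWN_SAMPLE = ("Alice", "Morgan", "alice.morgan@example.com")

# Constructed: names harvested from a LinkedIn job-title search.
HARVESTED_NAMES = [("Bob", "Chen"), ("Carla", "O'Neil"), ("Dmitri", "van der Berg")]

# Assumed set of common corporate address conventions:
# name -> function of (first, last) producing the local part of the address.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[:1]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first": lambda f, l: f,
    "lastf": lambda f, l: f"{l}{f[:1]}",
    "first.l": lambda f, l: f"{f}.{l[:1]}",
}


def normalize(name):
    """Lowercase and drop anything that would not survive in a local part
    (apostrophes, spaces and diacritics are stripped, not transliterated)."""
    return re.sub(r"[^a-z]", "", name.lower())


def infer_convention(first, last, address):
    """Return (matching convention names, domain) for one known address.
    More than one match means the sample is ambiguous and a second
    known address is needed before generating a target list."""
    local, _, domain = address.lower().partition("@")
    f, l = normalize(first), normalize(last)
    matches = [name for name, fn in CONVENTIONS.items() if fn(f, l) == local]
    return matches, domain


def generate_candidates(names, convention, domain):
    """Apply one convention to every harvested name."""
    fn = CONVENTIONS[convention]
    return [f"{fn(normalize(f), normalize(l))}@{domain}" for f, l in names]


def build_target_list(sample, harvested):
    """End-to-end: infer the convention from the sample, then expand the
    harvested names. Returns None when the sample is ambiguous or unmatched."""
    first, last, address = sample
    matches, domain = infer_convention(first, last, address)
    if len(matches) != 1:
        return None
    return generate_candidates(harvested, matches[0], domain)


if __name__ == "__main__":
    for addr in build_target_list(KNOWN_SAMPLE, HARVESTED_NAMES):
        print(addr)
```

If the generated list reproduces real mailboxes in your directory, you have confirmed that a LinkedIn search plus one leaked address is enough to target your finance staff by name; the practical response is less about hiding the convention (it rarely stays secret) and more about inbound mail controls, payment-verification procedures and awareness for the roles that turn up in such searches.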

In 2019, the FBI's Internet Crime Complaint Center (IC3) recorded 23,775 business email compromise complaints that resulted in more than $1.7 billion in losses to the targeted businesses.

Another common technique is looking for leaked credentials. It's not uncommon for individuals to reuse the same password across business and personal accounts, so an adversary will use OSINT to collect leaked credentials associated with an organization's domain, or with the personal accounts of its employees found via social media, as a potential avenue for compromise.

If a business's intellectual property or other sensitive information is stored in a cloud service like Concur, Paylocity, Atlassian, etc., it's not difficult for an opportunistic adversary to identify individuals with access to those services via social media and use their leaked credentials to log in as them. Where the service is not protected by multi-factor authentication, a reused password is often all that is needed.
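The defender's version of this technique is to run the same dump analysis against your own domain and your employees' known personal addresses, and to screen passwords against breach data without ever handing the password to a third party. The following is an added example written for this post, not code from the original article; the breach dump, the people, the domains and the personal-to-work address mapping are all constructed, and the range lookup is a local simulation of the Pwned Passwords style k-anonymity API (only the first five hex characters of the SHA-1 would leave the client), not a call to any real service.

```python
import hashlib

# Added example (not code from the original post). Dump contents, people and
# domains are constructed for illustration.

# Constructed breach dump in the "email:password" form credential leaks are
# commonly traded in. The last line is deliberately malformed.
LEAK_DUMP = """\
alice.morgan@example.com:Summer2019!
amorgan1987@personal-mail.test:Summer2019!
bob.chen@example.com:correct horse battery staple
random.user@unrelated.test:hunter2
malformed line without a separator
"""

# Constructed: employees' personal addresses (found via social media) mapped
# to their work addresses, so reuse across accounts can be spotted.
PERSONAL_TO_WORK = {"amorgan1987@personal-mail.test": "alice.morgan@example.com"}

COMPANY_DOMAIN = "example.com"


def parse_dump(text):
    """Return (email, password) pairs. Split on the first ':' only, since
    passwords may themselves contain colons; lines without one are skipped."""
    creds = []
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue
        creds.append((email.strip().lower(), password))
    return creds


def exposure_for_domain(creds, domain, personal_map):
    """Map each work address to the set of passwords leaked for it, counting a
    leak of a known personal account as exposure of the work identity too."""
    exposed = {}
    for email, password in creds:
        work = email if email.endswith("@" + domain) else personal_map.get(email)
        if work:
            exposed.setdefault(work, set()).add(password)
    return exposed


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(creds):
    """Simulate the corpus side of a Pwned-Passwords-style range API:
    5-hex-char SHA-1 prefix -> {35-char suffix: occurrence count}."""
    index = {}
    for _, password in creds:
        digest = sha1_hex(password)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def times_seen(password, index):
    """Client side of the k-anonymity check: only the 5-char prefix would be
    sent over the network; the suffix comparison happens locally."""
    digest = sha1_hex(password)
    candidates = index.get(digest[:5], {})  # the "range" response for that prefix
    return candidates.get(digest[5:], 0)


if __name__ == "__main__":
    creds = parse_dump(LEAK_DUMP)
    exposure = exposure_for_domain(creds, COMPANY_DOMAIN, PERSONAL_TO_WORK)
    for work, passwords in exposure.items():
        print(work, "->", len(passwords), "leaked password(s)")
    index = build_range_index(creds)
    print("Summer2019! seen", times_seen("Summer2019!", index), "times")
```

Note that Alice's work identity shows up as exposed even though the second dump line names only her personal mailbox; that cross-account link is exactly what the social-media reconnaissance described above gives an adversary. Any work address that appears in the exposure map is a candidate for a forced password reset and an MFA enforcement check on the cloud services it can reach.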

These are simple examples of how adversaries use OSINT techniques to perform reconnaissance and enumerate your business's digital footprint. Other data sources include internet-facing servers or applications whose banners and version information are indexed on sites such as Shodan, poorly managed cloud assets or applications hosting sensitive data, and even a company's web site "About Us" page, which can hand an adversary names, roles and reporting lines!

We live in an age where the internet is ubiquitous and information is just a mouse-click away. Companies are quick to take advantage of this to develop their brand, but in doing so can unwittingly expose themselves to opportunistic attackers by sharing too much information. The same can be said of a company's employees: we are all too willing to showcase our skills by posting job titles and responsibilities on sites like LinkedIn to get the attention of future employers.

Sometimes information sharing is necessary; however, companies and their employees should limit what is shared and consider how their digital footprint may empower malicious actors. The good news is that these tools are available to you as well and should be used to profile your company's exposure to potential threats. Having a process in place to periodically review your company's online presence also helps identify sensitive data leaks, risks to brand reputation, and adversary targeting of executives. Whether your organization performs the research itself or employs a third-party service, understanding your attack surface is key to protecting your company's assets.

At CYDERES, we can help you understand your threat surfaces, and secure your business. We will continue to post these technical blog posts on the third Thursday of every month to continue to increase your knowledge on the threats facing your business today, but if you’re ready to talk to us more in depth about the specifics of securing your own business, fill out the form below, and we will put you in contact with one of our experts. Stay tuned for our next article in July!