How recent data breaches can help you avoid a catfish attack
Suggestions that recent, high-profile data breaches were enabled by so-called ‘catfish’ operations should not come as a surprise. The groups responsible, one of which is thought to be linked to the Iranian state, have been using this technique for several years, and it is highly likely that other criminals are finding ways to make catfishing work for them, too.
Although, in recent cases, social media was used to establish a level of trust as the basis for a subsequent attack, it is worth considering what else a potential attacker can gain from your social media profile, how they can use this information and what you can do to prevent them.
Targeting the professionals’ network
LinkedIn is the natural first port of call for any attacker conducting hostile reconnaissance on your organisation, with much of the information of interest generally being explicitly posted by the targeted individual. Pictures of security passes are always useful if an attacker is looking to gain physical access to a building, while screenshots, images of hardware and lists of skills relating to specific technologies/platforms are very useful in identifying a potential attack surface and the vulnerabilities that go with it.
Even comparatively minor snippets of information, such as the names of meeting rooms or the dates and times of key meetings, can be used by attackers to lend a degree of credibility to their attempts to impersonate staff and elicit further information.
The LinkedIn links
Going beyond what is actually posted by an individual, it’s also worth considering what information the associations inherent in LinkedIn can provide an attacker. LinkedIn has a large number of potential linkages: recommendations, endorsements, likes/comments and the ‘People Also Viewed’ column.
The last category is particularly interesting: the ‘People Also Viewed’ links form a graph that can reveal significant information about an organisation’s structure, and an attacker can walk that graph to reconstruct the structure in detail. This is possible even when individuals do not publicly reveal which organisation, or which department, they work for.
In tests against a known organisation, NCC Group analysts were able to replicate the structure with a good degree of accuracy using this methodology. Indeed, in some cases, analysts were able to identify the names of colleagues who were not even on LinkedIn: where an individual’s ‘People Also Viewed’ column is filled with links to different profiles sharing the same name, it indicates that people were searching for a colleague of that name and landing on namesakes instead.
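The social network analysis described above, as an added example rather than NCC Group’s own tooling: the Python below runs on a small constructed dataset of profiles and their ‘People Also Viewed’ entries (no LinkedIn access or API is used or assumed), treats co-viewing as an undirected link, propagates declared employers to profiles that hide theirs, and flags columns where several different profiles share one name, the signal for a colleague who is not on LinkedIn. The profile ids, names and employers are all invented.

```python
"""Reconstructing organisational structure from 'People Also Viewed' links.

Added example, not NCC Group's tooling. Works entirely on the constructed
dataset below; it assumes the 'People Also Viewed' lists have already been
collected and treats co-viewing as an undirected relationship.
"""
from collections import Counter, defaultdict

# Constructed sample: profile id -> (display name, declared employer or None,
# profile ids shown in that profile's 'People Also Viewed' column).
PROFILES = {
    "p1": ("Alice Example", "Acme Ltd", ["p2", "p3", "p4"]),
    "p2": ("Bob Example", "Acme Ltd", ["p1", "p3", "p5"]),
    "p3": ("Carol Example", None, ["p1", "p2", "p4"]),              # employer hidden
    "p4": ("Dan Example", None, ["p1", "p3", "p9", "p10", "p11"]),  # employer hidden
    "p5": ("Erin Example", "Acme Ltd", ["p2", "p6"]),
    "p6": ("Frank Example", "Other Corp", ["p5", "p7", "p8"]),
    "p7": ("Grace Example", "Other Corp", ["p6", "p8"]),
    "p8": ("Heidi Example", None, ["p6", "p7"]),                    # employer hidden
    # Three unrelated namesakes. They sit together in p4's column because
    # p4's colleagues kept searching for a 'Pat Sample' who has no profile.
    "p9": ("Pat Sample", "Unrelated A", []),
    "p10": ("Pat Sample", "Unrelated B", []),
    "p11": ("Pat Sample", "Unrelated C", []),
}


def build_graph(profiles):
    """Undirected adjacency: a link in either profile's column joins the two."""
    graph = defaultdict(set)
    for pid, (_, _, also_viewed) in profiles.items():
        for other in also_viewed:
            if other in profiles:
                graph[pid].add(other)
                graph[other].add(pid)
    return graph


def namesake_clusters(profiles, min_count=2):
    """{pid: {name: [ids]}} for columns holding >= min_count distinct profiles
    with the same name. Viewers of pid were probably hunting for a colleague of
    that name who is not (findably) on LinkedIn."""
    hits = {}
    for pid, (_, _, also_viewed) in profiles.items():
        by_name = defaultdict(set)
        for other in also_viewed:
            if other in profiles:
                by_name[profiles[other][0]].add(other)
        dupes = {n: sorted(ids) for n, ids in by_name.items() if len(ids) >= min_count}
        if dupes:
            hits[pid] = dupes
    return hits


def infer_employers(profiles, graph, noise=frozenset(), max_rounds=10):
    """Label propagation: a profile with no declared employer takes the employer
    most common among its neighbours, repeated until stable. Ties stay
    unresolved; namesake 'noise' profiles neither vote nor get labelled."""
    labels = {pid: emp for pid, (_, emp, _) in profiles.items()}
    for _ in range(max_rounds):
        changed = False
        for pid in sorted(profiles):
            if profiles[pid][1] is not None or pid in noise:
                continue  # declared employers are never overwritten
            votes = Counter(labels[n] for n in graph[pid]
                            if n not in noise and labels.get(n))
            if not votes:
                continue
            best, best_count = votes.most_common(1)[0]
            if sum(1 for c in votes.values() if c == best_count) > 1:
                continue  # no clear majority: leave as unknown
            if labels[pid] != best:
                labels[pid] = best
                changed = True
        if not changed:
            break
    return labels


def org_chart(employers):
    """Group profile ids by declared-or-inferred employer."""
    chart = defaultdict(list)
    for pid, emp in employers.items():
        chart[emp or "unknown"].append(pid)
    return {k: sorted(v) for k, v in chart.items()}


def analyse(profiles):
    """Full pipeline: namesake signals, then employer inference with those
    namesakes treated as noise, then the reconstructed chart."""
    hits = namesake_clusters(profiles)
    noise = {i for dupes in hits.values() for ids in dupes.values() for i in ids}
    employers = infer_employers(profiles, build_graph(profiles), noise=noise)
    return hits, employers, org_chart(employers)


if __name__ == "__main__":
    hits, employers, chart = analyse(PROFILES)
    for company, members in sorted(chart.items()):
        print(company, [f"{m} ({PROFILES[m][0]})" for m in members])
    for pid, dupes in hits.items():
        print(f"{pid}: colleagues searched for but absent from LinkedIn: {list(dupes)}")
```

On this data the hidden employers of p3, p4 and p8 are recovered from their neighbours, and p4’s column flags ‘Pat Sample’ as a name people at that organisation were looking for. The namesake exclusion matters: without it, a column padded with three unrelated ‘Pat Sample’ profiles would cast three stray votes and could drag an inference toward the wrong company.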
Safety in numbers
The ability of an attacker to exploit LinkedIn connections suggests that the problem goes well beyond individual responsibility; your social media security hygiene may be impeccable, but you’re still at risk from colleagues and connections who are less careful.
For an organisation to have the best chance of withstanding attempts at hostile reconnaissance, a sufficient proportion of the potential targets must lock down their profiles well enough to defeat social network analysis.
Locking down your LinkedIn profile
Here are our top tips for making your LinkedIn profile more secure:
Review the Settings & Privacy section of your account
The Settings & Privacy section can be accessed in the drop-down menu that appears when you click ‘Me’ at the top of the screen. Clearly there’s a trade-off between visibility and security; only you can decide where that balance should lie.
Think before you post
Posts often openly reveal potentially sensitive information. Pay special attention to the following:
- Information relating to physical security. Pictures of passes, security infrastructure, keys, etc. are helpful in gaining physical entry to a location.
- Information which may indicate the hardware/software in use by you or your organisation. Screenshots in particular can give away far more than you think, but also be wary of listing every technology you have gained proficiency in during your current role. (This information helps attackers identify potential technical vulnerabilities.)
- Information about the location/pattern of life of key staff members.
- Information such as project names and codes. This would be useful to an attacker in impersonating someone in your organisation.
- Key events or timings within the organisation. This would be useful for selecting the time/date when an attack is most likely to be successful.
Think before you connect
For those working in sectors where security is a priority, it’s generally good advice to avoid connecting with people with whom you are not already acquainted. Consider the following points when assessing whether to accept a connection:
- Most, but not all, catfishing attempts are built around the profile of a young, attractive female.
- Be alert to subtle clues, such as poor English (where relevant), inconsistencies in the profile and recently created profiles which lack existing, relevant connections within your industry.
- Although having mutual connections with the target may be an indicator that the profile is legitimate, it might just be an indication that some of your friends/colleagues have been suckered.
Consider removing the ‘People Also Viewed’ element from your profile, and consider how much information you are revealing when you give and receive recommendations, endorsements, likes and comments.
See it, report it
Report suspected catfish profiles to LinkedIn and alert others in your organisation/network to your concerns.
Using LinkedIn effectively requires a balance of competing priorities: security considerations have to be weighed up against the potential advantages in regard to sales, marketing, industry collaboration and professional development.
NCC Group consultants have an in-depth understanding of the kind of information that attackers look for, where they look for it, and how they use it to target individuals and organisations. If you require it, we can provide your organisation with an attacker’s-eye view, showing the nature and extent of your digital footprint and its potential security implications.
Published date:  12 October 2017
Written by:  Tim Haines