While targeting executives requires more focus and planning, a successful attack on a high-value account provides attackers with unprecedented access to valuable data.
Cloudflare said that the attack was so sophisticated that any company would have fallen for it. The crux of the operation was targeting employees’ personal devices and even their family members.
According to Dr. Chris Pierson, CEO of cybersecurity firm BlackCloak, threat actors likely used data brokers to obtain this personal information about employees and their family members. Most companies are vulnerable to similar attacks, whether they target rank-and-file employees or higher-ups.
“Data brokers are a huge, overlooked threat for companies. It’s rare for a company to be proactive at removing this type of information on their employees or executives from the various data brokers that are out there,” Pierson told Cybernews.
“Many companies struggle to implement rigorous access controls for their employees, but even fewer are doing this for their executives and none in their personal lives,” Dr. Chris Pierson, CEO of BlackCloak, told Cybernews.
Recent targeted phishing campaigns against Twilio and Cloudflare involved threat actors using victims’ email addresses and telephone numbers. Do you think the data could have been obtained via data brokers?
We don’t yet know all the details in these cases, and some of the targeted phone numbers may have been exposed through the breach of Twilio’s systems. However, I think it’s likely that the threat actor, in this case, may also be using data broker information to target victims. Data brokers are a huge, overlooked threat for companies.
It’s rare for a company to be proactive at removing this type of information on their employees or executives from the various data brokers that are out there, but it’s important to recognize that the type of personal information contained in data broker reports provides incredible opportunities for attackers.
With this information, they have the tools they need to launch targeted attacks on specific employees through personal accounts, personal devices, and home networks where the company’s security usually does not extend. This creates a prime opportunity for attackers to social engineer these employees, steal their credentials, and gain access to the company’s network.
Can you explain how a threat actor could use data brokers to obtain information necessary for an attack? Don’t data brokers have to anonymize the information they’re selling?
There are many different kinds of data brokers. We monitor approximately 200 that compile specific personal and private information about employees and executives. This information is not anonymized. In fact, the entire point of these services is to provide highly personal, individual-specific information.
A threat actor can use this information in many ways. The most common way is to use it for spear-phishing attacks on the individual at their personal email address or SMS. What makes data broker information so valuable to an attacker is that it contains private details about the person’s life and a means for contacting them.
These private details include a list of their family members, neighbors, current home address, previous addresses, cell phone numbers, family members’ cell phone numbers, personal email, social media accounts, and more. Some data brokers also collect criminal records, voting information, property records, etc. They may also collect home IP addresses, which would be very useful for attackers.
The personal information allows the attacker to craft a phishing message that is specific and personalized for that individual. This can be very persuasive and convince the victim that the person contacting them is from a legitimate company or organization. Since the brokers also provide contact details, the attacker can target an individual on their personal accounts, which are usually not monitored by their employer. An attacker could also cross-reference these accounts with stolen password lists to directly hijack the person’s accounts.
Previously, you said that 40% of online data brokers had the IP address of an executive’s home network. Could you elaborate on how such data would end up in data brokers’ hands and how threat actors could leverage that data to their benefit?
IP addresses likely end up in the hands of a data broker when an app on your device knows your address through GPS or the registered profile and cross-references this with the IP address from which the app is operating or sending a nightly 'heartbeat' to the server.
A home IP address would be very valuable to an attacker, as this will allow them to scan that network for any open or unpatched devices that can be compromised to steal information, infect other devices or hijack them.
What dangers does a targeted attack on an executive pose to a company? Could you elaborate on what such an attack would look like?
A C-suite executive is a golden ticket for an attacker, as this gives the cybercriminal direct access to accounts containing important information and provides a great deal of leverage when attempting to social engineer other employees. Many companies struggle to implement rigorous access controls for their employees, but even fewer are doing this for their executives and none in their personal lives. C-level executives usually have almost unfettered access to systems and data within the company, or they can request it from their employees.
For example, a cybercriminal who decides he wants to target a Fortune 500 company would probably start by doing some online research on the company’s website and on social media sites like LinkedIn to find specific executives with high-level access who would be ideal for them to target.
Once they have the person’s name and location, they can search for this person in any one of over 200 data brokers that provide extensive personal information. This profile will include personal details and the person’s email, social media accounts, and phone number. It may also have the executive’s home IP address.
With this information, the attacker could immediately cross-reference the email accounts with password dumps to see if there is a match or if there are other passwords for this person which they may be reusing on their personal or company accounts. In this way, an attacker could quickly move into the executive’s email or corporate accounts.
However, suppose this method doesn’t work. In that case, they are armed with enough personal information to craft a very convincing spear-phishing message, which may even spoof a family member’s email or phone number. They can trick the executive into installing malware or exposing their credentials.
The attacker will then move through these accounts to compromise the corporate accounts. As mentioned above, the attacker could also scan the executive’s home IP address to look for a vulnerable device that will give them a foothold on their private network.
We often find that Internet of Things products, home automation, and expensive customized security camera systems are ideal for gaining access to a personal network. Once on the network, the attacker can intercept or steal information, hack into devices, or spy on the executive and their family members. For example, we recently dealt with a case where an executive’s family member was recorded through a compromised web camera once the attacker gained a foothold on the computer and inside the home.