Spear phishing is one of the most effective ways to break into a corporate network, and recent studies show that employees can be easily tricked on social media to provide the information needed to launch attacks.
A phishing attack is only as good as the information hackers are able to gather on the intended victim, who is less likely to click on a malicious link or attachment in an email that does appear to come from a trusted sender. As a result, criminals often research their targets on the Web.
For example, Websense Security Labs recently found a fake LinkedIn profile gathering information that could be used in future attacks.
The profile summary pretends to be that of "Jessica Reinsch," a made-up employee of a real dating Web site that connects young women with older, wealthy men. The site is located in Switzerland.
While Websense did not find any malicious code on the site, the vendor did find other related domains hosting "suspicious code." In addition, the IPs used to host the site are in the same autonomous system number (ASN) as multiple exploit kit command and control URLs, including those for RedKit and Neutrino, according to Websense.
The bogus profile had more than 400 connections with legitimate LinkedIn members, giving whoever was behind the account access to people's current employer, job titles, and connections on the network, which has more than 250 million members.
Jeff Debrosse, director of security research at Websense, said such information would be used to build a social graph of prominent individuals that could be used in spear-phishing attacks.
"That's worth a lot of money to the buyers of that information," Debrosse told CSOonline.
Businesses warned
While reconnaissance on potential victims grows more sophisticated, corporations appear to underestimate the threat. Almost 60 percent of 300 IT executives, administrators and professionals in U.S. organizations rated phishing as a "minimal" impact threat, according to an unscientific survey by ThreatSim.
While rating phishing as a low-level threat, more than one in four of the respondents reported phishing attacks that led to a "material breach within the last year." ThreatSim defined "material" as some form of malware infection, unauthorized access, and stolen data.
During a presentation at the RSA Europe security conference in Amsterdam last week, a cyberdefense specialist described an experiment that showed the effectiveness of using fake profiles on LinkedIn and Facebook to launch an attack.
Aamir Lakhani with IT service provider World Wide Technology described how the fake profile of an attractive female named Emily Williams was used to eventually get employees of an unnamed U.S. government agency to click on a link that could easily have been used to launch malware.
The bogus profile claimed Williams was a new hire at the agency with ten years experience and a 28-year-old graduate of the Massachusetts Institute of Technology. The researchers set up information about the woman on other Web sites to make the profile seem more credible.
Within 15 hours of launching the profile, Williams had 60 Facebook and 55 LinkedIn connections with agency employees and contractors. After 24 hours, she had three job offers from other companies.
The experiment pointed to the need for continuous training in organizations to reduce the chance of employees becoming victims of phishers.
"In the military it's called situational awareness," Lakhani told IDG News Service. "We need to develop situational awareness for this type of attack."