One of the problems we have seen over the last couple of years has a direct connection to the rise of social networking. Social networks such as Facebook, LinkedIn and others may hide our most valuable personal information, but they still expose some of it.
A spear phishing attack is one in which the attacker targets a specific individual within an organization, either to steal information directly from that person or to use their account or machine as a springboard into the corporate network.
If an attacker wants access to a database inside an organization, the most direct route is usually a DBA's workstation. Why? Because that job role has almost unlimited access to corporate data.
The Social Connection
In the information age, anyone who is anyone, and who wants to advance their career and business network, uses some kind of online social network to announce "I exist." This, however, introduces some serious risks.
Social networks such as LinkedIn make it very simple for head hunters, HR and sales organizations to search for and target specific individuals for employment. With the industrialization of hacking, how does an attacker see that same capability?
An attacker who wants to spear phish a DBA at a company will find that identifying targets has become a lot easier. All they really have to do is use a tool like LinkedIn's Advanced Search, enter "DBA" as current job title and "<put-company-name-here>" as current company, perhaps add the industry, and they are done. LinkedIn does the job for them:
The search results show exactly who to target.
What can individuals and companies do to protect themselves?
- Don't accept every invite you receive on a social network. Not everyone is trying to hire you or do business with you; some just want your contact information so that, once they have picked you as a target, they can send you phishing emails.
- Treat social network messages the way you treat email: check who the message is really from and understand the context before you choose to reply.
- Make sure your social network profiles do not share your contact information with anyone you have not explicitly approved.
- As an organization, have a policy in place and the tools to protect your employees from such scams.
- Education: train employees and raise awareness.
- Assume you have already been compromised. For more, read this.
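The "check who the message is really from" advice above is the one item in the list that can be partly automated. The following is an added example, not code from the original post: it parses a message's `From` and `Reply-To` headers and flags the three patterns a spear phisher typically relies on, a display name that claims the target's organization while the address is elsewhere, a lookalike sender domain, and a `Reply-To` that routes answers to a different domain. The trusted domain `example.com` and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical: the organization's own mail domain(s). Not from the original post.
TRUSTED_DOMAINS = {"example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch near-miss domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain: str, trusted: set[str]) -> bool:
    """A domain is trusted if it is, or is a subdomain of, a trusted domain."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def check_sender(raw_message: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return warnings for a raw RFC 5322 message; an empty list means nothing stood out."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    warnings = []

    # 1. Display name mentions a trusted organization, but the address is not ours.
    for t in trusted:
        org = t.split(".")[0]
        if org in name.lower() and not is_trusted(from_domain, trusted):
            warnings.append(f"display name mentions {org!r} but sender domain is {from_domain!r}")

    # 2. Sender domain is a lookalike: a couple of edits away from a trusted domain,
    #    or a trusted domain embedded in a longer name (example.com.evil.net).
    for t in trusted:
        if from_domain == t or from_domain.endswith("." + t):
            continue
        if edit_distance(from_domain, t) <= 2 or t in from_domain:
            warnings.append(f"sender domain {from_domain!r} looks like {t!r}")

    # 3. Replies are routed to a different domain than the one the mail claims to come from.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(f"Reply-To goes to {domain_of(reply_addr)!r}, not {from_domain!r}")

    return warnings


# Constructed sample messages for the example.
PHISH = """From: "Example HR" <hr-team@examp1e.com>
Reply-To: recruiter@mail-service.net
To: dba@example.com
Subject: Updated database access policy

Please review the attached document and confirm your credentials.
"""

LEGIT = """From: "Jane Doe" <jane.doe@mail.example.com>
To: dba@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_sender(raw) or "no warnings")
```

The checks are deliberately simple string comparisons on headers the recipient can see; they complement, rather than replace, SPF/DKIM/DMARC evaluation done by the mail gateway, and the same "who is this really from" question applies to a LinkedIn message whose sender profile was created last week.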