Hello, This Is Microsoft: A Social Engineering Staple
Cyber sleuthing is easier than you think.
Residing in the information age presents both blessings and challenges. Whether intentionally disclosed or not, your organization's information is easily accessible and can be located on numerous websites.
Organization’s formation information
Address
Contact information
Person(s) who formed the organization
Organization’s hierarchy and employment status
Employees
Employee titles
Employee salary ranges
Position Titles
Open Employment Positions
Organization’s Communication Channels
Domains
Emails
Phone Numbers
Chat Portals
Ticketing Solutions
Utilizing data effectively.
A solitary piece of information may often seem harmless, but the real danger arises when multiple data points can be assembled to create a comprehensive profile of a person or organization. This amalgamation of information can then be exploited for malicious purposes. The following are some combinations commonly employed by threat actors.
-
The email prefix structure follows a generic format for readability and name recognition:
firstname@domain.com [e.g., luke@tatooineindustries.com]
firstname.lastname@domain.com [e.g., luke.skywalker@tatooineindustries.com]
lastname.firstname@domain.com [e.g., skywalker.luke@tatooineindustries.com]
firstinitial+lastname@domain.com [e.g., lskywalker@tatooineindustries.com]
Once a threat actor determines the organization's email prefix, identifying the domain becomes a relatively straightforward task. In most cases, an organization's website address serves as its email domain. However, if this is not the case, threat actors may attempt to discover a generic email, such as support@domain.com or info@domain.com, to fulfill the domain requirement.
Furthermore, by leveraging platforms like LinkedIn, threat actors can browse through the profiles of employees within the targeted organization, constructing a precise target list.
While this process may seem complex, automated tools such as web scraping tools or built in search tools through platforms, can streamline the collection of this information. Alternatively, threat actors can turn to illicit data dealers, purchasing a database of email addresses from past public breaches for a nominal fee.
The ultimate goal of these efforts is to execute a phishing campaign against the organization, aiming to gain unauthorized access to account credentials, systems, or sensitive data.
-
Organization websites act as essential hubs of information, providing a foundational overview of services, mission, and values. Many sites offer diverse contact options, including email, phone, and online forms, facilitating easy engagement and fostering transparency.
Targeting the Organization:
Depending on the available information, a threat actor could exploit the communication channels provided to impersonate an official employee, thereby gaining unauthorized access to their account. As straightforward as claiming "I forgot my password," this method can be deceptively simple yet effective.
Targeting the Individual:
Threat actors can leverage the organization's website to gather generic information, enabling them to assume the identity of an employee. This acquired information serves as a foundation for creating a social profile on third-party platforms, building a reputation, and using gained trust to access organizational data. These attacks are often persistent, spanning months, with the primary goal being continuous information gathering.
-
Organization’s will usually place their partnerships/vendor relationships on their website in order to provide brand recognition to would be prospects. While it may not be direct financial institutions, an indirect breach of systems can lead to financial gain for threat actors.
Whether thats reaching out to the organization’s client partners to breach their systems or interacting with a key infrastructure partner to gain leverage on the organization, these partnerships open a myriad of attack vectors.
Social engineering is phishing’s best friend.
Successful phishing campaigns typically leverage a blend of contextual organizational knowledge, brand recognition, understanding systemic or social hierarchies, and strategically implemented calls to action. Whether it's convincing a support desk they’re a user at the organization that needs to reset a password and grant Multi-Factor Authentication (MFA) authority to regain access to a locked system, convincing a CFO to initiate a wire transfer to settle an organizational debt, or providing a malicious file titled “Proposal” to a finance team, threat actors skillfully incorporate fragments of information to enhance credibility and persuade the end user.
Learn more about phishing in a prior post here.
How realistic is this scenario?
Whether you're a large enterprise or an individual, chances are you've encountered situations where someone has called or emailed, posing as IT Support, Microsoft, the IRS, Bank of America, Amazon, Verizon, or any other entity—whether internal or a governing body. Below you will find a quick list of organizations that have fallen victim to social engineering attacks.
An uphill battle.
As long as there is financial gain to be had, threat actors will persist in deploying this highly effective attack vector. To proactively navigate this landscape, we've outlined steps that organizations or individuals can take to enhance their protection in our phishing post.
We are an email away.
If you have any more questions or seeking guidance, feel free to reach out and have a chat with the team. We are here to help!