So, how do attackers collect information about their targets? Cybercriminals can employ five types of intelligence to obtain and analyze information about their targets. They are:
OSINT is a hacking technique used to gather and evaluate publicly available information about organizations and their employees.
OSINT technologies can help threat actors learn about their target's IT and security infrastructure, exploitable assets including open ports and email addresses, IP addresses, vulnerabilities in websites, servers, and IoT (Internet of Things) devices, leaked or stolen passwords, and more. Attackers use this information to conduct social engineering assaults.
Although SOCMINT is a subset of OSINT, it is worth mentioning. Most people freely provide personal and professional information about themselves on major social networking sites, including their headshot, interests and hobbies, family, friends, and connections, where they live and work, current job positions, and a variety of other characteristics.
Attackers can use SOCINT software like Social Analyzer, Whatsmyname, and NameCheckup.com to filter social media activity and information about individuals to create tailored social engineering frauds.
Assume you download a free chess app for your phone. A tiny section of the app displays location-based adverts from sponsors and event organizers, informing users about local players, events, and chess meetups.
When this ad is displayed, the app sends certain information about the user to the advertising exchange service, such as IP addresses, the operating system in use (iOS or Android), the name of the mobile phone carrier, the user's screen resolution, GPS coordinates, etc.
Ad exchanges typically keep and process this information to serve appropriate adverts depending on user interests, behavior, and geography. Ad exchanges also sell this vital information.
The Dark Web is a billion-dollar illegal marketplace that trades corporate espionage services, DIY ransomware kits, drugs and weapons, human trafficking, and so on. The Dark Web sells billions of stolen records, including personally identifiable information, healthcare records, financial and transaction data, corporate data, and compromised credentials.
Threat actors can buy off-the-shelf data and use it for social engineering campaigns. They can even hire professionals to socially engineer people on their behalf or identify hidden vulnerabilities in target businesses. In addition, there are hidden internet forums and instant messaging services (such as Telegram) where people can learn more about possible targets.
In addition to the five basic disciplines, some analysts refer to AI as the sixth intelligence discipline. With recent breakthroughs in generative AI technologies, such as Google Gemini and ChatGPT, it's easy to envisage fraudsters using AI tools to collect, ingest, process, and filter information about their targets.
Threat researchers have already reported the appearance of dangerous AI-based tools on Dark Web forums such as FraudGPT and WormGPT. Such technologies can greatly reduce social engineers' research time while also providing actionable information to help them carry out social engineering projects.
All social engineering assaults are rooted in information and its negligent treatment. Businesses and employees who can limit their information exposure will significantly lessen their vulnerability to social engineering attacks. Here's how.
Monthly training: Use phishing simulators and classroom training to teach employees not to disclose sensitive or personal information about themselves, their families, coworkers, or the organization.
Draft AI-use policies: Make it plain to employees what constitutes acceptable and unacceptable online activity. For example, it is unacceptable to prompt ChatGPT with a line of code or private data, as well as to respond to strange or questionable queries without sufficient verification.
Utilize the same tools that hackers use: Use the same intelligence sources mentioned above to proactively determine how much information about your firm, its people, and its infrastructure is available online. Create a continuous procedure to decrease this exposure.
Good cybersecurity hygiene begins with addressing the fundamental issues. Social engineering and poor decision-making are to blame for 80% to 90% of all cyberattacks. Organizations must prioritize two objectives: limiting information exposure and managing human behavior through training exercises and education. Organizations can dramatically lower their threat exposure and its possible downstream impact by focusing on these two areas.
Carpetright, an eminent flooring retailer in the UK, has fallen victim to a cyber attack, causing disruption to its operations and affecting hundreds of customer orders. Last week, hackers targeted the flooring specialist’s head office in Purfleet, Essex, by sending malware to gain unauthorised access. As a result, customers have been unable to place orders on the company's website or in any of its 400 shops since last Thursday, when systems were taken offline. A spokesperson for the retailer expressed regret for any inconvenience caused, stating, “We are not aware of any customer or colleague data being impacted by this incident and are currently conducting tests and resetting systems, with investigations ongoing.”
The malware infiltration prompted a response from Carpetright's IT security team, who took the drastic measure of taking the entire network offline to contain the threat and prevent further spread. As a result, essential systems crucial for day-to-day operations, including payroll information and employee booking portals, became inaccessible.
The consequences of the attack extended beyond the company's internal operations, as phone lines remained down, leaving customers unable to reach support. Despite the disruption, company officials assured stakeholders that no customer or colleague data had been compromised.
Rising Threat of Cyber Attacks
The cyber attack on Carpetright comes amidst a concerning trend, with recent surveys indicating a sharp increase in cyber attacks targeting British businesses. According to the findings, half of British businesses reported experiencing a cyber attack within the past year, marking a terrific uptick from previous years.
NHS Dumfries and Galloway and British Library Targeted
The incident at Carpetright follows similar cyber attacks on critical institutions, including NHS Dumfries and Galloway and the British Library. Last month, NHS Dumfries and Galloway fell victim to a ransomware attack orchestrated by the INC Ransom group, resulting in the unauthorised access of patient data. The breach raised concerns about patient confidentiality and highlighted the vulnerability of healthcare infrastructure to cyber threats.
In a separate incident, the British Library suffered a major technology outage following a cyber attack by the Rhysida ransomware group. The attack disrupted operations at the renowned research library and underlined the institution of cyber criminals targeting high-profile institutions.
Challenges Faced by Carpetright
The cyber attack compounds the challenges faced by Carpetright in contemporary times, as the company navigates a downturn in demand and heightened competition. Founded in 1988 by Philip Harris, Carpetright has weathered various storms over the years, including its delisting from the London Stock Exchange in 2019 following its acquisition by Meditor, a British hedge fund.
As Carpetright seeks to recover from the cyber attack and adapt to the unfolding market dynamics, its resilience and ability to innovate will be critical in ensuring its long-term viability amidst ongoing uncertainties, including the cost of living crisis impacting consumer behaviour.
A hacking group responsible for cyberattacks on water systems in the United States, Poland, and France is linked to the Russian military, according to a cybersecurity firm, indicating that Moscow may escalate its efforts to target opponents' infrastructure.
Sandworm has long been known as Unit 74455 of Russia's GRU military intelligence organization, and it has been linked to attacks on Ukrainian telecom providers as well as the NotPetya malware campaign, which damaged companies worldwide.
Researchers at Mandiant, a security business owned by Google Cloud, discovered that Sandworm appears to have a direct link to multiple pro-Russia hacktivist organizations. Mandiant believes Sandworm can "direct and influence" the activities of Russia's Cyber Army.
One of them is the Cyber Army of Russia Reborn (CARR), also known as the Cyber Army of Russia, which has claimed responsibility for cyberattacks against water infrastructure this year.
One attack occurred in Muleshoe, Texas, causing a water tower to overflow and spilling tens of thousands of gallons of water down the street.
Ramon Sanchez, the city's manager, told The Washington Post that the password for the system's control system interface had been compromised, adding, "You don't think that's going to happen to you." Around the same time, two additional north Texas communities, Abernathy and Hale Center, discovered hostile activity on their networks.
APT44 is not your run-of-the-mill hacking group. It operates with surgical precision, blending espionage, sabotage, and influence operations into a seamless playbook. Unlike specialized units, APT44 is a jack-of-all-trades, capable of infiltrating networks, manipulating information, and disrupting critical infrastructure.
Ukraine has borne the brunt of APT44’s wrath. The group’s aggressive cyber sabotage tactics have targeted critical sectors, including energy and transportation. Their weapon of choice? Wiper malware that erases data and cripples systems. These attacks often coincide with conventional military offensives, amplifying their impact.
But APT44’s reach extends far beyond Ukraine’s borders. It operates in geopolitical hotspots, aligning its actions with Russia’s strategic interests. As the world gears up for national elections, APT44’s interference attempts pose a grave threat. Imagine a digital hand tampering with the scales of democracy.
Mandiant has officially christened Sandworm as APT44. This isn’t just a name change; it’s a recognition of the group’s maturity and menace. The report provides insights into APT44’s new operations, retrospective analysis, and context. Organizations must heed the warning signs and fortify their defenses.
The Federal Bureau of Investigation (FBI) has alerted the public to a widespread SMS phishing scam sweeping across the United States. The scam, which began in early March 2024, specifically targets individuals with fraudulent messages regarding unpaid road toll fees.
What Does The Scam Entails?
Thousands of Americans have already fallen victim to this harrowing scam, with over 2,000 complaints flooding the FBI's Internet Crime Complaint Center (IC3) from at least three states. The deceptive messages typically claim that the recipient owes money for outstanding tolls, urging them to click on embedded hyperlinks.
The perpetrators behind these attacks employ sophisticated tactics to deceive their targets. By impersonating legitimate toll services and altering phone numbers to match those of the respective states, they create a false sense of authenticity. However, the links provided within the messages lead to fake websites designed to extract personal and financial information from unsuspecting victims.
Cautionary Advice
Authorities are urging individuals who receive such messages to exercise caution and take immediate action. The Pennsylvania Turnpike, one of the affected toll services, has advised recipients not to click on any suspicious links and to promptly delete the messages. Similarly, the Pennsylvania State Police have issued warnings about the scam, emphasising the dangers of providing personal information to fraudulent sources.
To safeguard against falling prey to this scam, the FBI recommends several preventive measures. Victims are encouraged to file complaints with the IC3, providing details such as the scammer's phone number and the fraudulent website. Additionally, individuals should verify their toll accounts using the legitimate websites of the respective toll services and contact customer service for further assistance. Any suspicious messages should be promptly deleted, and if personal information has been compromised, immediate steps should be taken to secure financial accounts and dispute any unauthorised charges.
What Is Smishing?
Smishing, a blend of "SMS" and "phishing," is a form of social engineering attack wherein fraudulent text messages are used to deceive individuals into divulging sensitive information or downloading malware. In this instance, the scam preys on individuals' concerns regarding unpaid toll fees, exploiting their trust in official communication channels.
As the SMS phishing scam continues to proliferate, it is imperative for individuals to remain vigilant and sceptical of unsolicited messages. By staying informed and taking proactive measures to protect personal information, users can mitigate the risks posed by such malicious activities. Authorities are actively investigating these incidents, but it is crucial for the public to be proactive in safeguarding their financial and personal information from exploitation.
In this blog, we delve into these techniques and explore their implications for organizations relying on SharePoint for collaboration and document management.
The first technique leverages the “open in app” feature in SharePoint. Here’s how it works:
Objective: Access and download files while leaving minimal traces in the audit log.
Execution:
Advantages:
The second technique exploits the User-Agent associated with Microsoft SkyDriveSync. Here’s how it operates:
Objective: Download files (or entire sites) while mislabeling events as file syncs instead of downloads.
Execution:
Advantages:
These techniques pose significant challenges for organizations relying on SharePoint for collaboration and data management. Here are some considerations:
1. Audit Log Monitoring: Organizations must enhance their audit log monitoring capabilities to detect anomalies related to access events and file syncs. Regular review of audit logs can help identify suspicious patterns.
2. User Training: Educate users about the risks associated with the “open in app” feature and the importance of adhering to security policies. Limit access to this feature where possible.
3. User-Agent Analysis: Security teams should closely analyze User-Agent headers to differentiate legitimate file syncs from potential exfiltration attempts. Anomalies in User-Agent strings may indicate malicious activity.
4. Behavioral Analytics: Implement behavioral analytics to identify abnormal user behavior. Unusual download patterns or frequent use of the “open in app” feature should trigger alerts.
5. Policy Enforcement: Consider adjusting security policies to account for these techniques. For example, enforce stricter controls on file sync events or limit access to certain SharePoint features.
Security is a continuous journey, and staying informed is the first step toward effective risk mitigation. By understanding these SharePoint evasion techniques, organizations can better protect their sensitive data and maintain the integrity of their collaboration platforms.