IT AUDIT & SECURITY
Scott Goodwin, Senior IT Security Analyst
7 October 2019
From the news media to government officials, everyone is talking about data breaches. The more useful question is how the attackers behind them actually gain access to the data. Social engineering is the act of masquerading as a trusted individual to convince a victim either to act on your behalf or to divulge confidential information. According to IAPP Daily Dashboard, a recent Verizon report stated that ninety percent (90%) of data breaches involved an element of phishing or social engineering. Dealerships are a natural target for social engineers because of the sensitive personal and financial data they hold. Social engineering comes in many forms, such as phishing and spear-phishing, and all of them share one trait: preparation through open source intelligence (OSINT) makes them far easier to carry out.
OSINT is the practice of collecting publicly available data from the internet and turning it into information that can be used for a variety of purposes. Often, however, hackers use this collected information as part of their reconnaissance when targeting a specific organization. In this context, the “public domain” simply means the openly accessible areas of the Internet: any publicly available data is readily accessible to whoever searches for it, including malicious actors. Through OSINT, they can collect large amounts of data about your organization and its employees and use it to shape their attacks.
Both the good guys and bad actors regularly monitor sites frequented by hackers, such as public forums and paste-style web pages. The idea behind these sites is that text or files can be uploaded anonymously by a visitor and are publicly available for all of the internet to see, visit, or download. Hackers commonly release stolen information on these sites for a variety of reasons: to take credit for a breach, to entice buyers into purchasing a dump of sensitive information, or simply to heighten the impact of a breach on the target organization. If a dump of usernames and passwords is posted on one of these sites, anyone scraping that site will now have a copy of those records. Hackers can use business email addresses collected from these sources to perform targeted phishing attacks, otherwise known as spear-phishing. Additionally, when business email addresses and passwords are released because of a third-party breach, the risk to the dealership is even greater. Although the breach was of an external, third-party system, employees regularly reuse credentials, so an attacker may try the employee’s leaked password against the dealership’s own systems to gain unauthorized access.
Social media and professional networking websites also pose a risk to companies because of the information that employees share online. Need a dealership directory? Check out LinkedIn.com. Need to find out which vendors a dealership uses? Just review the business connections of the executives. Using tools that crawl social media websites and extract their data, hackers can compile a list of all employees who claim to work for a specific dealership. From there, the hackers try numerous combinations of email naming conventions (first.last, first initial plus last name, and so on) to identify active addresses on the dealership’s email domain: @dealershipdomain.com. Eventually, they’ll find a way to email the targeted dealership’s staff.
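The two preceding paragraphs describe one chain: a credential dump leaks a few business addresses, and a scraped staff list plus a guessed naming convention turns those few into a mailing list for the whole dealership. The following is an added example, not code from the original article, that walks that chain end to end on constructed data. The dump lines, the domain example-dealership.com and the staff names are all made up for the illustration; a defender can run the same logic against their own directory to see exactly which addresses are derivable from public sources.

```python
# Added example: from a paste-style credential dump to a derived staff mailing list.
# All data below is constructed for illustration; no real dealership or person is involved.

# Constructed sample of a paste-style dump in the common "email:password" form,
# including unrelated addresses and a junk line, as real pastes contain.
SAMPLE_DUMP = """\
jsmith@example-dealership.com:Summer2019!
random.person@gmail.com:hunter2
mjones@example-dealership.com:Password1
noise line without a colon
bob.lee@example-dealership.net:qwerty
"""

DEALERSHIP_DOMAIN = "example-dealership.com"  # hypothetical target domain

# Constructed staff list, as an attacker might scrape it from a professional network.
SCRAPED_STAFF = [("Jane", "Smith"), ("Mark", "Jones"), ("Priya", "Patel"), ("Carlos", "Diaz")]

# Common corporate email naming conventions to test against any known-good address.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first": lambda f, l: f,
    "lastf": lambda f, l: f"{l}{f[0]}",
}


def extract_domain_credentials(dump, domain):
    """Return (email, password) pairs from the dump whose address is on `domain`.

    Lines without an email:password separator are skipped; the '@' is included
    in the suffix check so look-alike domains such as evil-example-dealership.com
    are not matched.
    """
    results = []
    suffix = "@" + domain.lower()
    for line in dump.splitlines():
        email, sep, password = line.partition(":")
        if not sep:
            continue
        email = email.strip().lower()
        if email.endswith(suffix):
            results.append((email, password))
    return results


def infer_convention(known_emails, staff, domain):
    """Pick the naming convention that explains the most known addresses.

    Returns (convention_name, number_of_matches); (None, 0) if nothing fits.
    """
    known_local_parts = {e.split("@")[0] for e in known_emails}
    best, best_hits = None, 0
    for name, fmt in CONVENTIONS.items():
        hits = sum(1 for f, l in staff if fmt(f.lower(), l.lower()) in known_local_parts)
        if hits > best_hits:
            best, best_hits = name, hits
    return best, best_hits


def generate_addresses(staff, domain, convention):
    """Apply an inferred convention to the whole staff list."""
    fmt = CONVENTIONS[convention]
    return [f"{fmt(f.lower(), l.lower())}@{domain}" for f, l in staff]


def derive_target_list(dump, staff, domain):
    """Full chain: leaked addresses -> inferred convention -> derived staff addresses."""
    leaked = extract_domain_credentials(dump, domain)
    convention, hits = infer_convention([e for e, _ in leaked], staff, domain)
    if convention is None:
        return []
    return generate_addresses(staff, domain, convention)


if __name__ == "__main__":
    leaked = extract_domain_credentials(SAMPLE_DUMP, DEALERSHIP_DOMAIN)
    print("Leaked accounts on our domain (test these for reuse, then reset):")
    for email, _ in leaked:
        print("  ", email)
    convention, hits = infer_convention([e for e, _ in leaked], SCRAPED_STAFF, DEALERSHIP_DOMAIN)
    print(f"Inferred convention: {convention} ({hits} known addresses match)")
    print("Addresses an attacker can now derive without ever touching our mail server:")
    for addr in derive_target_list(SAMPLE_DUMP, SCRAPED_STAFF, DEALERSHIP_DOMAIN):
        print("  ", addr)
```

Two of the four staff members never appeared in any dump, yet their addresses fall out of the convention the other two revealed. That is why the article's advice on policy and awareness matters: the address list cannot be kept secret, so the controls have to sit on what happens after the email arrives (and on making sure a password leaked elsewhere does not also open the dealership's own systems).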
A third method, tried and tested by attackers, is to use free, open-source software designed for OSINT collection. Some tools produce a chart of everything they can find on the internet about a given input, whether that is a name, email address, website, phone number, account name, or similar, and return the relationships linking a person, a dealership, or a website. Because the software is free and relatively simple to use, it is popular with malicious actors and security researchers alike. Other tools gather data from services exposed on open ports or help users build a picture of an organization’s internet footprint.
It is important to monitor the web for information being posted about your dealership and to remind employees of the risks of social media and the internet. Dealerships should implement social media and acceptable use policies and require employees to sign them. Additionally, annual security awareness training and phishing testing are a must. Find a vendor with expertise in this area and let them simulate an attack on your network; it is good to pinpoint which technical areas within your infrastructure are vulnerable.
Using any of these methods, social engineers have simplified the process of sending malicious payloads or attachments to dealership employees in an attempt to fool them into visiting an infected website, clicking a link or attachment that downloads malware onto their computer, or sharing sensitive information with the attacker. Whatever the hacker’s goal, there is no question that open-source intelligence gathered from the public domain has shortened the time it takes to compromise an organization. It is time for us to recognize these threats and work to mitigate the risk to our dealerships.