A new coup by cybercriminals is currently stirring the information security industry. Attackers have used so-called scraping to read the data of more than 500 million LinkedIn profiles and are now offering them for sale to other cybercriminals. This is not a data leak in the strict sense, as LinkedIn emphasizes, but rather officially accessible profile information.
David Kelm, CEO of IT-Seal, is a social engineering & security awareness expert and has been working on this topic for nearly 10 years.
What can cyber criminals do with this information?
David Kelm: Although at first glance it may seem that this publicly available data from LinkedIn is less explosive, it still provides cyber attackers with a very effective tool. They can effectively use this personal information to conduct targeted spear phishing attacks on companies and their employees. Because the phishing emails are enriched with personal information, they are much harder to detect as phishing than generic mass phishing emails. Here, the attackers leverage the human factor and try to penetrate the company through it. The special form of these spear phishing e-mails based on publicly available information is called OSINT phishing.
So what does the publication of LinkedIn data mean for companies in particular?
David Kelm: The attackers can try to manipulate employees via social engineering - without the employee even noticing. With the personal information now available to the attackers, realistic scenarios can be mapped in emails that entice the employee to click on links, download files or enter log-in data. Just recently, this could be observed for SMS phishing, where people were addressed personally and received an alleged tracking link.
Once such a message has arrived and been opened or data entered, cyber criminals have free rein: the consequences range from ransomware infections, in which companies are blackmailed into paying a ransom, to data loss and financial losses due to business downtime or wire transfer fraud. In addition, damage to the company's reputation as part of a phishing attack also represents a consequence for many companies that should not be underestimated.
Now the two buzzwords social engineering and OSINT have already been mentioned in connection with phishing – what exactly is behind these two terms?
David Kelm: The term social engineering describes interpersonal techniques to influence others in order to achieve a specific goal. Attackers use various psychological tricks and social norms to create situations that are not perceived as dangerous at first. Everyday social interactions (e.g., a telephone conversation or an e-mail) are used as a channel. The cyber criminals try to get the target person to follow certain prompts and thus gain access to information or company networks.
As the protection provided by technical security systems becomes increasingly difficult to bypass, social engineering is gaining popularity: it is often technically impossible to detect such attacks. It is therefore essential that every employee pays attention to the topic of IT security and is aware of possible threats.
OSINT stands for Open Source Intelligence, which describes the extraction of information from freely and publicly accessible sources, such as social media. This data is analyzed to gain actionable insights. In OSINT phishing, freely accessible data about the recipient is exploited to create an individual and personal spear phishing email that is hardly recognized as such. OSINT phishing is thus a particularly effective and dangerous tool used by cybercriminals.
How can companies protect themselves effectively and in the long term against cyber attacks?
David Kelm: To protect yourself and your company against cyber threats, you need a living security culture in your company. Only in this way can employees be made aware of information security in the long term and misconduct and security incidents be effectively avoided. Three aspects need to be considered for such a security culture: the mindset, skillset and toolset. In the case of the former, it is important to communicate the security awareness campaign correctly, in order to create an understanding of the dangers among employees, to pick up the most important stakeholders and to define security culture as a corporate goal. Only through mental readiness to commit to corporate security can the following steps be successful. To achieve this, it is helpful to make such attacks tangible – e.g., via live hacking or phishing simulations. For the skillset, it is important to train skills and knowledge about how to behave securely with employees in as practical a manner as possible so that they can internalize them in the long term. Technical and organizational measures are used for a suitable toolset to make it easier for employees to implement the know-how acquired in awareness training.
How can IT-Seal support companies in establishing a security culture?
David Kelm: IT-Seal has many years of experience in social engineering and security awareness training and has already trained over 400 companies. We offer a simple and reliable workflow for IT security managers to efficiently sensitize their employees.
To do this, we use a combination of diverse training measures such as phishing simulations and interactive e-learning. To do this, we have a number of innovative technologies at our disposal, such as our patented spear phishing engine: just like a real attacker, it conducts OSINT research and uses the information gathered to create authentic, real-life spear phishing emails. This is an important security awareness training, especially in regard to the LinkedIn data release.
Our Awareness Engine, in turn, ensures awareness training on autopilot and that each employee is trained as much as necessary but as little as possible. The Awareness Engine thus relieves the IT security officer, but at the same time ensures the continuous and needs-based training of all employees.