How cybercriminals harvest information for spear phishing

In analyzing targeted attacks over the past decade, we continually find a recurring theme: “It all started when the victim opened a phishing e-mail.” Why are spear-phishing e-mails so effective? It’s because they are contextualized and tailored to the specific victim. Victims’ social networks are often used as a source of information. Naturally, that leads to the question: How? How do cybercriminals find these accounts? To a large extent, it depends on how public the victim is. If someone’s data is published on a corporate website, perhaps with a detailed biography and a link to a LinkedIn profile, it’s quite simple. But if the only thing the cybercriminal has is an e-mail address, the task is far more complicated. And if they just took a picture of you entering the office of the target company, their chances of finding your profile in social networks are even lower. We conducted a small experiment to search for information based on scraps of data. This involved taking several colleagues, all with varying degrees of social media activity, and trying to find them using widely available search tools. Search by photo Needing to find a person based on a photo is not the most common scenario. We assume that it begins with the cybercriminal was positioned by the entrance to the target company building and covertly photographing everyone with a particular logo on their pass, after which the search commenced for a suitable spear-phishing victim. But where to begin? Two years ago (how time flies), we wrote about the FindFace service. Given certain conditions and the availability of several high-quality pics of a mark, the service can quickly match the image to a social media account. That said, since July of last year, the service has been inaccessible to the casual user. Its creators have been busy developing solutions for government and business, and now it is a fee-based service. Moreover, the creators said straight out that the public version was only a “demonstrator of possibilities.” However, the service should not be completely discounted. Sometimes cybercriminals are prepared to invest in additional tools to carry out a targeted attack. It all depends on the objective, although this option is bound to leave unwanted traces. Search by photo is freely available as a service from Google, which  also offers a search-by-photo browser extension that automatically scours various search services for photos. However, this method works only for photos already published online. So it is not applicable in our scenario — unless it’s an official photo from a website, but they are rarely published without additional information (first and last name). Nevertheless, we tried the search option. Google managed only to narrow down our volunteer to “gentleman,” even though he uses the same photo as an avatar in Facebook and other social networks. So, having taken a picture of you, we think cybercriminals are unlikely to match it to your profile without using a paid facial recognition service. First and last name When looking for