Everything we do online leaves a footprint: this is equally true for companies, which aren’t necessarily aware of the information available online about them and the digital traces left by their employees.
The issue? That information can be collected using OSINT methods (an intelligence gathering technique that uses public sources of information) and used for malicious purposes.
What is OSINT? What information can be collected and how can hackers exploit them for phishing and spear-phishing attacks?
What we call “Open Source INTelligence” (OSINT) comes from the intelligence sector. The idea? To find publicly available information (in particular online) on a target, to compare and recoup and to transform this into strategically actionable intelligence.
How can this information collection process be conducted? By using search engines (Google obviously, but not only since there are also search engines specifically for OSINT), online maps, the metadata of pictures… etc.
After being used in the intelligence industry, this technique can be used in the corporate sector for different purposes: competitive intelligence, economic oversight, online reputation tracking, cybersecurity… But even though OSINT is legal, it can be used for malicious purpoes.
Different channels can be used to find information related to a company and its employees: the company’s official communications of course (through its website), which is freely accessible online, satellite imagery( dated and available on Google Earth archives), social media (posts, pictures, videos, comments…), online forums…
In short, OSINT can reveal a wealth of information about a given company. Some of that can then be used for phishing attacks:
If some cybersecurity professionals use this information to educate a company and highlight some of its weaknesses (to allow the IT teams to correct them), they also represent a treasure trove for hackers who are preparing phishing campaigns.
Hackers use OSINT to gather relevant information the companies they target and therefore better prepare their phishing attacks.
It’s an essential tool of the reconnaissance phase that precedes a cyberattack.
Google is of course an essential tool for OSINT, but hackers don’t limit themselves to a basic use of the search engine. They’ll use “Google Dorks” searches that include advanced research features in order to find information that a “basic” research would not have found, and that companies might not be aware is publicly available.
Hackers also use specifically designed software or search engines to scan the web or social networks. Some of these tools might be publicly available, but others have to be bought and require technical skills to use. Their common feature is that they allow someone to aggregate a large amount of information and to recoup them (for example, with Searx or Kali Tools).
Mass phishing (sending the same phishing email at the same time to a company’s employees) is still a technique hackers use. But this is increasingly giving way to more targeted attacks. Spear-phishing, as they are called, targets specific employees based on their departments and/or jobs in a company with personalized attacks.
Better targeted, these attacks are more realistic. An email that seems to be from the CEO (the famous “CEO fraud email”), a colleague, a supplier or a customer is always more realistic and seems more genuine… even though it might be safe. These targeted and personalized attacks, better prepared, are therefore more dangerous.
Hacker groups like Exotic Lily (an Initial Access Broker) use OSINT to manually personalize their spear-phishing attacks, for example by creating fake companies and using reasons that are specific to their targets to communicate.
Another example is the Cobalt Dickens group (an Iran-affiliated actor) who conducted spear-phishing attacks against universities in the UK. These relied on extensive research on the teams, research topics, organisational structures of the targeted researchers in order to allow the group to contact them with tailored messages.
What can a phishing email that relies on OSINT look like? Here are three examples to illustrate (there are, of course, many more):
OSINT as a technique might be increasingly mentioned, it’s still something that many people ignore. Integrating OSINT to teach employees about cybersecurity requires, first, becoming aware of the footsteps left by our online activity and of the amount of information available.
Social networks have made people used to sharing selfies, screen shots and a whole host of information that could be used by hackers. Everything isn’t necessarily worth sharing.
An example? In 2020, the Dutch Minister of Defense shared a picture on Twitter that displayed the zoom code to the conference she was on. This allowed a journalist to log onto the normally confidential call. This might’ve been harmless, but it highlights how sharing can be dangerous.
Awareness isn’t going to be enough to effectively protect your teams against the spear-phishing attacks hackers use.
It’s important to incorporate OSINT in phishing simulations in order to train the teams against the attacks they might face and to help them develop the right analysis reflexes when confronted with the emails they receive.
Phishing simulations will therefore be more effective by training your teams in real-life conditions if they include elements like the tools used by your employees, the names of the customers or suppliers, the members of the C-suite, the electronic signatures of the company… just like hackers would use these.
OSINT is a very useful tool for hackers who are trying to craft realistic phishing and spear-phishing attacks.
That doesn’t mean that they should be the only ones using it. The creativity of hackers is boundless, but the integration of their techniques based on OSINT as well as the topic itself in cybersecurity awareness and training programs will help protect your teams by making them familiar with these.
Here are 10 must-haves for any training to be effective at lastingly changing users' behavior with regard to phishing attacks.
Some of our best-performing phishing simulation scenarios as observed in campaigns with various companies
What is the right frequency and timing of your phishing simulation campaigns to make them the most effective? Mantra's data team has a look at this issue.