By Peter Warmka, Founder, Counterintelligence Institute
Over the past few years, cybersecurity professionals have acknowledged the increasing need for security awareness training to combat the growing threat from social engineering. However, while such training today focuses on what an attack may look like and how the target should respond, it seldom discusses how and why particular individuals are selected as targets by professional human hackers. Understanding this methodology will better prepare potential targets to avoid falling victim to more advanced social engineering techniques.
Target Selection
In my previous career with the CIA, and in response to intelligence requirements, I would carefully select my targets based upon their perceived ability to help facilitate the breach of their organization. In many cases, the starting point was acquiring an organizational chart and then speculating on their access based upon their title and position on the chart.
Today’s threat actors, whether intelligence services, industrial competitors, activist groups or organized criminal rings, undertake this same objective while using the best available tools. Their number one resource for the identification of potential targets is the LinkedIn platform. Specific searches of individuals can be conducted by organization, title, geographic location, academic degrees, professional certifications, etc. While general searches may yield thousands of profiles, refined search parameters will identify a manageable pool of attractive candidates.
Target Assessment
As a CIA recruiter, I would have to develop a suitable pretext for contacting a potential target of interest and then spend several hours over multiple lunches or other social engagements to get to know them. This information would help me “assess” whether they were truly viable targets. Did they have access to the intelligence we wanted and what made them tick as a person? What information could I leverage to manipulate them into becoming sources?
Today, professional human hackers do not need to personally expose themselves to obtain such information. Their principal resource for collecting this assessment information is the set of social media accounts established and maintained by potential targets. A multitude of information is provided within such accounts, including profile background, pictures, posts and interactions with others.
What do such profiles reveal? Let me share four popular platforms and what a hacker can glean regarding a prospective target.
From LinkedIn
- Academic and work experience
- Career aspirations
- Certifications and licenses
- Affiliations with associations
- Volunteer work
- Network of professional contacts
From Facebook
- Hobbies
- Interests
- Favorite sports teams
- Music genre and favorite artists
- Favorite foods and restaurants
- Travel (where, with whom, and future travel plans)
- Social economic status (revealed from pictures)
- Close friends and family members
From Twitter
- Insight into what the target thinks
- Opinions
- Religion
- Pet peeves
From Instagram
- Pattern of life activity
- Target’s routine
- Where a human hacker can casually bump into the target
With this assessment information, a professional human hacker develops a personality assessment profile on a target, identifying specific motivations and vulnerabilities.
These motivations and vulnerabilities are then used as a guide to develop specific social engineering ploys, whether they be spear-phishing, smishing, vishing or face-to-face encounters.
Let me give you two examples of how this methodology works.
- An intelligence service is interested in securing proprietary information from the U.S. defense contractor Patriot Technologies. When evaluating prospective insiders at Patriot, they identify CEO Brandon Phillips as a very attractive target. In addition to having access to sensitive information on his media devices as well as to the IT network, he has a very revealing social media profile. Of particular interest are his regular posts on Facebook, where he uploads photos showing sunrises and sunsets with family and friends aboard his sailboat. He has mentioned several times that one of his life’s dreams would be sailing the Mediterranean.
With his strong motivation identified, the intelligence service decides to send an email appearing to come from Brandon’s local nautical club. It announces an upcoming excursion to the Mediterranean on a first come, first served basis. Further details and registration information are said to be contained in the attachments. Even though everyone at Patriot Technologies, including the CEO, has had basic phishing training, Brandon never imagines that this email is a phishing attempt. It played to his strong motivation and utilized the influence technique of “scarcity,” manipulating him into immediately opening the attachments before losing the perceived opportunity. As a result, malware is installed on his personal laptop, which in turn is used to gain access to the firm’s network. Success!!
- A criminal group wishes to penetrate the financial service provider Maxwell Wealth Group to gain access to sensitive information regarding the firm’s high net worth clientele. While identifying over 15 potential insider candidates, the group took special interest in Christine Summers, whose updated LinkedIn profile revealed that she had recently joined Maxwell as a new receptionist. Professional human hackers find new receptionists attractive targets because they are frequently isolated from the rest of the workforce and sometimes must make unilateral decisions. Furthermore, it takes time for them to become familiar with all the firm’s policies and procedures.
Christine receives an incoming vishing call from “Doug,” posing as Maxwell’s outsourced IT management provider. Doug welcomes Christine to the firm and wants to let her know that if she ever has an IT issue, she should immediately telephone him. In passing, Doug mentions that he reviewed her IT account profile prior to making the call and noticed several files which were corrupted and not working properly. While not urgent, he states that it could eventually lead to a crash of her hard drive. Leveraging fear, Christine begins to panic and asks Doug for help. Doug sends her an email with a link for her to approve his taking over of her account, ostensibly to conduct the repair.
While Doug is creating a backdoor into the network for his team to enter later, he keeps Christine on the line and distracted by talking about one of her passions, as revealed from her Facebook profile: animal rescues. After 15 minutes, Doug confirms that he is all finished. Christine is so grateful that Doug has saved her from a potential crash of her system, not realizing that she has just facilitated what will become a $5 million data breach of Maxwell.
By understanding how professional human hackers select and assess their targets, individuals should gain a better appreciation of the sensitivity of the personal information they post to their social media accounts, as well as of the need for stronger privacy settings. Cognizant that human hackers can leverage such information, individuals should treat with caution any unsolicited incoming communication that plays on their motivations or vulnerabilities.
About the Author
Peter Warmka is a former Senior Intelligence Officer with the CIA having over 20 years of experience in breaching the security of target organizations overseas. He is the Founder of Orlando, Florida based firm Counterintelligence Institute, LLC and author of the non-fiction book “Confessions of a CIA Spy – The Art of Human Hacking.”
In addition to conducting his signature training program, Mr. Warmka is a frequent conference speaker, guest podcaster, and author of numerous publications on social engineering and the manipulation of insiders.
He received a bachelor’s degree in liberal arts from the University of Wisconsin-Milwaukee and a master’s degree in international business management from Thunderbird School of Global Management. Mr. Warmka is a Certified Fraud Examiner (CFE), a Certified Protection Professional (CPP) and Certified Instructor at CIA University (CIAU).
Peter can be reached online at [email protected], https://www.linkedin.com/in/peterwarmka; and at our company website http://www.counterintelligence-institute.com/