Sunday 24 November 2013

Phishers and firms both proving adept at online stalking

Security padlock image 
SAN FRANCISCO: For the past few years now we've had a steady influx of reports from the security community, warning us that cyber criminals are learning and emulating legitimate companies' strategies.
In the past this has been limited to actual businesses models, with criminal groups setting up cyber black markets and advertising networks that, apart from the illegal wares they sell, operate the same way as entirely legitimate ones.
However, having spent the week in San Francisco covering Salesforce's Dreamforce 2013 event, we've noticed a number of other interesting similarities between the two groups' attitudes towards customer data.
It's no secret; web user data is the new oil. Every drop of it is potentially worth a lot of money, especially if it comes from a business account. This is why every year we hear stories about criminal groups targeting executives in specific companies with sophisticated spy campaigns. These campaigns see the criminal find a soft target within a business they're interested in and then expertly stalk them online. The campaigns see the criminal follow the victim's activity on social media sites and the like, to get a better idea of what makes them tick.
This research is potentially usable in a variety of ways, though its most common application is in phishing scams. This is because the data can be used to alter the hook of a phishing message and make it look more legitimate. For example, if you see on Twitter the CTO of the company you want to hack is currently attending Dreamforce, include a sentence in the phishing message saying "great to meet you at the conference" or if you see he's just ordered a set of golf clubs, send a fake delivery notification. The strategy is fairly simple.
What's interesting is – having spoken to a number of Salesforce customers – we've found most marketing and sales departments follow exactly the same strategy when creating pitches. Speaking to Carlos Zamora, the vice president of BT Conferencing in North America, this phenomenon was drilled home to us when he explained the company's research process leading up to a pitch.
"As we look at how an opportunity is being progressed, we have a number of teams [to] work through a process. This begins with questions like 'Can we win?' 'Is it the type we want?' 'Is our solution the best?' and 'What extras would we need to provide?' Then we map it from the point of contact and find who the decision makers are," he said.
"When you identify your relationship map and plot the influencers, sponsors and contractors involved, you then have to find the best way to engage with those individuals. Nowadays this is done in a variety of ways including social media – what they like, what they do, how they think."
Sounds familiar, right?
To me, this isn't that scary, just good sense. After all, getting information on somebody you're trying to influence is, at the end of the day, common sense. It is, however, a stark reminder of quite how much of our privacy we give away using services such as Facebook and Twitter and the ever-important truth; free services aren't really free and shared information can be used against us.
Let's just hope criminals don't get quite so good at collecting and using it as Salesforce, which just posted its first $1bn quarter.

No comments:

Post a Comment