Attackers mine the posts on Twitter, Facebook, Instagram, Foursquare, and other online properties to find information that people provide about themselves, but also to mimic people's writing style, such as frequently used words, said Trustwave researchers Joaquim Espinhara and Ulisses Albuquerque during their presentation on Thursday. All this information is used to craft a message that actually sounds like someone the victim would know.
Many attack emails are actually recognizable as malicious precisely because they don't sound like something a real person the victim knows would say. But if attackers can refine the tone of the message, then they are likely to trap that victim, Espinhara and Alburquerque said.
Microphisher
To prove their point, Trustwave researchers released a new tool at the conference which analyzes public posts and creates a "fingerprint" for each person's communication style. Microphisher uses natural language processing to analyze public posts on social networks and other online sites. Even how you use hashtags on Twitter, how long your typical sentence is, and topics you generally write about, can all be used towards determining your fingerprint, Alburquerque said.
Microphisher is intended to help organizations improve their IT security, Alburquerque said. Trustwave SpiderLabs frequently put together penetration tests and other social engieering tests to determine how effective an organization is in thwarting spear phishing. Microphisher can be used to craft messages that are similar in style and content to what a specific individual would write. With a more natural sounding and topical message, Trustwave could test the organization's security readiness much more effectively, Alburquerque said.
Imagine if attackers analyze the contents of a CEO's Twitter feed with Microphisher. They can then craft a message that mimics his or her style and send it to other employees, who would likely click on a link in the email or open the attachment because it would sound like something the CEO would normally write, they said.
The reverse is also possible, where the tool can be used to figure out which posts were legitimately written by someone and which one was faked. "The same tricks can be used to evaluate whether emails are realistic, if you know the sender's Twitter account," Alburquerque said.
Microphisher relies on statistical analysis to determine how close a message being written is to an email profile, so cannot be used to automatically generate believable phishing messages.
Stay Safe
As always, people should not click on random, unknown links or open attachments, regardless of the source. It doesn't matter if you know who the person sending the information is—since it is increasingly clear that there is plenty of information available online to create convincing fakes.
No comments:
Post a Comment