How Human Hackers Analyze Targets
A human hacker or social engineer will not develop a strategy to attack a target without first taking advantage of freely available public information, also known as OSINT (open-source intelligence). This information is most commonly found on the internet through Google, social media platforms, and similar sources.
A human hacker thoroughly researches a target on the web in order to gather the details needed to craft an attack on a specific individual or group, most often delivered through spear-phishing.
What can a human hacker find on the web?
There is a wide range of details a human hacker could find through Google, social media, maps, and much more. Below are just a few examples.
A company’s website
A tremendous amount of information about an organization can usually be found on its own website. Companies often publish a great deal of content for PR purposes; however, that same website may also contain nuggets of information that create vulnerabilities for the firm.
The Wayback Machine
If you deleted something from the internet, does it mean it’s gone for good? Not always. The Wayback Machine is a digital archive of the World Wide Web from 1996 to today. So if that information was there, there’s a possibility it could still be retrieved.
PDF documents on Google
PDF documents are often uploaded to the internet, revealing employee IDs, user guides, benefits packages, etc. They can often be found by typing in keywords such as the company name, followed by “PDF.”
Employees’ social media accounts
A picture is worth a thousand words, and in the case of a savvy human hacker, it can be worth a thousand clues. An employee innocently posting a photo with a couple of coworkers could reveal details such as:
The company’s dress code
What the employee badge looks like, which could be counterfeited and flashed at an entry point
The computer hardware that is being utilized
The layout of the office building
Sticky notes with revealing information such as login credentials or important notes
While some social media accounts may be set to private, it is possible for a social engineer to create a fake profile that could appear to be legitimate in order to get connected with potential targets.
A great tool for getting a 360-degree view of a company’s office building, in order to identify access points for a facility intrusion, is Google Earth. A human hacker can locate and identify other businesses in the vicinity that may make deliveries to the target’s office building, and can piggyback on those deliveries to gain access.
With Google Earth, one can also identify locations and establishments where the target’s employees might be going out during the middle of the workday for coffee or lunch, granting the human hacker an easy way to casually “bump into” these employees.
Awareness is key
With time, social engineering tactics will become more specialized, complex, and undetectable. In order to, at the very least, prevent valuable information from landing in the hands of malicious attackers, businesses must empower their employees through effective security awareness training to critically assess what information they share online regarding themselves and their employer.
About the Counterintelligence Institute
Founded by former CIA senior intelligence officer Peter Warmka, the Counterintelligence Institute’s mission is to assist corporations, government offices, academic institutions and non-profit organizations in protecting their sensitive information and personal data records against security breach attempts. Our online and onsite training services focus on transforming the human factor from being the weakest link in security to becoming the most effective defensive tool against security threats to your company and personal life.