How is the data collected? First of all, they are obtained from open sources, starting with the list of employees on the company's website. Social networks bring a lot of information: based on the connections between employee accounts on LinkedIn, you can easily recreate the internal organizational structure, understand who reports to whom.
The next level is various types of attacks such as Business E-mail Compromise. An interesting example of an attack begins with a real post by an employee on social media that he is on vacation. Further, the attackers on his behalf contact the accounting department and ask to change the bank details for the transfer of salaries. The inability to contact by phone to confirm the request is due to the stay in another country.
Attacks using corporate information leaked into the Network are located at a higher level in complexity. For example, internal company documents may be publicly available in the cloud. Even if they alone do not allow funds to be stolen, the information can be used for social engineering.
The most unusual example of a "mail" attack in the review is the use of a tracking pixel. It works like this: an employee of a company from top management receives seemingly meaningless emails, sometimes disguised as test mailings. It scans and deletes them, but the tracking image inserted into the body of the letter transmits to the attackers a lot of data: the IP from which the connection is made, as well as the approximate hours of work of the employee. Using this data, you can improve the accuracy of fraudulent messages that require "urgent contact with an external consultant" or "immediately transfer funds to a specified bank account."
Phishing in the bulletin is divided into two categories: regular phishing and telephone phishing. With the usual, everything is clear, an example is given above. In such messages, as a rule, the user is asked to follow the link and enter the password from the corporate service. An example of voice phishing: we send an e-mail to an employee with a message allegedly about blocking an account. After a while, a phone call comes in, allegedly from a technical support employee on the same topic. An attack on the social network Twitter in the summer of 2020, when attackers gained access to the internal admin console, is cited as a successful example of mimicry for support .
The final part of the review describes completely non-standard types of corporate doxing. For example, hacking an account on the social network of a specific employee, without attacks on the corporate infrastructure. If the employee is a high-ranking employee, statements on his behalf in a private account can affect the company's stock price and bring profit to the attackers. Finally, the future of corporate fraud is the synthesis of the voice of the company's top managers to steal funds, damage reputation, and more. Single successful attacks were developed on the Clubhouse social network, where fake voice broadcasts on behalf of famous people were repeatedly noticed.
What else happened
The vulnerability in Microsoft Exchange is being closed at an incredibly fast pace. A March 22 Microsoft report claims that 92% of vulnerable mail servers have already been patched. This is very fast compared to the speed of closing any other vulnerability, but not enough if you keep in mind the peculiarities of the hole, which gives full control over the server. Of the strange attacks on servers that have not been updated, or have updated, but did not close the existing backdoor, last week there was a hacking of servers, allegedly on behalf of the journalist Brian Krebs.
The iOS, iPadOS and watchOS update released on March 26 closes an actively exploited vulnerability in the WebKit engine that allows XSS attacks.
CitizenLab's analysis of the source code of the TikTok app did not reveal any privacy breaches. A caveat is required here: the experts did not find functions outside of the typical for this kind of development, but a lot of user data is still collected for advertising purposes.
The ZDNet edition writes about a real attack like BadUSB. A hospitality company received a USB flash drive in the mail, supposedly a free bonus from a major retail chain. In fact, the flash drive emulated a keyboard, which made it possible to download and install malicious code.