
Phishing, spear phishing and the bosses.

posted Jun 28, 2012, 11:21 PM by Leigh Williams   [ updated Jun 28, 2012, 11:29 PM ]
Back in the olden days, when security wasn't the biggest priority, you would find that your "C-level" guys and middle management most probably had the most access. So if you managed to get hold of their account details, using whatever means you had at your disposal, you could most probably get into most of the systems in the organization.
Smaller companies that aren't that security conscious still do things like this. The MD (or CEO or Big Bauss) wants access to all the systems because, well, he said so and he is the bauss. But all this is slowly starting to change because of a few small things called "common sense, segregation of duties and web-based reports" (and maybe a couple of other things as well): once the numbers the boss wants land on a dashboard or in a report, there is no reason for his account to be able to log into the systems that produce them.
So who has the most access now? That would be your system administrators, the guys on the floor doing the actual work. These guys usually administer several servers, storage solutions, workstations and so on, and most likely use the same username and password on all of them. One stolen password therefore opens every box that person looks after (which is exactly why admins should have separate accounts, with separate passwords, for day-to-day work and for administering each set of systems). So if you want to steal an account, one of these guys is your best bet.
But why is spear phishing against the bosses still so successful, then? Because you usually do not know who these administrators are. They do not appear on websites and they are usually not "public-facing" employees, so you won't find them on the company website's list of managers. These guys also (usually) have a lot of common sense and are wary of emails or phone calls in which someone requests sensitive information. They will do their homework before opening an unknown email or replying to one that looks suspicious.
The "C-level" guys, on the other hand, are easier to target. You can most likely find their name and surname on the company website and do some basic Googlin' to find their LinkedIn, Twitter and Facebook profiles. A carefully crafted social engineering attack on one of them can prove rather easy and successful, especially if you target the middle or junior management employees who have a lot to prove to their big bauss and who like to throw their weight around. A phone call posing as one of the IT guys, mixed with some knowledge about their personal lives (such as knowing whether they have a kid or recently got married, which you can easily find through the Google machine), can get you what you want.
Targeting the "C-level" employees to get to an administrator account is a good, solid attack that can prove easier than you thought: a manager's credentials, or a manager who vouches for you and throws his weight around, is often all it takes to get an administrator to hand over access. I am not saying you should go and do this, because that would be wrong and it is against the law. Rather turn this exercise into something good and target your own organization, with written permission from the relevant bausses (and an agreed scope), of course. Use the attack to gauge how security conscious your employees and the company's public figures are, then teach them about the dangers of having personal information publicly on the internet, about phishing and spear phishing, and about why security matters.
Remember, if you get a phone call, SMS or email that looks suspicious, it most probably is. Double check the request through a channel you already trust (call the person back on a number you know, not the one in the message) and make sure you, your company and its employees are safe.
PS. Bauss = Boss