How Hackers Use Open Source Intelligence to Exploit You

Open Source Intelligence OSINT Cybersecurity

How Hackers Use Open Source Intelligence to Exploit You

If you’re active at all on social media sites, you’ve probably announced a new job, posted vacation photos or checked in to a concert.

And while it may seem harmless because you’re not sharing private information, you should be careful what you post because it could be used against you in a spear phishing attack.

Hackers look for publicly available information to make their phishing attempts more believable, a process known as open source intelligence (OSINT).

Let’s examine OSINT, discuss how attackers use it and what you can do to protect yourself and your organization.

What is OSINT?

OSINT is simply the process of gathering, evaluating and analyzing publicly available information to gain insight.

Publicly available information can be information from:

  • Social media sites
  • Websites
  • Newspapers
  • Books
  • Government records
  • Academic journals

Cybersecurity firms use OSINT to identify potential weaknesses in networks so they can patch them before they are exploited. However, bad actors also use OSINT to learn more about their victims before unleashing phishing attacks.

More specifically, spear phishing attacks target particular individuals or organizations to steal financial data or gain access to a business account.

How do Hackers Use OSINT?

So, what information can be used in a spear phishing attack?

Literally anything, and it’s what makes this type of phishing attack so dangerous.

People often share seemingly innocuous information (such as the number of children they have, where they went to college, their previous employment history and more) on social media without thinking twice.

However, savvy attackers use this information to craft emails that create highly convincing phishing campaigns, often tricking well-meaning employees into sharing financial information or granting account access.

OSINT turns a generic phish into a believable request.

Scammers often target multiple employees in an organization, hoping just one of them falls for the scam. The best way to combat these scams is to implement phishing training and take it seriously.

What Should I Look For?

Aside from the generic phishing cues, like misspelled words and “From” addresses, here are some signs to look out for to determine if you’re the desired target of a spear phishing campaign.

  • Time pressure/secrecy
  • Change of payment details
  • Request to bypass normal process
  • Reply-to email and sender name don’t match

If a request seems out of the blue or could harm you or your organization, verify it through another channel, such as a phone call.

It’s important to use known phone numbers. Don’t call numbers provided in emails, as those could redirect you to the attacker.

How Can I Protect Myself and My Organization?

The good news is there are things you can do to limit the amount of publicly available information.

  1. Regularly check your online presence: Google yourself to see what you find. That old website you made for a college course might have your phone number or address. If you do find sensitive information, reach out to the website owner or individual search engines to request that the information be removed.
  2. Make your social media profiles private: You don’t have to delete your entire social media presence, but it’s recommended to make your accounts private so only the people you trust can see what you post. Even LinkedIn, a business-focused social media site, offers privacy settings that hide your profile unless you are connected.
  3. Regularly check security settings: Social media vendors are always changing the look and feel of their sites. Even if the frontend design doesn’t change, sometimes they add or update security settings and where to find them. Checking these settings regularly will ensure no information is public.

Learn How to Spot Scams

Scammers often target multiple employees in an organization, hoping just one of them falls for the scam. The best way to combat these scams is to implement phishing training and take it seriously.

Contact us to schedule a consultation. Our phishing training turns your employees into a first line of defense before that click costs you everything.

Stay updated! Get tips and insights delivered to your inbox weekly by subscribing to our newsletter.

Share this post