Most organisations now have some form of publicity department, whether they are formulating press releases, engaging with social media or developing content for the corporate website. Their goal is to support the aims of their employer and get their organisation into the public eye. However, they may well be fostering harm to their employers without realising it. Information that they disclose publicly may be invaluable to attackers who are reconnoitring their organisation, trying to locate information that will assist them in launching a successful compromise. In fact, it is sometimes the case that it is the publication of such data that will lead attackers towards targeting the organisation in the first place.
It is not uncommon to find websites where the names of employees are published along with their roles within the organisation and personal biographies. This is often all the information a threat actor needs to craft a convincing phishing email, enticing the recipient to approve a wire transfer or the alteration of bank account details of a client. Powerful psychologies come into play when, say, the assistant to the CFO gets an email apparently from the CFO themselves requesting an urgent wire transfer of funds to pay an overdue account. The assistant has probably earned a reputation for being efficient and expeditious in servicing requests from their boss, they certainly do not want to tarnish that reputation by questioning every request that the boss makes via email. The injudicious publishing of personal details about employees by the publicity department has led to organisation becoming an irresistible target for scammers.
Nettitude’s Incident Response
In recent months, Nettitude’s Incident Response Team have investigated dozens of phishing emails reported to us by our clients. Those attacks have led to hundreds of thousands of dollars being successfully transferred to bank accounts under the control of attackers. Our investigations have identified that it is the publication of company data that has unwittingly facilitated those attacks. Financial institutions are especially at risk as transfer of funds requests are routine, thus a malicious request can easily go un-noticed as it merges with the daily noise of routine business.
There are numerous examples of how seemingly innocent information posted as part of a publicity campaign can be leveraged by threat actors to subvert your organisation’s security:
- A photograph of a company employee behind their desk, published on your company website, or released to the press, may reveal the format and font of internal identity badges. A threat actor can simply copy the badge and use this to breach the organisations security, again psychologies come into play as work identity badges provide a powerful symbol of legitimacy and belonging.
- A post on the company blog announcing a new partnership with a computer security vendor. The post is designed to signal that you value the security of your customer’s data, but in reality it provides threat actors with invaluable knowledge of the security products that you have in place.
- Publishing internal policies on external facing websites to signal that you are responsible organisation with a track record of following best practices and legislation is fraught with risk as attackers learn of your inner workings and procedures. The situation becomes even worse when templates of official forms are published alongside those policies. Such documents can be used by threat actors to provide the appearance of legitimacy to malicious documents sent to the organisation that may have malware attached.
It is, however, important to recognise that publicity plays a crucial role in achieving the aims of any particular organisation, thus simply ceasing all publicity is likely to be counter-productive. In respect of publicity, organisations need to find a balance between publishing information that will further their goals and information that could be maliciously used against them by threat actors. This will require awareness training for staff engaged in publishing any form of organisational publicity or public facing information about their organisation. A basic principle of network security is that security is everyone’s responsibility. To that end, all organisations should be encouraging all staff to be cognisant risks that can arise through the posting of publicity on behalf of their company. Staff should also be encouraged to challenge the publication of material that, although published with good intentions, could result in harm their organisation.
To guard against malicious transfer of fund requests, organisations should have strong internal processes that can detect these attacks. Nettitude recommend that you implement a 2 factor system, ensuring any requests for transfer of funds made by email are verified with a phone call to the person apparently requesting those transfer of funds. Similarly, implement robust controls in respect of requests to amend customer account details; ensure all such requests are verified with a confirmatory phone call and finally limit those with the authority, and ability to complete find transfers to those that have undergone security awareness training which will help users to detect such attacks.
To contact Nettitude's editor, please email firstname.lastname@example.org.