Overexposed and under-prepared; the risks of oversharing online

Zoe S. | 17 November 2016

I have a confession to make.

I know where you live.

I also know who you’re married to and the names of your children. I even know the name of your dog (who, by the way, looks really cute in your profile picture). I was sorry to see that your planning application got turned down, the ground floor extension looked like it would have been a lovely addition to your home in those plans I found. While I have your attention, let me ask how you’ve been getting on with your yoga class? The class you go to at the sports centre looks fun and I’m thinking of joining. It’s quite conveniently located, right next to your kid’s school. Listen, if you fancy a chat one day I can give you a call. I found your phone number in the WHOIS information for your website. Or if you’re busy I can email you? Would you prefer I use your work or personal email? Or I can pop by for a visit? After all, I know where you live.

These are just some examples of the type of information available online for public consumption. And none of it was obtained from a data breach or other such intrusive attack. The information was willingly, voluntarily, and openly posted online on a variety of websites and searchable databases. It is often put there by you. 

Normally when we consider the exposure of sensitive information we think financial records or card payment data. This is certainly of concern, but also of interest is personally identifiable information (PII), sensitive data such as information about family and friends, and also what is considered “soft data” including details, such as hobbies and interests. The information usually accumulates over time, steadily building up a picture of the individual. You may think the exposure of this type of information is inconsequential, unavoidable, or even inevitable. But it can provide a wealth of opportunities to a threat actor.  

Oversharing  

One such opportunity is spear phishing. It is an effective, and thus popular, tactic because the attackers use information relevant to the target to encourage them to open and interact with the malicious email. The more information there is available, the more the attacker has to work with. The email may address you by your full name and discuss a subject of interest to you, such as a holiday destination or a hobby. And although knowing your name and that you’re a tennis fan may not seem particularly dangerous, the repercussions of a CEO or finance officer or system administrator opening said email can be severe. Spear phishing has been associated with numerous cyber attacks in recent history, including attacks against retailers, healthcare, and government departments

Digital Shadows SearchLight™ monitors for an organization’s leaked assets online, including information pertaining to their VIPs. We can conduct focused research on an individual, looking at information that is both intentionally and unintentionally exposed. To achieve this we take an “attacker’s eye view” of the information publicly available, and then identify and assess the potential threats that information could pose to you and your company. This includes identifying the pivot points which connect at least two pieces of information together and attributes the information to the individual. The types of threats we seek to identify can include reputational damage, identify theft, impersonation, or even an attack (of either the cyber or physical variety).

We’re not suggesting you lock yourself away, close all your accounts, and never go online again. But rather to be aware of what you share, because it may just be the opportunity a threat actor is looking for.