In response to questions I heard this weekend from friends of mine about the ‘big picture’ relevance of the 1.5 million Facebook accounts compromised, I referred back to last month’s FBI speech from Dep. Asst. Dir. Chabinsky:
“Don't be surprised if a criminal compromises your or one of your colleague's personal social networking accounts to retrieve the e-mail addresses of some of your friends, and then uses that information to spoof an e-mail to you or your colleague at work. Other criminals use publicly available information from a company’s website to target employees up to the CEO, whose titles, e-mail addresses, and major areas of interest are typically available on the website.”
Of course this is used directly for determining high-value targets in a spear phishing campaign:
“…These criminals, especially those who can properly write and speak English, can cheat people out of a lot of money by creating and deploying social engineering schemes for themselves or for other criminals who need a convincing malware infection vector. With specialization, fraudsters no longer have to mass-deploy their schemes, but can instead focus on spear phishing specific high-level targets with administrator level or payroll system access. They will often use research or multiple step compromises to ensure that the receiver will believe the e-mail is legitimate.”
Maybe the FBI really knows what’s up. The guys and girls down here in San Diego’s office I’ve met seem to have a serious clue on what it takes to kick cybercriminals in the teeth. They can’t do it without our help though, even if it’s just through a grassroots effort.
Securing Our eCity Contributing Writer
Author ESET Research, We Live Security