Whenever we have talked about a Cyberattack happening, for a
lack of a better term, had some comfort in the fact knowing that we could
expect a malware, worm, a Trojan Horse of sorts, or even Ransomware.
But given the advances of technology, a Cyberattacker does
not have to do all of this anymore in order to steal PII. He or she can build a profile on you based on
a methodology known as “OSINT”, also known as “Open-Source Intelligence”.
Just as its name implies, this Open-Source data that is
legal to get and use, after all, it’s available on the Internet. It’s really
like getting a background check on somebody, but with that, you have to pay some
sort of fee. OSINT is free, and it can also be viewed as a data
aggregator.
This simply means that it is a one place shop where you can
collect the information that you need that is collected from hundreds of different
sources.
OSINT and be used for both the good and the bad. For example, I did a podcast some time ago
with a client that had an OSINT based business.
The degree to which he was able to use publicly known information
totally blew me away. He narrated this
story of how they were able to solve a hit and run accident, even the police could
not solve it.
If I remember correctly, it all came down to collecting a
small piece of car paint, and matching that up with other cars that passed by, which
were taped by the CCTV cameras. In a
way, this also reminded me of the unfortunate incident of Pan AM Flight 103, a
Boeing 747 that blew up over Lockerbie, Scotland. It all came down to locating a tiny electronic
component which forensics were able to trace back to a store in Libya.
Then, I wrote an article for a client about the OSINT methodology,
and how some of the components of it could be used to hypothetically protect a well-known
movie star. But with the good, comes
also the bad, and this is where ethe Cyberattacker now comes into play.
As mentioned before, they no longer have to access the innards
of your IT and Network infrastructure, and move laterally in order to get information
about you.
All they need are the tools of OSINT, a very close
examination of your social media profiles, and the use of some AI and ML
tools. From here, they can build a whole
new profile about you, even a create a totally different facial structure of
you using Deepfakes (I think I just wrote an article about this a few weeks
ago). But the end result of this totally
scary.
With this newfound profile, a Cyberattacker can now launch
ID Theft attack against, and you may never even know about it.
At least in the past, the Cyberattacker would have to know
some specific information about you, such as your Social Security number, or
Driver’s License number, but even this is not needed anymore. With all of this, a Cyberattacker can easily
open up new bank accounts, credit cards, you name it.
But you are not going to believe this also. There are also tools out there that let the Cyberattacker
create that fictitious profile about you.
This tool is called “Fake Name Generator”, and example of a
fake profile can be seen below:
(SOURCE: https://www.darkreading.com/attacks-breaches/how-hackers-create-fake-personas-for-social-engineering)
Heck you even create a picture of a real person that looks
almost like the real thing by using a tool called “This Person Does Not Exist”.
My Thoughts On This:
Ok, I even find this to be rather extremist, and I have been
in Cybersecurity for years. But keep in
mind, even in the case of digital attacks, the Cyberattacker will always leave
behind some evidence, even to the smallest amount that is possible. In the case of a faked profile like we have
been talking about this blog, look for some of the following clues:
*A person looks head on, directly into the camera lens;
*There will be some nuances in their facial structure;
*Other extraneous accessories can fade in and fade out. For example, if the subject is wearing
earrings, one lobe of the ear may drifting further down than the other ear, although
the earrings may look completely identical;
*The sides of the picture have some strange sidings to them.
What can you do to help avoid in becoming a victim in these
kinds of scams? Well, the first rule is
never to respond to anything that you are suspicious. For example, I get tons of robocalls and
suspicious emails every day. All I do is
never respond to the phone call, or simply delete the email.
But there have been numerous times in the past where I have received
emails which seemed to questionable, but I had some doubts about that as well.
So in these cases, I normally try to find the Linked In profile
of the person in question, and if I can’t, then that is a huge red flag. I try to check out their Social Media profiles,
and if there is nothing there, then I just delete the email. But keep in mind that the Cyberattacker could
quite possibly be ahead of you in this regard, by having a fictitious Linked In
profile and Social Media sites already populated.
Then there are the other rules as well: Check your credit card and bank account
balances at least 3x a day, and always monitor your credit report. If possible, try to have a good friend even
conduct a background check on you to make sure that everything is clean. Finally remember that the Cyberattacker does
not have to use just digital means to get a hold of you.
Attacks using the snail mail have now been on the rise, so
pay careful attention to those as well. In
the end, if you have any doubts that you simply cannot resolve, or if you feel
that you have become, always contact your local FBI office. They will always be glad to help you out, and
they will have the specialized tools needed to examine any evidence that you
give them.
No comments:
Post a Comment