A newly developed tool highlights how information we share online can be used in cyber-attacks against us.
We all share too much online, and the information we put into the digital ether on Twitter, Facebook and LinkedIn could be used against us by cyber-criminals in more convincing and targeted phishing attacks.
Phishing emails have become much more sophisticated in recent years, looking like they come from someone you know and containing information about something you are working on. They still, of course, carry malware or links to compromised websites.
To show just how much of a digital breadcrumb trail people leave online, ethical hackers from SpiderLabs, the penetration testing division of Trustwave, have created a tool called MicroPhisher, which automatically trawls social networks and other publicly available information about a target in order to accurately impersonate the way they talk and communicate.
MicroPhisher was created by Ulisses Albuquerque and his colleague Joaquim Espinhara as a way to allow those testing systems for weaknesses to get closer to what real phishing emails may look like:
"We started this as an effort to help us during pen test engagements with customers when we couldn't get access to systems through traditional means," Albuquerque told IBTimes UK this week from Las Vegas, where he and Espinhara unveiled their research at the annual Black Hat hacker conference.
When attacking large corporations, Albuquerque says, cyber-criminals will send emails to a large group of people who come from various backgrounds, ethnicities and cultures, so creating phishing emails which will seem genuine and real to all of them is virtually impossible.
"We wanted a way of helping the pen tester produce messages which look close enough to what legitimate users of the system would see. We tackled that by making use of the huge amounts of data that are already publicly available on social networks."
While the tool is designed to be used by those carrying out penetration testing on their own systems, or by companies like SpiderLabs who carry out such testing on behalf of large companies, it could also be used by cyber-criminals to create better phishing emails.
However, the creators believe the biggest benefit is for those trying to protect against phishing emails:
"Pen testers try to emulate the behaviour of [cyber-criminals] so anything that helps a pen tester could potentially be used by a real attacker. But the point is, if we don't try to provide the security community with tools like [MicroPhisher] then maybe the actual attackers will have the tools and we won't even know that."
Albuquerque admits, however, that the approach he and Espinhara have taken is most likely the one cyber-criminals sending phishing emails are already using.
The main innovation the MicroPhisher tool brings to the table, Albuquerque says, is its ability to bring everything together, which he likens to the techniques social media sites use to serve targeted adverts to their users.
Speaking about the pervasive nature of social media and the amount of information we simply 'put out there' for everyone to see, Albuquerque said:
"People tend to be very casual about the things they put on social networks, especially with everyone today having a smartphone."
While the proliferation and ubiquity of smartphones means more and more information about your life is shared online, it also creates a particular problem for those seeking to target you with phishing attacks: text speak.
"A lot of people, especially younger people, will tend to cut out letters, vowels, use shorter versions of words, and a lot of times natural language perception engines which we use in order to index those words, they will not really be able to infer what this person was saying."
However, the MicroPhisher tool is sophisticated enough to filter out such content so that the end result is representative of the writing it is trying to replicate.
Only getting worse
The worrying thing for Albuquerque is that things are not going to get much better any time soon:
"My personal perspective on this is that we are a lot less careful than we should be. We usually tend to be careful when we are sitting at our desks in front of a computer, because these computers are managed by corporations and have security processes in place. But you use social networks everywhere when you are using it from a smartphone so I think it will get worse before it starts to get better."