The high-profile hacks that have plagued media companies in recent months all have one thing in common: They all start with a simple email.
In January, The New York Times admitted the company had fallen victim to a spear-phishing attack, where Chinese hackers sent “e-mails to employees that contain malicious links or attachments.” Since then, the hacks have become a monthly, if not weekly occurrence. Organizations like the AP, The Onion, CBS, and The Guardian have all experienced security breaches in 2013 — mostly hacked social media accounts — all caused by successful phishing scams from the Syrian Electronic Army.
In these scenarios, hackers pick their organization and target individual employees with a convincing, tailored email, often masquerading as an important company document or security update from a social network. Whatever the format, the end game is the same: getting employees to willingly cough up usernames and passwords.
So how does it work? As RSA researcher Christopher Elisan notes on the RSA’s security blog, finding an organization and targeting employees by department isn’t hard at all. In fact, most of the heavy lifting can be done using publicly available contact databases, like Jigsaw, an online business directory of companies and employees that is owned and run by Salesforce.
Jigsaw’s crowdsourced database acts like a massive online Rolodex with over 29 million contacts from over 4 million companies, and Elisan believes it “could prove to be an extremely valuable tool in helping cyber criminals plan more sophisticated email-based attacks.” Using a readily available ruby script that scans Jigsaw’s databases, a hacker can search a company by name and find its “Jigsaw ID,” which is used to target a specific department in that organization. From there you can find information down to the specific employee. In essence, tools like Jigsaw take most of the “hacking” out of the hack, allowing attackers to adopt long-standing marketing tactics, only with far more malicious intent.
Once the target is identified, here’s the information attackers have access to:
Four e-mail addresses based on the four supported formats
Four usernames based on the four supported formats
“Once you have the list, you can use the information in two ways,” Elisan told BuzzFeed. “You can make them the recipients of the email or you can use them as the sender. Almost any malware can spoof an email address so that — whoever the receiver is — they think the message is from a trusted source.”
The end result is little more than a marketing trick, with an email convincing enough to convince even the savviest users to click a desired link. While most attempts are thwarted — by spam filters, skeptical employees, or two-factor authentication — all it takes is one user with the right credentials for attackers to gain access to email, social, and other company accounts.
Thankfully, Jigsaw does let users modify information, meaning theoretically, anyone can delete his profile. However, similar to Wikipedia, your information can be added by anyone at any time.
More than anything else, tools like Jigsaw are a reminder that so many of the dangerous and heavily publicized hacks online aren’t really hacks at all. Social engineering using products like Jigsaw is scarily simple to master — it took me only minutes to find straightforward point-and-click jigsaw spear-fishing tutorials on YouTube. In many of these cases, the line between “hackers” and a good email marketer is thinner than you might imagine. Not only can anyone be hacked, but almost anyone can also become the hacker.
“You could certainly create your own attack company,” Elisan said. “It’s not hard to get ahold of these tools, and you could launch the malware deployment technology in minutes. If you have the motivation and the time, it’s very easy for almost anybody to conduct an attack.”