How an exec’s digital life offer clues for hovering hackers

Small pieces of personal life shared publicly on social media can sometimes lead to big breaches, and executives in particular need to be careful about what they post.

Pen testers and ethical hackers told IT Brew that the tiniest bits of online info can lead to system access.

Rachel Tobac, co-founder and CEO of SocialProof Security—whom you might recall from her hacking demo on 60 Minutes—often sees execs leaving a trail of valuable data on Instagram, Twitter, and other social media sites.

Say, an exec posting a LinkedIn photo of a quarterly retreat, with a whiteboard of notes in the background.

From there, Tobac said, a hacker can pretend to be a senior leader in the photo and call an executive assistant (also tagged in the photo), using contact details available on data brokerage sites and spoofing the number so the caller ID matches. A mention of a project name found on the whiteboard can boost trust and lead to transferred documents and credentials.

“Oftentimes, folks believe so many of those pieces to be internal that they automatically assume I’m legitimate and I gain access quickly. It sounds complex but takes me a few hours to set up and complete,” Tobac told IT Brew in an email.

Attackers making executive decisions. More than 40% of IT and security practitioners surveyed said their executives and family members had been attacked by cybercriminals, according to a report released in May from the Ponemon Institute and digital exec-protection service provider BlackCloak. Threats included doxxing, malware infections, personal email attacks, and online impersonation.

A report from Europol showed that fraudsters in 2021 impersonated lawyers and convinced one CFO and real estate developer to transfer €38 million in a matter of days.

Business email compromise, an attack that frequently targets execs and relies on impersonation to convince a target to initiate a transaction, has cost orgs billions. June findings from the FBI revealed a domestic and international exposed dollar loss of over $50 billion from October 2013 to December 2022.

“Between December 2021 and December 2022, there was a 17% increase in identified global exposed losses,” read the announcement.

Cybersecurity firms in 2023 detailed attacks that targeted their own execs. In March, Cloudflare revealed a phony Silicon Valley Bank message that directed their CEO Matthew Prince to “review documents.” A June post from the infosec vendor Dragos revealed extortion attempts to senior leaders and “demonstrated research into family details as they knew names of family members of Dragos executives.”

Damian Archer, VP with the cybersecurity company Trustwave, knows the CEO can’t be completely private: Executives need to publish information about the organization; they need to connect with people, they need to have a more accessible public persona.

“They just don’t set the privacy controls as deeply and as strongly as they should and could,” Archer told IT Brew.

A family fail. Peter Deros, senior director of offensive security at the cybersecurity advisor Coalfire, is often hired to find a company’s weakness and go after the executive, and that might mean looking at the digital trail of their relatives.

“What we find is that, generally, the CEOs themselves are pretty good…really we find lots of avenues of access through their family members. And that’s just the unfortunate reality,” said Deros.

One hack avenue: TikTok.

In one client test this year, Deros and his team spotted a CEO son’s video of his dad’s new Corvette. The Coalfire crew then sent the exec a phishing email claiming that there was a recall of that specific car. The CEO went to the imposter site and entered a username and password—credentials that were reused in the company’s Microsoft 365 applications, said Deros.

Only human. Pretexting, a form of social engineering that allows attackers to gain access to information through deception, has been a common aspect of attacks today. According to a 2023 data breach investigations report from Verizon, 74% of all breaches include the “human element”: human error, human misuse of privileges, humans being socially engineered.

Aside from the tougher ask of telling teens not to post about their parent’s sweet new ride, Deros recommended multi-factor authentication as a way of preventing the risks of digital overexposure.

Chris Pierson, CEO of BlackCloak, also recommends dual-factor on personal email accounts, which are also found online and face targeted phishing or credential-stuffing attacks.

“You really want to reduce your digital exhaust,” said Pierson.

That means sometimes keeping the Corvette in the digital garage.