Everything we do online leaves a footprint: this is equally true for companies, which aren’t necessarily aware of the information available online about them and the digital traces left by their employees.

The issue? That information can be collected using OSINT methods (an intelligence gathering technique that uses public sources of information) and used for malicious purposes.

What is OSINT? What information can be collected, and how can hackers exploit it for phishing and spear-phishing attacks?

What is OSINT?

OSINT is a way to find publicly available information - especially online

What we call “Open Source INTelligence” (OSINT) comes from the intelligence sector. The idea? To find publicly available information (in particular online) on a target, to compare and cross-reference it, and to transform it into strategically actionable intelligence.

How is this information collection carried out? By using search engines (Google obviously, but not only: there are also search engines built specifically for OSINT), online maps, the metadata of pictures, etc.

Beyond its origins in the intelligence sector, this technique is used in the corporate world for different purposes: competitive intelligence, economic oversight, online reputation tracking, cybersecurity… But even though OSINT is legal, it can be used for malicious purposes.

What information can be found using OSINT?

Different channels can be used to find information related to a company and its employees: the company’s official communications of course (through its website), which are freely accessible online, satellite imagery (dated and available in Google Earth archives), social media (posts, pictures, videos, comments…), online forums…

In short, OSINT can reveal a wealth of information about a given company. Some of that can then be used for phishing attacks:

Personal

  • The names and addresses of employees
  • Personal information available on social networks: holidays, purchases, pets… that can be used to personalize targeted attacks

Professional

  • Email addresses, electronic signatures, job descriptions (via LinkedIn for example)
  • The names of C-level managers (the CEO, CFO or Head of HR for example), which can be very useful in opening doors for hackers
  • The names and contact details of certain clients, suppliers or contractors
  • Personal or financial information that shouldn’t be public but is unfortunately available (through a page that hasn’t been de-listed, or a database that is left accessible, for example)

Technical

  • The tools and software used by the employees (professional mailbox, collaborative suite, HR tool, payroll software, CRM, etc.)

While some cybersecurity professionals use this information to educate a company and highlight some of its weaknesses (so that the IT teams can correct them), it also represents a treasure trove for hackers who are preparing phishing campaigns.

OSINT + phishing: the winning recipe for hackers

Hackers use OSINT to gather relevant information about the companies they target and therefore better prepare their phishing attacks.

It’s an essential tool of the reconnaissance phase that precedes a cyberattack.

How do hackers use OSINT?

Google is of course an essential tool for OSINT, but hackers don’t limit themselves to a basic use of the search engine. They use “Google Dorks”, searches built on advanced search operators, in order to find information that a “basic” search would not surface, and that companies might not even be aware is publicly available.

Hackers also use specifically designed software or search engines to scan the web or social networks. Some of these tools are publicly available, but others have to be bought and require technical skills to use. Their common feature is that they allow someone to aggregate a large amount of information and cross-reference it (for example, with Searx or Kali Tools).

Preparing increasingly personalized, targeted and realistic phishing attacks

Mass phishing (sending the same phishing email at the same time to all of a company’s employees) is still a technique hackers use. But it is increasingly giving way to more targeted attacks. Spear-phishing, as it is called, targets specific employees with personalized attacks based on their department and/or job in the company.

Being better targeted, these attacks are more realistic. An email that seems to come from the CEO (the famous “CEO fraud email”), a colleague, a supplier or a customer always looks more realistic and seems more genuine… even though it is anything but. These targeted, personalized and better-prepared attacks are therefore more dangerous.

Hacker groups like Exotic Lily (an Initial Access Broker) use OSINT to manually personalize their spear-phishing attacks, for example by creating fake companies and using reasons that are specific to their targets to communicate.

Another example is the Cobalt Dickens group (an Iran-affiliated actor), which conducted spear-phishing attacks against universities in the UK. These relied on extensive research on the teams, research topics and organisational structures of the targeted researchers, which allowed the group to contact them with tailored messages.

Some examples of how OSINT can be used for phishing attempts

What can a phishing email that relies on OSINT look like? Here are three examples to illustrate (there are, of course, many more):

  • An email that seems to come from a close colleague, with a link to a shared document hosted in the cloud and a request for changes. To be more persuasive? The email uses the same color scheme and visuals as the file-sharing platform used by the company (Microsoft OneDrive for example)
  • An email sent to a few members of the HR team asking them to click on a link to update the HR software used by the company. The email looks just like the ones that genuinely come from that software
  • A personalized email telling an employee they have received a document to sign. For increased realism, this email uses the e-signature tool’s color scheme and seems to come from the CFO or CEO
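The lures above (and the “CEO fraud email” described earlier) all rely on a borrowed identity: an executive’s or colleague’s name from OSINT, displayed over a sender address that is not theirs. As an added illustration that is not part of the original article, here is a small header check that flags the three tell-tale signs of that pattern: a known executive’s display name on an unexpected address, a look-alike sender domain, and a Reply-To pointing elsewhere. The domain, executive names and sample headers are constructed for the example.

```python
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed values for this example: the organisation's own domain and the
# executives whose names an OSINT-informed CEO-fraud lure would borrow.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",      # assumed CEO
    "john smith": "john.smith@example.com",  # assumed CFO
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (exarnple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess_headers(raw: str) -> list[str]:
    """Return the impersonation indicators found in one message's headers."""
    msg = HeaderParser().parsestr(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name_key = " ".join(name.lower().split())   # normalise "Jane  Doe" -> "jane doe"
    dom = domain_of(addr)
    findings = []
    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        findings.append("executive display name from unexpected address")
    if dom and dom != CORPORATE_DOMAIN and edit_distance(dom, CORPORATE_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain: {dom}")
    if "@" in name and CORPORATE_DOMAIN in name.lower() and dom != CORPORATE_DOMAIN:
        findings.append("corporate address shown in display name only")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != dom:
        findings.append(f"Reply-To domain differs from sender: {domain_of(reply)}")
    return findings

# Constructed sample headers: a CEO-fraud "document to sign" lure and a genuine mail.
CEO_FRAUD = ("From: Jane Doe <jane.doe@exarnple.com>\n"
             "Reply-To: jane.doe@mail-relay.invalid\n"
             "Subject: Document to sign\n\n")
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Agenda\n\n"

if __name__ == "__main__":
    for label, raw in (("ceo-fraud", CEO_FRAUD), ("legit", LEGIT)):
        print(label, assess_headers(raw))
```

A real mail gateway would add authentication results (SPF/DKIM/DMARC) to these checks; the point here is that the display name, which is what the recipient sees, is the one field the attacker fills in from OSINT.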

How can OSINT be integrated in a cybersecurity awareness and training program?

Better equip and teach employees

Although OSINT is increasingly mentioned as a technique, many people are still unaware of it. Integrating OSINT into employee cybersecurity education requires, first, becoming aware of the footprints left by our online activity and of the amount of information available.

Social networks have made people used to sharing selfies, screenshots and a whole host of information that could be used by hackers. Not everything is worth sharing.

An example? In 2020, the Dutch Minister of Defense shared a picture on Twitter that displayed the Zoom meeting code for the conference she was attending. This allowed a journalist to log onto the normally confidential call. This might have been harmless, but it highlights how sharing can be dangerous.

Create the right reflexes by integrating OSINT in your phishing simulations

Awareness isn’t going to be enough to effectively protect your teams against the spear-phishing attacks hackers use.

It’s important to incorporate OSINT in phishing simulations in order to train the teams against the attacks they might face and to help them develop the right analysis reflexes when confronted with the emails they receive.

Phishing simulations will therefore be more effective, training your teams in real-life conditions, if they include elements such as the tools used by your employees, the names of customers or suppliers, the members of the C-suite, or the company’s electronic signatures… just as hackers would use them.

OSINT is a very useful tool for hackers who are trying to craft realistic phishing and spear-phishing attacks.

That doesn’t mean hackers should be the only ones using it. Their creativity is boundless, but integrating their OSINT-based techniques, as well as the topic itself, into cybersecurity awareness and training programs will help protect your teams by making these techniques familiar to them.