For Cyber Security Awareness Month 2022, Gieorgi Zakurdaev shares his experience with Open-Source Intelligence (OSINT) tools, particularly when it comes to their power of scraping the Internet for publicly shared data, and emphasize the importance of protecting your social media profiles & securing your PII to minimize the risk of tailored social engineering attacks, such as spear phishing.
As technology continues to rapidly integrate itself into our lives, we inevitably become aware of the innumerable cyber risks that it imposes on ourselves and on our entourage. On the news, we consistently hear of events surrounding public figures and celebrities, whose privacy had been compromised and whose personal information was ultimately used with malicious intent in the cyber space. As a result, we strive to learn from their mistakes: we try to protect ourselves by creating strong passwords for our Internet accounts, by adding Multi-Factor Authentication (MFA) to our login procedures and by resorting to trustworthy means of sharing our data. Although such initiatives are excellent ways to exercise cybersecurity best-practices, we continue to deal with suspicious emails, scammer-generated text messages, and other endless strategies that adversaries employ in hopes of catching us off-guard and take advantage of our oversights.
Effectively, one question immediately arises as a result — how do cyber criminals continue to successfully deceive us, despite the precautionary measures that we take to protect our identity and personal information in the cyber space? While it is difficult to provide a definitive answer to this issue, improving our online security habits is a simple way to reduce the likelihood of becoming targets of tailored social engineering attacks.
Cyber criminals often leverage tactics that are similar to the techniques used in personalized web advertisement. After obtaining a simple piece of your Personally Identifiable Information (PII), such as your name, they use various tools and algorithms to scrape the Internet for additional sources of data, associating your identity to other pieces of your publicly exposed information. Through openly accessible social media, adversaries can easily gather your email, your phone number, your goals and interests, or your place of employment. Additionally, they also analyze your behaviour on the web, such as your frequently visited websites or your viewing history, using data-collection mechanisms, or simply by stealing or purchasing your data from other entities. Ultimately, by assembling pieces of your information scattered over the Internet, cyber-criminals are able to construct a rich profile for your identity, thus enabling them to use it as a target for tailored social engineering attacks, which are extremely deceiving due to their realistic nature.
Adversaries commonly employ Open-Source Intelligence (OSINT) tools in the information-gathering stages of their attacks. These allow them to scrape social media platforms, websites, and other public spaces quickly and efficiently for visibly exposed PII. In fact, a variety of OSINT tools are widely available online (8 Best OSINT Tools in 2022): some require paid subscriptions, while others are open source and command-line based.
Throughout my personal journey in cybersecurity research, I decided to run an OSINT investigation on myself by following a simple tutorial by Null Byte. Convinced that, for many years, I exercised strong cybersecurity best-practices, in terms of exposing my information on the Internet, I was shocked by the results of my experiment. Simply entering my phone number in the command-line tool yielded an exhaustive scrape of innumerable media platforms, discovering my gender, my previous address, my employer, and my email address — all of which were primarily collected from sources such as Whitepages, Instagram, Facebook, and LinkedIn. Intrigued, I dedicated some time to identify the causes of my demise. Shortly, I discovered that my LinkedIn profile exposed my email address and my employer, my Facebook and Instagram accounts openly declared my gender, while my previous address was associated with my phone number on Whitepages. Over the next few days, I ensured to configure the privacy and information sharing settings on my social media accounts with superior care. After running the OSINT investigation once more afterwards, I found that most of my PII was no longer discoverable, while other minor details, such as my gender, remained in the output of the search query.
In essence, my experience allowed me to identify several takeaways from this experiment, which, in my opinion, are critical to most Internet users aiming to protect their PII online:
- Ensure that your social media profiles are strictly exposing information that you are comfortable sharing publicly and restrict access to data that you intend to keep private.
- Review the privacy settings of your existent accounts and protect key information pieces that may be associated with your identity (i.e., phone number, email, etc.).
- Remember that once your PII is openly exposed on the Internet, it may no longer be recuperable: adjust your accounts’ privacy settings immediately upon creation, rather than at a later time.
- Beware of data collection measures of applications, websites, and other platforms: review the terms and conditions carefully before accepting them and avoid suspicious or untrustworthy sources.
- Proactively evaluate your Internet cybersecurity posture: consistently review the settings of your online accounts and assess the exposure of your publicly available data and information.
The cost of exercising care and cyber awareness on the Internet is far less straining on our time and effort than the one resulting from the disastrous consequences of our oversights. While, nowadays, we often lose track of the innumerable places where our PII can be exposed, it is not only critical to reduce our existing vulnerabilities on the web, but it is also important to approach our future online experiences with thorough precautionary measures. Inconsiderably exposing our PII to the public can easily affect our interpretation of tailored social engineering attacks and yield dire effects, while we continue to dismiss adequate preventive actions.