Hostile Profiling: Who’s Watching Over You? 

The connected world of the internet provides a plethora of opportunities for criminals to target individuals and businesses.

David Benford, Managing Director of Blackstage Forensics, internationally renowned for his work in ‘open source intelligence’ and an expert on privacy and security vulnerabilities arising from online data and mobile devices, talks to TAPA EMEA about ‘Stealer Logs’ and the risks to supply chains from online data and devices. In this special report, based on his presentation, David highlights the risks and offers advice on how to reduce your chances of becoming a victim of ‘Hostile Profiling’…

Most businesses operating within supply chains apply a lot of resources to improving and maintaining their cybersecurity systems to assist with protecting themselves, their clients, and the supply chain itself. They do their best to make any form of cyberattack as difficult as possible. 

The truth is that in most instances the easiest way to target the supply chain is for criminals to focus on, and target, employees, contractors, and trading partners directly through their private lives and social media. This sort of attack may be carried out against senior executives, drivers, technical staff, warehouse staff, security personnel or, in fact, anybody connected to the organisation. 

The types of personal vulnerability can vary and may include a perpetrator discovering a person has online accounts that they would normally wish to keep secret from family and colleagues. The criminals use their knowledge of this as leverage to try and engage the victim as an inside threat, maybe to gain access to goods, information or buildings. Alternatively, they may find information online about their target’s children and where they attend school, for example, again using this knowledge against their target to attempt to engage them as an insider. 

By now, most people are aware of vulnerabilities linked to social media, but many are unaware of the increasing technical abilities of organised crime, or of how criminals can engage industry specialists in open source research to carry out online profiling on their behalf. There is increasing evidence of this occurring around the world, where criminals who do not possess open source intelligence (OSINT) skills are paying others to assist them. I would argue that the majority of crimes carried out against supply chains will always involve a certain amount of online research beforehand, which could be referred to as digital pretexting. They identify a person’s pattern of life, hoping either to target them for a physical attack or cyberattack, to steal from them, to threaten them, or to recruit them as their “person on the inside” to enable access to the target organisation.

Stealer Logs

We are seeing a growth in attacks against individuals by use of a form of malware attack known as “stealers”. In cybersecurity, stealers refer to a type of malware designed to steal sensitive information from a compromised system. It seems that stealers primarily target Windows operating systems. These short-lived, malicious, and intelligent programmes are specifically crafted to gather various forms of valuable data, such as login credentials, financial information, personal documents, cookies, or other sensitive data that can be exploited for malicious purposes. Stealers typically work by employing different techniques to harvest data from a victim’s device. 

Some common methods used by stealers include:

Keyloggers 

These stealers record keystrokes made by the user, capturing usernames, passwords, and other sensitive information entered via the keyboard.

Credential Harvesting 

Stealers target web browsers and email clients to extract login credentials and saved passwords. They may also target other applications that store authentication information.

Form Grabbing

This technique involves capturing data submitted through web forms, including credit card details, addresses, or any other data entered on websites.

Clipboard Theft 

Stealers can monitor the system clipboard and capture any sensitive information copied by the user, such as passwords or credit card numbers.

File Theft

Some stealers search for specific file types, such as documents or databases, and exfiltrate them to the attacker’s server for further analysis or exploitation.

Cookie Theft 

Many stealers find and take cookies, including session cookies. Stolen session cookies can be used to access a user’s accounts without needing any other login credentials, such as passwords or multi-factor authentication.

Once the stealer collects the stolen information, it is often transmitted back to the attacker’s command-and-control server, where they can analyse and misuse the data for various malicious activities, such as identity theft, financial fraud, or unauthorised access.

It is relatively easy, for those in the know, to link data obtained from data breaches to online personal accounts of their target. They may find evidence in a stealer log that a worker has accounts that they would rather remain private, such as access to their profiles on pornography sites or other platforms which may cause them problems if they were made public. The threat of exposing their online activities may offer another modus operandi for engaging them as an inside threat.

I have also seen many examples of evidence within stealer logs of logins stolen from a browser. 

Within these stolen records there are users’ login credentials for normal day-to-day accounts, such as shopping, food delivery, banking, health platforms, social media, and webmail, but within the stolen data there may be logins for sex-related sites. Additionally, there may be saved logins where they have used their work email address, with records showing links to their employer’s HR platform or other areas of corporate access, creating a vulnerability for their employer. 
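As an added illustration (not code from the article or from Blackstage Forensics), the following Python triages a constructed stealer-log credential export in the URL/USER/PASS block layout, flagging logins that expose the employer and checking, via password fingerprints rather than the passwords themselves, whether a work password is also used on a personal site. The employer domain example.com, the HR platform host hr-portal.example and all credentials are assumed sample values.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample in the "URL:/USER:/PASS:" block layout many stealer families
# use for browser-credential exports. Values are made up: example.com is the assumed
# employer domain, hr-portal.example an assumed third-party HR platform it uses.
SAMPLE_LOG = """\
URL: https://shop.example.net/login
USER: jane.doe@gmail.com
PASS: Summer2023!

URL: https://hr-portal.example/sso
USER: jane.doe@example.com
PASS: Summer2023!

URL: https://mail.example.com/
USER: jane.doe@example.com
PASS: W0rkOnly#Pass
"""

RECORD_RE = re.compile(r"URL:[ \t]*(?P<url>\S+)\s*USER:[ \t]*(?P<user>\S*)\s*PASS:[ \t]*(?P<pw>[^\n]*)")

def parse_stealer_log(text):
    """One dict per record; the clear-text password is replaced by a short
    SHA-256 fingerprint so reuse can be checked without keeping the secret."""
    out = []
    for m in RECORD_RE.finditer(text):
        host = (urlsplit(m["url"]).hostname or "").lower()
        fp = hashlib.sha256(m["pw"].strip().encode()).hexdigest()[:12]
        out.append({"host": host, "user": m["user"].lower(), "pw_fp": fp})
    return out

def triage(records, corp_domain, corp_hosts=()):
    """Flag records that expose the employer (work e-mail login, or a login to a
    corporate host) and list any non-corporate site where the same password
    fingerprint appears: that reuse turns a personal breach into a corporate one."""
    corp_domain, corp_hosts = corp_domain.lower(), {h.lower() for h in corp_hosts}

    def is_corp(r):
        return (r["user"].endswith("@" + corp_domain) or r["host"] == corp_domain
                or r["host"].endswith("." + corp_domain) or r["host"] in corp_hosts)

    findings = []
    for r in records:
        if is_corp(r):
            reused = sorted({o["host"] for o in records
                             if not is_corp(o) and o["pw_fp"] == r["pw_fp"]})
            findings.append({"user": r["user"], "host": r["host"], "reused_on": reused})
    return findings
```

Each finding is a credential to reset immediately; a non-empty reused_on list is the case to prioritise, since the personal-site login alone is enough to reach the corporate account.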

To protect against stealers and other forms of malware, it is crucial to maintain up-to-date antivirus software, regularly apply security patches and updates, use strong and unique passwords, exercise caution when clicking on suspicious links or downloading files, and follow best practices for online security and privacy. In addition, it is not advisable to save passwords or credit card details within your browser. Instead, consider using a third-party password manager, such as Bitwarden, which is preferable to saving passwords in your browser. Do ensure that your password manager is protected by a very strong password or pass-phrase (and do not lose it). Also use multi-factor authentication to protect it, preferably by means of an app, such as Authy or OpenOTP.

Social Media

Several years ago, when I spoke at TAPA EMEA’s conference in Dublin, my main focus for supply chain vulnerabilities was around geo-located social media posts made by staff. These included drivers showing where they park at night, or staff in distribution centres showing workplace interiors or where in the building they worked. For either of these, we were easily able to see where they’d been posting from home, creating vulnerabilities for themselves, their families, and for the business. 

Nowadays, social media geo-locations created by apps are a lot vaguer, partly down to GDPR, and also because social media providers have suffered bad publicity from issues such as Cambridge Analytica. However, there are still multiple issues around how staff and contractors use social media apps. Vulnerabilities include visual content within photographs posted online, along with what they are saying within their posts. Posting online both at work and away from work gives an open door to criminals, who are able to analyse their movements, life patterns, and family members. Threats from criminals can come in various forms, such as a criminal making contact with a driver and perhaps sending a WhatsApp photograph of their child outside their home or school. This may be enough to force the employee to become an accomplice and engage them as an inside threat. They may use them to gather information, access a property, steal for them, “lose” some goods from their vehicle, or obtain a door key from them. The options for manipulation are numerous.

To reduce risk around social media, my advice would always be to minimise mentions of your workplace within social media posts, other than on work-related platforms such as LinkedIn. LinkedIn users will naturally mention their workplace a lot, but in most cases their family members are not connected to them on LinkedIn, and are more likely to connect with them via Facebook, Instagram or TikTok.

My best advice for those who really enjoy using social media would be this:

Maximise privacy settings

Ensure your posts, photos, and comments can only be seen by your online connections. In the case of Facebook, you should ensure you lock down “reactions” to your posts, as well as locking down your “likes”. Public access to your “likes” list can give away your hometown, interests, children’s school, hairdressers, favourite café or bar, and so on…

Photographs 

Refrain from posting public photos of your home or family members. Even photographs taken from inside your home, where others can see the view through the window, can be used by hostile third parties to locate your home by use of online maps. All that is needed here is time and tenacity.

Home address

Can you find your home address online via search engines, company records, electoral records or other means? Put some time aside to search for data linking to yourself or your family and get a clear understanding of the online data that may expose you. Thanks to GDPR, you may be able to get the majority of this data removed, thereby reducing risk for yourself and your company. Alternatively, you could go to a company, such as mine, to carry out a comprehensive digital risk profile for you, assist with data removal, and offer you strategies to improve not only your digital security but also your privacy and that of your family, allowing you to live your digital lives while staying “under the radar” as much as possible.

Help at hand…

David Benford will be running an in-person Open Source Intelligence Investigation Training course from 7-10 November 2023 in Lichfield in the United Kingdom. Further information can be found here. Blackstage also provides bespoke courses where required.
