I took a Cyber Security course this Spring which included an assignment to design a Spear Phishing attack against key officials for a Nasdaq company. I chose a North Carolina manufacturer with about $125 million in annual sales. Facebook wound up being my top resource.
Although the CEO had considerable security on his page, by the time I was done I had his photo, his wife's, his sister's, his kids', their home location and several photos of it (see below), its value, his income, his net worth, tax records, the office location, his home and work phone numbers, his e-mail address, the names and addresses of his high school buddies, his interests (baseball, fishing and Christianity), vacation photos (Atlanta Braves baseball camp!), and a lot more.
I wound up designing an attack based on an "In Memoriam" guest book that the CEO's wife had signed. She'd written: "Ron, Brenda, Tina and Chris, Sidney and I are so sorry for your loss. We have a lot of fond memories of Shane chatting with him at the ball fields. We love you and will keep you in our prayers. Sidney and Amy Xxxxxx" - Amy Xxxxxx (Raleigh, NC)
BTW, in an ironic display of particularly bad taste, the guest book NOW says "The entry for Shane Yyyyy has expired." LOL! I think they could have phrased that a little more diplomatically, don't you?
Waaaaay too much information there for the wife of a very wealthy CEO to be doling out.
In my hypothetical attack, a spear phisher creates a Yahoo account in the name of Shane's wife. "She" sends Amy an e-mail announcing a memorial softball game being held for Shane in Atlanta now that he's been gone for just over one year. She steers him to a website and signs off with a guilt trip: "Shane would have wanted you to come." And "We love you guys."
Of course, the attack was really about bilking money out of the family. It wouldn't have been too difficult, given that the CEO was close friends with the dead guy.
My instructor, by the way, said that he had no doubt that my attack would have worked. And... that there are special places in Hell reserved for anyone who would design an attack based on someone's dead friend! *grin*
The main lesson I learned? It doesn't really matter if you have your Facebook information protected if your friends don't have THEIR security set just as tight. I wasn't able to get much from the CEO or his wife. But his sister's and, ultimately, his kids' pages gave me a TON of personal material about the family.
One of my instructor's other comments about my presentation was that if the CEO and his wife knew how much information I had obtained about their family, they would feel "incredibly violated."
Yup. No doubt about that.
The younger daughter and her friend: [photo]
His sister, her husband, and an older woman: [photo]
These pics are available in higher quality on Facebook. I'm not going to post them, though.
Here's the CEO's 6,986 sqft house in a suburb outside of Raleigh: [photo]