CEOs on Facebook easy to dupe, says researcher

Security vendor poses as school chum, gleans data for 'spear phishing' attacks

Corporate executives should think twice about the information they disclose on social networking sites such as Facebook, a Hong Kong-based security company warned Friday after duping gullible CEOs and finance directors into revealing personal details that could be used for so-called spear-phishing attacks.

Network Box, which makes and sells threat prevention appliances, recently conducted an experiment to see how difficult it is to glean important information from business executives.

"We were asked to see if we could gain information about individuals without having a real-life link to them," said Simon Heron, Network Box's managing director, in an e-mail. "We used a fake Web mail account to create a fake Facebook account. With this, we approached individuals who we knew to be in quite senior positions and simply asked to be their friends, explaining that we knew them while at school."

The results would make an identity thief proud. Several of the targets, explained Heron, gladly accepted the request from the bogus "friend," giving Network Box access to their profiles, which in turn could be mined for the kind of personal information necessary to make very targeted phishing e-mails convincing.

"We found personal details, including dates of birth, mobile phone numbers, home addresses, company name and job titles, and even [a] mother's date of birth," said Heron. "If [you] wanted to go spear phishing, knowing your prey has money is key, as well as how to target them. If you know they are a CEO or [finance director], then you know they will be vulnerable about getting complaints about the company. We can then target them to download documents with malicious code embedded or get them to visit an infected site."

Criminals will go to great lengths to obtain the information they need to craft a spear-phishing attack, if only because the targets -- high-profile company executives who have access to a firm's most important secrets or data -- are so lucrative. One of the most egregious examples of spear phishing in the last year was the follow-on spam campaign that cybercrooks launched after looting Monster.com's database, making off with information on 1.3 million people who had posted resumes on the popular job search Web site.

Heron recommended that executives steer clear of all social networking sites, and that companies remind all employees to refrain from posting company information on such places.

"Any con can be a lot more successful if the con artist has personal information about the target," Heron concluded.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?