Doxing an individual can be a time-consuming and ultimately fruitless process, but the potential payout for doxing corporate employees can be huge, making them a much more tempting target.
Doxing is the act of harvesting confidential information about someone in order to inflict harm or gain some benefit using that info. Traditionally thought to be a risk for individuals, Kaspersky reports that it's increasingly being used to target corporate employees: 1,646 unique instances of one particular type of attack were detected by Kaspersky in February 2021, alone.
The doxing of individuals can be time-consuming and costly, and can result in little net gain for an attacker looking to financially capitalize. "However, when doxing is aimed at the corporate sector, cybercriminals are less hindered by the cost of an attack because the potential monetary rewards are much larger," Kaspersky said, noting that corporate doxers are turning to the same tactics as those used by advanced persistent threat groups like The Lazarus Group and other nation-state-sponsored hacking collectives.
SEE: Identity theft protection policy (TechRepublic Premium)
Cybercriminals are using a variety of methods to harvest data and turn it against corporations in order to reroute bank transfers, steal paychecks, and perform other nefarious actions. None of them are new, unique or surprising, but they are tricky and can be hard to defend against.
Data harvested from public sources
"The internet can provide doxers with all kinds of helpful information, such as the names and positions of employees, including those who occupy key positions in the company," Kaspersky said.
One popular use for the data gleaned from public sources is business email compromise attacks, in which an attacker corresponds with someone in a target company using a spoofed email address: It's this form of attack that Kaspersky detected more than 1,500 unique cases of in February 2021.
BEC attacks can leverage public info to redirect payments by spoofing the address of someone who is on vacation and otherwise unreachable, or can use personal details to make a BEC message appear more legitimate. BEC attacks are also frequently used to gain additional information by asking for confidential documents, access to databases and the like.
Previously leaked data
Data breaches are a regular occurrence in this day and age, and even seemingly innocuous data can later be used to attack companies later on. It's also possible for employee carelessness to result in data being leaked—anything that ends up in the public domain can be used to help criminals fill out their dossier on a target.
Tracking pixels hidden in emails
Another common trick Kaspersky mentioned is the use of tracking pixels, small 1x1 images that appear invisible to an email recipient, but which are filled with HTML code that transmits data such as mail client type, IP address, read time, and other potentially useful info to an attacker.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Kaspersky notes that tracking pixel attacks have been previously used to learn the work schedule of targets in order to maximize the chances that emails are opened or to find the perfect window to attempt a scam.
Phishing and vishing
Email and phone phishing continue to be popular methods of hijacking accounts in order to give attackers a foothold from which they can steal additional information and launch more complicated doxing attacks. Twitter was famously attacked in this way, leading to the hijacking of several high-profile accounts that enabled them to make off with more than $110,000 in Bitcoin.
Protecting your organization from doxing attacks
"The doxing of organizations, just as of people, may result in financial and reputational losses, and the more sensitive the confidential information extracted is, the higher the harm. At the same time, doxing is one of the threats that could be prevented or at least significantly minimized with strong security procedures within an organization," said Kaspersky security researcher Roman Dedenok.
The procedures that Kaspersky recommends include:
- Establishing rules prohibiting employees from discussing work-related issues in messaging apps other than official company platforms.
- Raise employee awareness of potential threats, which Kaspersky said is the only effective way to counter social engineering techniques.
- Train employees to double-check information requests that come via email with a phone call or message sent from another platform to the sender, especially if it's an abnormal one.
- Make sure anti-spam and anti-phishing solutions are in use and kept up-to-date against the latest threats.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)