In the world of cybersecurity, there has been a growing recognition of the need for security awareness training to combat the increasing threat of social engineering. However, while this training often focuses on the tactics and responses to attacks, little attention is given to why and how certain individuals are chosen as targets by professional human hackers. Understanding the methodology behind target selection can better prepare potential victims to defend against advanced social engineering techniques.
During his time working for the CIA, Peter Warmka, the founder of the Counterintelligence Institute, would carefully select his targets based on their perceived ability to facilitate the breach of their organization. He would start by acquiring an organizational chart and speculating on their level of access based on their title and position. Today, threat actors, whether they be intelligence services, industrial competitors, activist groups, or criminal rings, use similar tactics and often turn to LinkedIn for identifying potential targets.
With LinkedIn’s specific search capabilities, hackers can narrow down their pool of targets based on organization, title, location, academic background, professional certifications, and more. This allows them to identify a manageable group of attractive candidates for their attacks.
Once potential targets are identified, the next step is the assessment process. In Warmka’s previous role as a CIA recruiter, this involved developing a pretext to contact the target and spending multiple hours getting to know them during lunches or social engagements. This information would help assess whether they were viable targets and what leverage or manipulation could be used to turn them into sources.
Today, professional human hackers no longer need to personally engage with their targets to gather assessment information. Instead, they turn to the social media accounts of potential victims. Platforms like Facebook, Twitter, and Instagram provide a wealth of information, including hobbies, interests, favorite sports teams, music preferences, travel plans, socioeconomic status, and even the target’s daily routine.
With this information, hackers can develop a personality profile of the target, identifying specific motivations and vulnerabilities. This profile then guides the development of social engineering tactics, ranging from spear-phishing emails and vishing calls to face-to-face encounters. Hackers leverage the target’s motivations and vulnerabilities to manipulate them into falling for their schemes.
Warmka provides two examples to illustrate how this methodology works. In one case, an intelligence service targets the CEO of a defense contractor who frequently posts pictures of himself sailing on Facebook. The service sends an email appearing to come from the CEO’s nautical club, announcing an opportunity for a Mediterranean excursion. The email includes attachments with malware that infects the CEO’s personal laptop and provides access to the company’s network.
In another example, a criminal group targets a financial service provider and identifies a new receptionist as a vulnerable insider. They call the receptionist, posing as the company’s IT management provider, and inform her that files in her IT account have been corrupted. Leveraging fear, they convince her to approve their takeover of her account, which in fact creates a backdoor into the company’s network. The distraction tactic used during the call is based on information from the receptionist’s Facebook profile, which reveals her passion for animal rescues.
Understanding how professional human hackers select and assess their targets is crucial for individuals to protect themselves. It highlights the importance of being cautious about the personal information shared on social media platforms and the need for stricter privacy settings. Unsolicited incoming communication that exploits an individual’s vulnerabilities or motivations should be treated with caution and skepticism.
Peter Warmka, the author of “Confessions of a CIA Spy – The Art of Human Hacking,” has a wealth of experience in breaching the security of target organizations overseas. He is the founder of the Counterintelligence Institute, which offers training programs and resources on social engineering and insider manipulation. As a certified fraud examiner and protection professional, Warmka is a frequent conference speaker and author on these topics.
In conclusion, the methodology behind target selection and assessment by professional human hackers is crucial to understand in order to enhance security awareness and protect against social engineering attacks. By recognizing the information that hackers can gather from social media profiles and the tactics they use, individuals can better safeguard themselves from falling victim to such attacks.
