Hackers are using marketing databases to find your information. The data is free, publicly available, and easy to harvest.
This is what Jigsaw looks like in action, accessing hundreds of employee contacts in seconds with one click.
The high-profile hacks that have plagued media companies in recent months all have one thing in common: they start with a simple email.
In January, The New York Times admitted the company had fallen victim to a spear-phishing attack, in which Chinese hackers sent “e-mails to employees that contain malicious links or attachments.” Since then, the hacks have become a monthly, if not weekly, occurrence. Organizations like the AP, The Onion, CBS, and The Guardian have all experienced security breaches in 2013 — mostly hijacked social media accounts — all caused by successful phishing scams from the Syrian Electronic Army.
In these scenarios, hackers pick an organization and target individual employees with a convincing, tailored email, often masquerading as an important company document or as a security update from a social network. Whatever the format, the end game is the same: getting employees to willingly cough up usernames and passwords.
So how does it work? As RSA researcher Christopher Elisan notes on RSA’s security blog, finding an organization and targeting its employees by department isn't hard at all. In fact, most of the heavy lifting can be done using publicly available contact databases, like Jigsaw, an online business directory of companies and employees.
Jigsaw's crowdsourced database acts like a massive online Rolodex with over 29 million contacts from over 4 million companies, and Elisan believes it “could prove to be an extremely valuable tool in helping cyber criminals plan more sophisticated email-based attacks.” Using a readily available Ruby script that queries Jigsaw's database, an attacker can search for a company by name, retrieve its “Jigsaw ID,” use that ID to list a specific department within the organization, and from there drill down to individual employees and their contact details. In essence, tools like Jigsaw take most of the “hacking” out of the hack, allowing attackers to adopt long-standing marketing tactics, only with far more malicious intent.
This is what it all looks like: the search starts broad, but quickly narrows down by department and even employee name.
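As an added example, not code from the article or from the Ruby tool it mentions, the script below models the same narrowing workflow against a small constructed directory embedded in the file: company name, to a company ID standing in for the Jigsaw ID, to a department, to individual contacts, and finally to candidate email addresses under a guessed naming convention. The contact rows, the ID values, the domain `example-media.test` and the address patterns are all assumptions made for illustration; no live directory is queried.

```ruby
require 'csv'

# Constructed sample data (not real Jigsaw records) in the shape of a
# crowdsourced contact-directory export: company, a hypothetical numeric
# company ID standing in for the "Jigsaw ID", department, name, title.
SAMPLE_DIRECTORY = <<~DIRECTORY
  company,company_id,department,name,title
  Example Media Co,100023,Editorial,Ann Lee,Senior Editor
  Example Media Co,100023,Editorial,Bob Ortiz,Staff Writer
  Example Media Co,100023,Social Media,Cara Diaz,Social Media Manager
  Example Media Co,100023,IT,Dan Wu,Systems Administrator
  Example Holdings,100024,Finance,Eve Park,Controller
  Other Corp,200011,Editorial,Frank Ng,Editor
DIRECTORY

# Parse the export into an array of string-keyed hashes, one per contact.
def load_directory(csv_text)
  CSV.parse(csv_text, headers: true).map(&:to_h)
end

# Step 1: search by company name (case-insensitive substring) and return the
# distinct [company name, company ID] pairs that match. A broad search term
# can hit several companies, so the caller must pick the ID it actually wants.
def find_companies(rows, name)
  needle = name.downcase
  rows.select { |r| r['company'].downcase.include?(needle) }
      .map { |r| [r['company'], r['company_id']] }
      .uniq
end

# Step 2: departments listed under one company ID, with headcount, so an
# attacker (or a defender auditing exposure) can see which teams are exposed.
def departments_for(rows, company_id)
  rows.select { |r| r['company_id'] == company_id }
      .group_by { |r| r['department'] }
      .transform_values(&:size)
end

# Step 3: the individual contacts in one department of one company.
def contacts_in(rows, company_id, department)
  rows.select { |r| r['company_id'] == company_id && r['department'] == department }
end

# Step 4: derive a candidate address from a name under an assumed mail
# convention. The convention (first.last, flast, first) is a guess that an
# attacker would confirm against any single known address at the target.
def candidate_email(name, domain, pattern = :first_dot_last)
  first, last = name.downcase.split(/\s+/, 2)
  return nil if first.nil? || last.nil?   # single-token names cannot be mapped
  last = last.gsub(/\s+/, '')             # "de la cruz" -> "delacruz"
  case pattern
  when :first_dot_last then "#{first}.#{last}@#{domain}"
  when :flast          then "#{first[0]}#{last}@#{domain}"
  when :first          then "#{first}@#{domain}"
  else raise ArgumentError, "unknown pattern #{pattern.inspect}"
  end
end

# Chain the steps: company name -> ID -> department -> per-person target list.
# Refuses to guess when the name search is ambiguous, rather than silently
# building a list for the wrong company.
def build_target_list(rows, company_name, department, domain, pattern = :first_dot_last)
  matches = find_companies(rows, company_name)
  raise "ambiguous company name #{company_name.inspect}: #{matches.inspect}" if matches.size > 1
  return [] if matches.empty?
  _, company_id = matches.first
  contacts_in(rows, company_id, department).map do |c|
    { name: c['name'], title: c['title'], email: candidate_email(c['name'], domain, pattern) }
  end
end

if __FILE__ == $PROGRAM_NAME
  rows = load_directory(SAMPLE_DIRECTORY)
  puts departments_for(rows, '100023').inspect
  build_target_list(rows, 'example media', 'Editorial', 'example-media.test').each { |t| puts t.inspect }
end
```

Run against your own organization's entry in any such directory, the same three lookups are a cheap way to see exactly what an attacker gets for free: the departments listed, the names a lure would be addressed to, and how much of the company's address convention the directory gives away.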
Originally Posted By BuzzFeed - Tech