Spear phishing with public records

Ever wonder how people get fooled into identity theft on the Interwebs? I mean, you’d never get caught up in one of those goofy online scams; you can see those from a mile away, right? Don’t be too confident. Many of us could quickly be fooled into becoming the victim of a targeted “spear phishing” attack, and such an attack can begin with something as simple as your address.

What does someone know about you from your address? More than you might think, and most likely more than you’re comfortable with. By collecting information about you, attackers craft stories to trick you into giving them more information. Don’t think someone can gather enough to trick you? You might be surprised what a simple public records search will turn up.

I live in Columbus Ohio, that’s Franklin County, so I’ll list my local government sites as examples.

  1. Franklin County Auditor’s site, property lookup – Gives the attacker the names of property owners and the lending company that financed the property. Owner and lender normally trust each other, so impersonating one to the other is a big target for fooling people into offering up additional information.
  2. Franklin County Municipal Court, case lookup – Gives an attacker access to traffic and criminal cases. If you’ve ever had a ticket, your DOB, address, and license plate are now in the attacker’s arsenal.
  3. Franklin County Clerk of Courts for a few more case lookups – Criminal, civil or domestic, your dirty laundry is public for all to see. In some cases the court orders themselves are attached as PDFs. This is a treasure trove for an attacker building enough context to gain your trust.
  4. Don’t forget statistical information – where you live says a lot about where you likely work, how much money you make, whether or not you have kids, and even where they go to school. All of this can be used against you.

So with these simple look-ups (no social media or paid services required) an attacker knows who owns a property and who finances it. They know your birthday and any traffic violations or domestic cases you’re involved in. If you have a domestic case, they have your children’s names and birth dates too. That is all that’s needed to craft a story that gets you talking and giving up more information.

“This is XXX from XXX Financial, our records show you’re 90 days past due on your mortgage. How would you like to rectify this today?” That is normally enough to get an emotional reaction and knock people off their game. Instantly you’re focused on the billing error, not your security, and then they have you. “Could you please give me the last four digits of your Social Security number so I can look at what might be wrong with your payments?” Of course you will – that’s standard these days to access an account.

Now the attacker has everything they need to contact your finance company and collect even more information. It happens that fast and it happens all too often. People are more critical of email than of phone calls, but the phone is the more likely vector for a personalized attack. Never assume the person calling you is who they say they are. Hang up and call back on a number you obtained yourself, such as the one printed on your statement or card, so that you initiate the call and you are the one validating them, not the other way around.

Most of all, know what information is available about you. Social media is one way of collecting personal information, but as the look-ups above show, it’s far from the only one.
