Open Source Intelligence: How Hackers Gather Your Information

By Dr. A. J. Rutherford
Faculty Member, School of Security and Global Studies

The world today is a much different place than it was two to three decades ago. Over time, we have seen the explosion of the internet and social media, along with everyone’s thirst to promote themselves and share their lives with the world. But online self-promotion can also result in your private information being hacked.

The first step to mitigating exposure and defending yourself against hackers starts with understanding the open source intelligence (OSINT) framework. But what is open source intelligence? 

Open source intelligence involves a collection of links to different URLs, which show the user where to look when investigating a potential target. Using various tools, a malicious actor can easily filter through the massive amounts of data that people put out on the internet. Hackers can then craft an attack from the information that you willingly exposed via online sites.

Hackers Play on Their Victims’ Weaknesses

When hackers scour the internet for victims, they traditionally use one of four human weaknesses, known as “MICE”:

  • Money
  • Ideology
  • Compromise
  • Ego

Generally, the easiest weakness to exploit is compromise. Using social media sites such as LinkedIn, Twitter, Facebook or Instagram – which are used to market companies as well as individuals – it is very easy for a malicious actor to gather information about an individual. That individual can then be conned into revealing proprietary information that compromises a company’s security.

Social Engineering and How It Is Used by Hackers

In a recent article, “6 Tips to Maintain Cell Phone Security for the Holidays,” I mentioned how hackers acting as social engineers can gather information simply by looking over your shoulder as you use your electronic devices in public. According to Imperva, social engineering is a process that consists of four phases:

  • Investigation
  • Hook
  • Play
  • Exit

During the “investigation” phase of an attack, a hacker gathers personal and professional data from the unsuspecting target’s digital footprint. The digital footprint can be active (the intentional disclosure of information) or passive (the unintentional disclosure of information). Both types of information are useful to an attacker. 

The hacker will then “hook” a victim by taking information gathered during the investigation phase and using it to deceive and manipulate the victim. The hook phase might involve:

  • A phishing attack
  • A conversation with a random stranger who coincidentally has a lot of the same interests
  • An odd phone call from someone who claims to be from Payroll, IT, Security or another business department 

Following the hook, the attacker will continue “playing” the victim, making an interaction appear to be legitimate. After the hacker’s goal has been achieved, that hacker will then “exit” by leaving the area, disconnecting from a phone call or disappearing from a computer system.

Protecting Yourself from Hackers Using Open Source Intelligence

Protecting yourself from hackers starts with being aware of how hackers manipulate you. First, don’t fall for scams that play upon your greed or gullibility. For instance, do you really know any foreign dignitaries who want to give away a fortune to you in return for you sending them your bank account number? Is there really a stranded American citizen who needs your $10,000 to return to the United States?

Second, be aware of carefully crafted business emails that look legitimate but leave you feeling that something seems “off.” Before giving out any information in response to an unsolicited email, for instance, think to yourself, “Who is Betty in finance? Why is she asking me for my bank account number and routing number to pass to Human Resources?”

Third, be wary of “tailgaters” at building access points or strangers who seem overly curious about what you’re doing. They may be trying to establish rapport and catch you off guard in an attempt to enter a building that houses private information.

Fourth, be wary of “authority” figures who ask for personally identifiable information (PII) or financial information. Instead, check to see if they are legitimate.

Lastly, don’t fall prey to the fear of missing out (FOMO). If someone offers you a promotion, a great deal or a free gift in return for giving them company data, don’t fall for the scam.

Ultimately, the best way to avoid falling prey to a hacker using open source intelligence is to familiarize yourself with the open source intelligence framework and be constantly aware of what data you put on the internet about yourself and your organization. At work, be familiar with your organization, your fellow employees and your command structure.

I am not saying you need to be Facebook friends with your CEO. However, you should know who your CEO is and understand that it is very unlikely that he or she will send a personal email asking you for financial information such as your bank account number. Also, stay aware of your physical surroundings, and be careful what you say to others about your personal or professional life. 

Dr. Rutherford is a retired Marine and currently a security consultant. He has taught cybersecurity and homeland security courses at various universities since 2009. Dr. Rutherford has a B.A. in homeland security from American Military University (AMU), an M.A. in intelligence studies from AMU and a Ph.D. in information security and assurance from Capella University.
