At a time when many CEOs are reevaluating their companies’ risk of cyber-attacks due to the growing tensions with Russia, it is also important that CEOs take additional measures to protect themselves from direct personal attacks – as hackers are increasingly targeting executives in their private lives in order to pull off large corporate breaches.
C-suite executives are the ideal target for any hacker, since these individuals have the greatest level of access within the company, they often have sensitive data stored on their devices, they can access the company’s financial accounts, and their email account (or other communication channels) can be used to instruct other employees to perform sensitive tasks like wire transfers.
Executives are usually well-protected when inside the corporate network, but in many cases that security vanishes as soon as they step outside. Their home networks, personal devices and personal accounts often have little to no meaningful protection.
This makes them an easy target for hackers, and we are seeing a significant increase in both criminal and nation-state operations that are zeroing in on executives as the initial point of attack.
Here are several ways that hackers target executives in their personal lives:
1. Data Broker Profiles
The majority of C-suite attacks begin with information gleaned from a data broker.
The data broker industry is not well known, but these companies amass vast amounts of detailed personal information on everyone, including top executives. All a hacker or criminal has to do is buy it.
Data broker profiles are risky for executives because they contain privileged information that hackers can use to break into their online accounts, steal corporate credentials and data, and assume their identities to social engineer other executives or employees. All of this can ultimately result in corporate breaches and financial theft.
My company recently analyzed over 200 data brokers and 750 of our corporate executive clients whose information had been collected by them. We found several areas of concern:
• 40% of online data brokers have executives’ home IP addresses: This is alarming because the only challenge hackers face when breaking into a home network is knowing the right one to target. This provides them with a virtual road map for hacking executives.
• On average, online data brokers maintain more than three personal email addresses for every executive record: Hackers can cross reference these email accounts against Dark Web “password dumps” to take over the executive’s email. They can also “spoof” the executive’s personal email account without actually hacking it, in order to trick another executive or employee.
• 95% of executive profiles contained personal and confidential information about their family, relatives, and neighbors: This makes it easier for a hacker to social engineer the executive, their family or close associates (such as colleagues, personal assistants, etc.), by citing private information that presumably only the executive or her close personal contacts would know.
• 70% of executive profiles also contain personal social media information and photos
2. Home Networks
An executive’s home network is a perfect target for hackers because it is usually not set up securely and as a result it is unprotected. Thus a breach will go unnoticed for a long time and the hacker will have access to a wide range of important devices.
Breaching a home network is relatively easy. Once the hacker knows the right IP address to target, s/he will typically scan the network for any exposed or vulnerable devices. Devices with no password or a default password are also prime targets for cybercriminals. Out-of-date firewalls and WiFi routers are another top target, but also at risk are Internet of Things devices (such as home security cameras), home automation systems, printers, gaming consoles and any other device that is outdated or unpatched, like a computer or laptop. As an example, my company recently breached one executive’s home network, as part of an ethical hacking test, by infiltrating an Internet-connected grand piano.
Once the hacker gets a foothold on the initial device, he will then look for other devices to target on the network. In this way, a hack that begins with one device can quickly lead to many devices in the home becoming compromised. High-value devices such as personal or business laptops and routers/modems pose the greatest risk because they give the hacker direct access to the executive’s data and corporate accounts.
However, other devices in the home can also lead to corporate data breaches. For instance, the hard drives many people use for backups are often not updated and are thus vulnerable. Additionally, any electronic device that is equipped with a microphone or camera (e.g., security cameras, smart speakers, smart TVs, baby monitors, etc.) can be used for espionage, competitive intelligence and criminal extortion.
3. Personal Accounts
Personal email, social media and messaging accounts are all useful targets for a hacker, because if the criminal can gain control of just one of these, then she can impersonate the executive by launching “Business Email Compromise” (or BEC) attacks on other executives and employees.
In this way, one compromised Gmail or LinkedIn account can quickly snowball into several hijacked accounts, potentially leading to a full corporate breach, Securities and Exchange Commission (SEC) investigation or corporate filing with the SEC.
Hackers also look for passwords that may be reused elsewhere. A hijacked Netflix or retail account may seem insignificant to the company’s overall cybersecurity, but if the executive uses that same password on other more important accounts—such as Office 365, Teams, Slack, FTP, etc.—then it becomes a much bigger problem.
Hackers have several ways to break into an executive’s personal accounts. The easiest way is to simply buy the password or session cookie, both of which are widely available in criminal Dark Web forums (using a stolen cookie bypasses the password and is known as a “pass-the-cookie” attack). Attackers will also use spear-phishing emails, which either trick the executive into signing in on a fake login page or install info-stealer malware on their device to harvest passwords and browser cookies.
4. Document Extortion
“Document extortion” is another risk that goes hand-in-hand with personal account takeovers, but it is worth calling out specifically.
In my practice, we have seen a steady increase in these attacks, and hackers are getting more aggressive in their tactics too. Consequently, executives should be prepared that any personal email compromise has a high chance of leading to an extortion attempt.
With this type of extortion, the hacker hunts for any sensitive document, file or written correspondence that would be embarrassing to the executive if publicly exposed. The most common extortion materials are legal documents, tax records, medical files and personal photos. However, hackers will also look for compromising email or text message conversations, as well as sensitive account subscriptions, such as dating services and adult websites.
5. Family Members
Attackers are always looking for the path of least resistance, and an executive’s children and spouse are often less protected and less cyber-aware, which makes them an easier target.
By hijacking a family member’s personal account or infecting one of their devices, the hacker is then able to stage a secondary attack on the executive. This may occur through “conversation hijacking” in which the hacker injects himself into a real conversation between the executive and a family member in order to solicit information or spread malware, or by gaining a foothold on the home network and then scanning for the executive’s devices.
However, family member attacks can also be considerably darker. In our practice, we have seen several “sextortion” cases where hackers either secretly recorded or cunningly solicited compromising images of someone in the family (often a teenage child) in order to blackmail the executive. The hacker will either “catfish” the victim on social media or dating sites, then manipulate them into sending the images, or they will infect the victim’s computer with a “webcam RAT,” which allows the criminal to remotely control the webcam and secretly record the victim.
How to Defend Against These Threats
C-Suite executives need to take several steps to reduce their personal “attack surface.”
First, they must remove their personal information and family’s personal information from all data broker websites. This is not easy, but there are professional services that can help.
Second, executives should harden their home networks. At a minimum, this includes: updating all devices in the home to the latest software, firmware and security versions, with a priority on important devices like routers, modems, firewalls, computers and printers; protecting all online accounts with strong, unique passwords and dual-factor authentication; encrypting all important documents, files or data; and backing up all important files, documents and data on an external hard drive that is not connected to the Internet.
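One way to check the “strong, unique passwords” item against the reuse risk described under Personal Accounts is to audit a password manager export for passwords shared between personal and corporate accounts. The script below is an added example, not part of the original article; the CSV column names (including the `scope` column) and all sample rows are constructed assumptions rather than any specific product's export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names, including "scope", are assumptions
# for illustration and do not match any particular password manager.
SAMPLE_EXPORT = """name,username,password,scope
Netflix,exec@example.com,Winter2022!,personal
Office 365,exec@corp.example,Winter2022!,corporate
Slack,exec@corp.example,k9#Tq2!vLx8@pR,corporate
Retail store,exec@example.com,Winter2022!,personal
LinkedIn,exec@example.com,blue-Harbor-71,personal
Gmail,exec@example.com,blue-Harbor-71,personal
"""


def find_reuse(export_text):
    """Return groups of accounts that share a password, highest risk first.

    The passwords themselves are never included in the findings, so the
    result can be shared with whoever has to drive the resets.
    """
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        groups[row["password"]].append((row["name"], row["scope"]))

    findings = []
    for accounts in groups.values():
        if len(accounts) < 2:
            continue  # unique password, nothing to report
        scopes = {scope for _, scope in accounts}
        findings.append({
            "accounts": sorted(name for name, _ in accounts),
            # Worst case: a personal account shares its password with a
            # corporate one, so a leaked personal login opens a work account.
            "crosses_into_corporate": {"personal", "corporate"} <= scopes,
        })
    # Cross-boundary reuse first, then the larger groups.
    findings.sort(key=lambda f: (not f["crosses_into_corporate"],
                                 -len(f["accounts"])))
    return findings


if __name__ == "__main__":
    for finding in find_reuse(SAMPLE_EXPORT):
        level = "HIGH" if finding["crosses_into_corporate"] else "medium"
        print(f"[{level}] shared password: {', '.join(finding['accounts'])}")
```

Run it on a machine you trust and delete the plaintext export afterwards, since the export file is itself a high-value target.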
IoT devices also require special attention since they are easier to breach. These devices should have strong, unique passwords and be updated regularly. They should also be kept off the main WiFi network and moved to the “guest network.” Add a camera cover or tape to any device inside the home that has an embedded camera.