A security researcher decided to see how hard it would be to create a targeted phishing attack on a total stranger. He went to Facebook and found a guy he did not know personally and found a wealth of information, including:
He visited Tapley’s Pub in Whistler, British Columbia, on Sept. 20.
He visited The Brewhouse in Whistler on Sept. 16.
The names of at least some of the people he was with on Sept. 13.
He visited the 192 Brewing Company on Sept. 12.
He visited the Chainline Brewing Company on Sept. 11.
He visited American Pacific Mortgage on Sept. 9.
He went to a Seattle Seahawks game on Sept. 3.
And based on his Facebook profile, it was clear who he worked for, the city in which he lives, his wife’s name, and lots of other information.
If the security researcher was a bad guy trying to get access to this victim’s corporate login credentials, he could easily create an email with the subject line “Problem with your credit card charge at Tapley’s Pub” — a subject line that would make him open the email given his recent visit there.
Next, in the email, the bad guy could write a short, believable message about a problem in running his credit card and provide a link asking him to verify the charge. That link could be to a site that would automatically download a keystroke logger to his computer, and GAME OVER.
The bad guy can now capture every keystroke of the victim from then on, which would include login credentials and other confidential information.
The moral of this story: do not share all kinds of personal information on social media. This is true from the mail room up to the board room. Shared personal information can come back to you and bite hard.