Tuesday, July 17, 2007

Targeted Extortion Attacks at Celebrities

Who else wants to hack celebrities besides wannabe uber leet h4x0rs looking for fame while brute forcing the username "Philton" with a dictionary word list of common pet names? Digitally naughty paparazzi wanting celebrities to do their work for them? Not necessarily, as third parties are looking for direct revenue streams from personal photos, often devastating to a celebrity's PR, obtained through targeted hacking attacks combined with extortion attempts:

"According to the police and S.M. Entertainment Friday, a 23-year-old college student was arrested for hacking a blog of singer BoA and blackmailing her, threatening to spread her private photos. The student, identified as Seo, sneaked onto BoA's Cyworld blog in April 2006 and obtained photos that she took with a male singer. He sent e-mails to her manager to threaten that he would release the photos if they did not provide money. He took 35 million won. S.M. Entertainment said in a press release that the victim was BoA and the male singer was Ahn Danny, former member of pop group g.o.d., and the two have been close friends."

This type of extortion attack is fundamentally flawed, because it rests on the attacker's assumption that the stolen personal data is most valuable to the person who faces major privacy exposure, totally excluding the possibility of forwarding it to third parties such as the "yellow press". Timing, as in cryptoviral extortion, is everything. For instance, a PR campaign worth a couple of million dollars that positions the singer as a vivid anti-drug and anti-alcohol activist could turn into a fiasco if pictures of her stoned and drunk to death leak at that very particular moment. Celebrity endorsement is always tricky, and in the very same way your brand can harness the popularity of a celebrity, your entire business model could become dependent on someone's ability to manage stress and thus avoid getting involved in synthetic sins.

Here's yet another related story, this time targeting Linkin Park:

"In a plea agreement, she said she was able to see the family's photographs and travel plans, as well as information about a home they had purchased. She also read messages sent between Linkin Park's record company and lawyer, including a copy of the band's recording contract."

Meanwhile, more targeted attacks make their invisible rounds across the world:

"On June 26, MessageLabs intercepted more than 500 individual email attacks targeted toward individuals in senior management positions within organizations around the world. The attack was so precisely addressed that the name and job title of the victim was included within the subject line of the email. An analysis of the positions targeted reveals that Chief Investment Officers accounted for 30 percent of the attacks, 11 percent were CEOs, CIOs accounted for almost seven percent and six percent were CFOs."

For quite some time spammers have been segmenting and, in a sense, data mining their databases of harvested emails, not only to get rid of fake emails and ones purposely distributed by security companies, but also to start offering lists on a per country, per city, even per company basis. In a Web 2.0 world, top management is actively networking in ways never imagined before, and although privacy through obscurity may seem a sound approach, someone out there will sooner or later get infected with malware and have their HDD harvested for emails, thus exposing what's thought to be a top executive's private email. I often come across such segmented propositions for specific emails of specific companies, and even more interesting, people are starting to request emails for certain companies only, so that they can directly target the company in question with a typical zero day malware packed and crypted to the bottom of its binary brain.

Despite all these emerging trends, we should never exclude the possibility of a guerilla marketing campaign based on the leak of a celebrity's personal, often nude, data, a technique in the arsenal of the truly desperate.