Reconnaissance (recon) is a technique used by hackers in which they focus directly on an organisation or an individual and gather intelligence that enables them to carry out a cyber attack.
During recon the hacker will always have a specific target, whether it be an organisation, personnel within the organisation or an individual. They will track and monitor specific behaviours to establish any vulnerabilities, potential routes of entry or weak points, and they will then attempt to exploit these in order to gain access.
The hacker will often then use a variety of social engineering methods to trick the user into sharing confidential information (typically email usernames and passwords), with phishing scams being one of the more common forms of attack. Phishing is most commonly the process of sending an email which appears to be from the corporation's IT support department, displaying the corporate logos and usually asking the victim either to approve the release of some fictitious spam email or to approve an increase in their mailbox capacity. The victim then clicks on a link which appears to point to the internal local network, and types in their username and password. In fact this website is controlled by the hacker, who now has a username and password that will enable them not only to read the victim's emails but also to send emails under the victim's identity.
Recently, there has been an increase in ‘whaling’ (phishing attacks aimed at high profile targets within an organisation). Like most phishing scams, the hacker will use a faked email or web page designed to look like legitimate content and will either send it to a high level executive within the company or make it appear to come from one. This kind of cyber attack is almost always financially motivated, but just recently we have noted at least one attack motivated by securing privileged information in a commercial high court dispute.
The hacker will often perform recon beforehand on their target, for example a CEO or top decision maker, and gather information that will help them carry out the attack.
Picture this scenario…
Say, for example, that the CEO of a large organisation posts on Twitter that he is at a conference or a meeting on a particular day. The hacker can use this information, freely available on the web, to contextualise their approach.
The hacker engineers an email to look like it has come from the CEO, possibly asking for a payment to be made via wire transfer to a new account during his absence. The hacker will make sure to reference that the CEO is not available to do this himself as he is not in the office, and will emphasise the urgency, perhaps the need to pay for a hotel or flights, or a payment that forms part of a fictitious deal completed during his trip. The email will mimic a typical email you would expect to receive from that individual, and the language used will be at an executive level.
Often the employee in charge of processing such a request (such as a bank payment) will be in the lower echelons of the company. These individuals are frequently reluctant to challenge a request from an authority figure (in this case the CEO), and they are often not specifically trained in, or aware of, the risks of these attacks.
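As an added illustration, not code from the original article, the following Python check scores an incoming email for the indicators the scenario above describes: an executive's display name on an external address, a Reply-To pointing elsewhere, and wording about urgency, absence and a payment to a new account. The organisation domain, the executive's name and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation details (assumptions, not from the article).
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}  # display names an attacker is likely to impersonate

URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|bank transfer|new account|payment)\b", re.I)
ABSENCE = re.compile(r"\b(out of (?:the )?office|at a conference|travelling|can'?t be reached)\b", re.I)

def score_message(raw: str) -> dict:
    """Return the whaling/BEC indicators found in a raw RFC 822 message, plus a verdict."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_to.rsplit("@", 1)[-1].lower() if reply_to else from_domain
    body = msg.get_payload() if not msg.is_multipart() else ""
    signals = {
        # The executive's name is shown, but the address is outside the company.
        "exec_name_external": display_name.lower() in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN,
        # Replies are silently redirected to a domain other than the sender's.
        "reply_to_mismatch": reply_domain != from_domain,
        "urgency": bool(URGENCY.search(body)),
        "payment_request": bool(PAYMENT.search(body)),
        "claims_unavailable": bool(ABSENCE.search(body)),
    }
    # Identity signals weigh more than wording: either one alone is enough to hold the message.
    score = (3 * signals["exec_name_external"] + 3 * signals["reply_to_mismatch"]
             + sum(signals[k] for k in ("urgency", "payment_request", "claims_unavailable")))
    signals["score"] = score
    signals["verdict"] = "hold for out-of-band verification" if score >= 3 else "deliver"
    return signals

# Constructed sample messages for demonstration only.
SPOOFED = """From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: Jane Doe <ceo.office@freemail.invalid>
Subject: Urgent payment

I'm at a conference today and can't be reached by phone. Please make an
urgent wire transfer to a new account for the hotel; details below.
"""
BENIGN = """From: Jane Doe <jane.doe@example.com>
Subject: Board pack

Thanks for sending the board pack, no action needed.
"""
```

Any message that scores "hold" should be confirmed with the apparent sender through a known phone number or in person, never by replying to the email.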
It is therefore imperative that employees are encouraged to challenge and report any suspicious email or contact they receive, as there are major risks in not doing so.