The Crucial Role of Executive Protection in Safeguarding Leaders
Brian Thompson, the American CEO of UnitedHealthcare, was fatally shot in New York City while walking to an investors' meeting. The assailant ambushed him outside a hotel, firing multiple shots and hitting Thompson in the back and leg in what law enforcement are describing as a premeditated targeted attack.
The incident sent shockwaves through the global business community and underscores the growing dangers faced by high-profile executives.
With increasing societal tensions and heightened visibility through media, CEOs and other leaders are becoming prime targets for threats ranging from physical harm to cyberattacks. This alarming reality highlights the essential need for professional executive protection services.
As a leader in this field, Signal provides tailored solutions to safeguard individuals and their families in an unpredictable world.
Rising Risks for Corporate Leaders
Wealth, decision-making power, and public recognition make executives attractive targets for people holding personal grievances or extremist beliefs who seek financial gain, revenge, or notoriety. Threats can manifest in multiple forms, including:
Physical Attacks: Executives often travel to unfamiliar locations, attend high-profile events, and interact with diverse individuals—all increasing their exposure to danger.
Cyber Threats: Digital profiles and personal data can be exploited for blackmail or identity theft.
Online Threats: Online death threats to VIPs can precede offline physical attacks.
Harassment: Cyberstalking, fixated individuals, and gender-based harassment can often be found online with aggressive language, extremely negative sentiment, dehumanizing rhetoric, and hate speech.
Reputation Risks: Public figures are under constant scrutiny, where even minor missteps can lead to severe reputational damage.
The killing of the UnitedHealthcare CEO serves as a sobering reminder that even those at the pinnacle of corporate power are not immune to these risks.
Another crucial aspect of reducing risk for executives is monitoring the broader societal response following an incident. In the aftermath of recent events, "wanted" posters targeting healthcare executives have appeared across New York City, accompanied by a surge of online commentary endorsing the violence. While these reactions may not constitute direct threats, they reflect a hostile climate that could escalate without warning.
What Is Executive Protection?
Executive protection encompasses a comprehensive suite of security measures designed to mitigate risks and ensure the safety of leaders and their families.
Core elements include:
Risk Assessment: Identifying potential vulnerabilities through robust evaluations.
Personal Security: Close protection officers trained to manage real-time threats.
Travel Security: Planning and monitoring travel itineraries to ensure safe passage.
Cybersecurity: Safeguarding personal and professional digital profiles.
Emergency Response: Rapid interventions to neutralize immediate dangers.
Why Signal is a Trusted Leader in Executive Protection
Signal is designed to equip security professionals with real-time data and actionable insights. These tools enhance the capabilities of dedicated security teams by enabling proactive threat detection and response, ensuring executives and organizations remain protected in an increasingly complex risk environment.
Real-Time Intelligence
Signal’s cutting-edge tools monitor and analyze publicly available information, delivering actionable insights to preempt potential risks. This proactive approach ensures executives stay one step ahead of threats.
Customized Insight
Because no two executives face identical risks, Executive Protection teams using Signal can offer personalized protection plans customized to an executive’s requirements.
The Broader Implications of Executive Protection
Investing in executive protection has benefits that go beyond personal safety. It:
Preserves Business Continuity: Ensures leaders can focus on their responsibilities without fear.
Upholds Reputation: Prevents incidents that could harm the public image of both the executive and the organization.
Provides Peace of Mind: A secure environment fosters confidence and productivity.
Lessons from the UnitedHealthcare CEO’s Tragedy
The loss of a prominent leader reverberates throughout industries, highlighting the need for proactive safety measures. As corporate responsibilities grow more complex, so do the risks. Businesses must recognize that the safety of their leaders is not a luxury but a necessity.
Signal
Signal is an advanced intelligence platform designed to proactively identify risks to high-profile individuals and organizations and provide insight to help mitigate them. By leveraging real-time data from social media, news outlets, the dark and deep web and other open-source intelligence channels, Signal delivers actionable insights to enhance executive protection.
This system enables teams to anticipate threats, monitor potential vulnerabilities, and respond swiftly to incidents.
By incorporating Signal into their security protocols, organizations can ensure comprehensive situational awareness and improved safety for executives. Learn more about Signal and the Global Feed here.
Take Action Today
In an uncertain world, executive protection is no longer optional. Signal’s expertise ensures that corporate leaders and their families can live and work securely. The tragic event involving the UnitedHealthcare CEO serves as a stark reminder of what’s at stake. Don’t wait for a crisis to act—reach out to Signal today to build a robust security framework.
Learn more about Signal’s services at Signal Executive Protection.
Executive threats spike following pandemic - what can be done?
For as long as there have been executives there have been executive threats. It’s the unfortunate lay of the land that the bigger the name or the more airtime an executive has, the more likely that they’ll be the recipient of various threats.
Over the years, the number of threats against executives in online environments has grown, ranging from death threats and hate speech right through to doxings and attacks against executives’ private residences. In more extreme cases, attacks extend from executives alone to include their family or loved ones.
With such threats increasingly common, it’s imperative for organisations to protect their people in real-time, catching risks before any damage is done, and gaining better peace of mind overall.
Threats grow following pandemic and topical issues
As branding has evolved, the role of executives has also transformed. Leaders today have become the face of a business, and are more likely to speak out not only about the business they represent but topical issues such as the pandemic or climate change. Even not speaking out can be seen as a failing on the part of the organisation. Overall, with a bigger spotlight comes more attention - good and bad.
Recent studies have highlighted the rise in executive threats, finding that employees in U.S. companies stated their CEO received physical threats after taking (58%) or not taking (40%) a position on a racial or political issue. Overall, 35% said there was growing concern about extremists, with a lot of this activity tied to larger issues. In addition, the pandemic witnessed a massive increase in executive threats, with physical attacks more prevalent.
Keeping executives safe in the face of extremists
If security teams are to adequately face these threats head on, they must gain a more thorough picture of what people are saying, plotting, or bragging about in order to ensure risks can be intercepted and executives, as well as their loved ones, can stay safe. It’s important to know what’s going on in public forums for discussion, such as Twitter, as well as more nefarious corners of the internet, such as the dark web.
Recognising the need for increased security measures, open source intelligence gathering forms a critical aspect of increased situational awareness and risk mitigation for advanced executive protection.
Signal provides open source intelligence that enables security teams to effectively monitor and analyse open source data available and use targeted searches to gain more in-depth situational awareness. Leveraging this intelligence enables security teams to objectively evaluate current security challenges, and launch risk-mitigation measures.
All we know for sure is in today’s day and age we need to remain as vigilant as possible, catching threats before they turn into something more sinister. While every organisation needs a master plan, they also need tools and effective security intelligence that will make that plan a functional, daily practice.
Contact us to learn more or schedule a demo.
Save your reputation before it’s too late - why it’s important to protect your name
One misstep in today’s competitive business world can be enough to lose customers and employees. Today, reputation is everything. Coinciding with this is a rapid increase in online events that have the sole intention of damaging an organisation’s reputation.
In such a reality, being able to access and gain insights from actionable, real-time data will put you one step ahead of the game and help mitigate any destructive forces against your reputation.
Why reputation matters
In 2020, Weber Shandwick, a leading global communications and marketing solutions firm, found that on average global executives attribute 63% of their company’s market value to their overall reputation.
On top of this, we now live in a world where the vast majority of consumers will research a brand before they commit to buying a product or service. A company’s digital presence, and the reputation of its brand and staff, factors into this decision-making process, determining whether the company in question is an optimum choice or not.
In fact, analysts at IDC have stated that one of the current key pillars of brand and reputation resilience is customer trust and loyalty. Customers, partners and suppliers use enterprise response to crises to measure the quality and integrity of an organisation and its leadership, the analysts state.
Events that can have an adverse impact on a company’s reputation include conversations or false information about executive behaviour, environmental footprint or damage, political donations, societal issues, allegations of unethical practices, or employee safety.
Catching the problem before it snowballs
While preventative measures are always a good idea, as it stands it's impossible to catch everything before it's released into the world. Recent years have seen the rise of malicious attacks on everything from CEOs to SEO results, all with the intention of making a company look bad or perform poorly.
Using open source intelligence gathering tools like Signal offers multi-faceted help against such issues. When it comes to reputation, Signal can alert users to any mention of specific terms or names. This includes attacks against a company, any C-suite personnel, or discussions online about a current or potential attack on operations.
We highlighted this in action in our blog Black Hat Brags About Bank Hack - Signal Could Have Spotted It. In this example, Capital One, one of the biggest banks in the United States, discovered it had been hacked after a ‘white hat’ noticed the cyber criminals bragging about the breach - four months after the initial incident. The configuration vulnerability that the hacker had exploited was located and rectified, but not before approximately 100 million people in the US and 6 million in Canada were impacted.
Signal could have caught the issue immediately. Our machine learning driven relevancy engine can draw an analyst’s attention towards critical incidents amidst thousands of irrelevant posts. We scan the web and dark web for chat about data hacks, breaches and stolen information. Monitoring multiple data sources, we can provide real-time results and feed this back to your organisation so you can take practical steps to deal with an incident that could cause reputational damage immediately, before your brand is impacted. Proactive alerts can be activated via email, SMS, our mobile app or through one of the many integrations available.
Ultimately, reputation can spell the difference between your company’s success or a massive stumbling block. Uncovering what people are saying about you can highlight the potential negative impact of malicious keyboard warriors and give you the chance to respond, and it can uncover more sinister threats against your business. Regardless of the specifics, the power of visibility can’t be overstated, and that’s exactly what we’re proud to offer.
Contact Signal to learn more or schedule a demo.
Detect Signs of Stalking in Real Time to Keep Employees Safe
We take a look at how to prevent online stalking, or cyberstalking, as it’s on the rise. Read more about Signal’s stalker threat preventative system.
Online stalking, or cyberstalking, is on the rise. Covid-19 has only exacerbated the problem, with lockdowns increasing the vulnerability of victims as people continue to spend exponentially more time online. In fact, Paladin (the UK’s national stalking advocacy service) reported having a 50% to 70% increase in requests for support around stalking cases during the pandemic.
In one UK study, 358 homicide cases were analysed. The results indicated that in 94% of these homicides, the victim was stalked before the homicide took place. This statistic indicates how important it is to recognise stalker-like behavior before potential violence occurs. Organizations that exercise the highest standards of Duty of Care and want to keep their employees safe understand the importance of detecting signs of stalking before the problem snowballs.
Cyberstalking is on the rise
Stalking on social media:
Facebook
Instagram
Twitter
Snapchat
TikTok
Stalking via private messaging platforms:
WeChat
Telegram
WhatsApp
Facebook Messenger
Other stalking techniques:
Virtually visiting victims on street maps
Looking at victim geotags
Hijacking webcams
Catfishing
How Signal Helps
Using Signal, analysts discovered X, a stalker using social media, harassing a client’s employee. In a 4-week span this user sent approximately 1500 social media posts mentioning said employee. The content of X’s posts includes photographs of the employee’s children, mentions 9 hand-written letters posted to the client, marriage proposals, and also sentiment seesawing between love-speech and hate-speech. X also contacted other employees, especially when the desired effect on the first employee wasn’t achieved.
Using the data found, analysts took X’s content and ran it through various analysis steps to prepare a data set to be included in a dossier. The most popular words and phrases were pulled from the posts, then further analysed by Signal.
The prepared dossier was shared with the client so that they could instigate their employee support process for dealing with online harassment.
Benefits of Signal’s Stalker Threat Preventative System
Signal helps prevent the potential psychological trauma of employees, physical harm, and at worst violence or loss of life.
Stalking causes business disruptions as well. Companies whose employees fall victim to stalking will lose productivity each year. Impacts include reduced or lost output, increases in staff turnover, increases in absenteeism, investment required for support programs and increased management overhead. Collectively, victims of stalking will lose approximately $110 billion over a lifespan.
Signal can detect harassment in real time. Client analysts or analysts from Signal can watch for stalker-like behavior and notify you as soon as it is detected. This information in turn is used to trigger employee support programs and increased monitoring to ensure escalation doesn't occur.
We can save your employees and business potential time, harm and money. Contact us to learn more or schedule a demo.
7 Growing Cybersecurity Threats Professionals are Increasingly Worried About
We take a look at 7 of the growing concerns that cybersecurity and infosec professionals have as the trend towards digitization continues at an increasingly explosive pace.
The new software and systems that are employed across an organization create new attack vectors for threat actors and new data security concerns. Not only that, but as these new digital systems are put into use to replace once-manual tasks, additional complications arise from potential user errors. For example, an employee might make private data public without even realising.
In this article, we take a look at 7 of the growing concerns that cyber and infosec professionals hold as this trend towards digitization continues at an increasingly explosive pace.
1. Unintentional Data Exposure
“To err is human,” as Alexander Pope famously wrote. We all make mistakes, and to combat this we have progressively leveraged more technology across industries to automate processes and reduce the potential for human error. However, technology can’t prevent our every mistake, and paradoxically, this use of technology increases the amount of data we as people and organizations produce and store in our systems. Hackers are aware of this and continue to find creative ways to exploit human weakness with strategies such as complex phishing campaigns.
On top of this, the adoption and rapid development of hardware (phones, for example) mean many people conduct work from their personal mobile device. And the move towards work from home driven by the COVID-19 pandemic has furthered this merger of work and personal devices as well as increased the amount of work done from unsecured networks.
2. Adoption of AI into Malware for Scale and Evasion
Denial of service attacks can take a variety of forms, from malware to DDoS attacks, and have huge financial implications for an organization. In 2018, for example, shipping giant Maersk had their IT systems taken out by vicious malware called NotPetya, costing them an estimated $300 million.
These ransomware attacks might be driven by political motives, thoughts of financial gain, or something else entirely. Over the last few years, these tactics have evolved, adopting new technologies and strategies that allow threat actors to increase the scale of the attacks as well as to more effectively neutralize increasingly complex security protocols.
One increasing concern is the adoption of AI into these attacks. AI can be used in a variety of ways, such as increasing the effectiveness of phishing campaigns. One example was developed by IBM Research, DeepLocker. DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners and then uses facial recognition to identify the specific target and launch its payload.
How AI is used could completely change the way information security and cybersecurity professionals, in general, need to adapt and respond to threats.
3. Financial Fraud
Financial fraud off the back of data breaches is nothing new. However, it continues to be a problem today and into the foreseeable future. Data breaches from large organizations, whether they are related to your organization or not, could easily lead to new attack vectors on your company.
There is a huge amount of Personally Identifiable Information (PII) for sale on the dark web. This data can be used in a number of ways, from credential stuffing strategies to identifying high-value targets and refining strategies for spear-phishing campaigns.
4. 3rd Party Integrations
Often organizations spend a huge amount of time and money ensuring their internal cybersecurity practices are excellent. It only takes one breach to realize the efficacy of this investment. Successful ransomware against an organization, for example, could cost tens of millions, not even considering the reputational damages that might accompany the financial ones.
However, as was seen with the 2020 SolarWinds breach, it doesn’t matter how well educated your staff are, how up to date your firewalls are, or how alert your security teams are if your third party integrations have weaknesses.
5. Increasing Amounts of Sensitive Data Collected Through IoT Devices
Internet of Things (IoT) devices are beginning to infiltrate every level of our lives, from mobile robots to inventory tracking to personal assistants, connected speakers and smart TVs. These devices seek to automate and simplify our lives.
However, what many people don’t realize is that these machines are often insecure by design and offer attackers new opportunities. Additionally, the terms and conditions around data sharing and usage from many of these devices lack transparency, and by utilizing this technology an organization makes it increasingly difficult to know and control what data is going out.
Finally, it’s often the case that, while a vendor may recommend applying new firmware updates, they are not applied unless the device starts misbehaving and someone applies the update to troubleshoot the issue. This could lead to serious security compromises.
6. Rise of Fake Online Personas
This threat can have a direct and dramatic impact on an organization’s reputation and the physical security of employees. By creating and leveraging fake or phantom social profiles, threat actors can create trending news and information, promote poor products, or push lies and deceptions to further an agenda.
The application for these kinds of campaigns is vast, affecting everything from national elections to company sales and share prices, and there is currently no system in place to identify false profiles efficiently and counter the purposeful spread of misinformation in this way.
7. Shortfall of Professionals
The final security risk on the list is the continued shortage of skilled security workers. As cybersecurity threats evolve, and areas such as information security become more important for organizational security, increasing numbers of skilled and trained professionals will be needed.
Final Words
Many people are now desensitized to the fact their data is shared online either through breaches or loose company policies. Because they cannot regain their privacy, they often become careless about protecting it further. Add to this the constant evolution of cybersecurity threats, and the challenge for cybersecurity professionals looks like a tough one.
To ensure organizational security, companies need a combined response that includes continuous education of employees, restricted access, and multi-factor authentication. This needs to be paired with a skilled security team who are armed with the necessary knowledge and tools such as OSINT software.
Security professionals need to be able to gather real-time data on emerging threats and proactively implement an effective response.
5 Lessons Organizations Can Learn from the Worst Data Breaches of 2020
While data breaches are invariably costly for organizations, the fallout from a data breach isn’t always the same. There are numerous motivations for threat actors and an even greater number of strategies that they employ to achieve their varied goals. As such, it falls to security professionals to continuously learn from ongoing cyberattacks the best ways to predict and prevent cyber breaches in a constantly evolving threat landscape.
In this article, we take a look at 5 of the lessons that can be learnt from some of the biggest cyberattacks of 2020.
1. 3rd party integrations create new attack surfaces
The recent breach of SolarWinds allowed foreign agents to access and spread malware to numerous government agencies and high-value US targets. These threat actors knew they could likely never penetrate these targets directly, and instead discovered they all used the same software for network management - SolarWinds.
The attack spread malware that lay unnoticed in the system for months as the attackers are believed to have observed and gathered data on their targets.
The key takeaway from this hack is that no matter how excellent and strict your own system’s security is, if the 3rd party systems you use have a weakness, then so do you. This is especially important as systems become increasingly interconnected, with a myriad of moving parts provided by dozens of different vendors.
While you can’t and shouldn’t simply wall off your systems with a trust-no-one approach, organizations also mustn’t take third-party solution providers’ security for granted. Conduct rigorous, ongoing security audits of your systems to be sure there’s not a nasty surprise hiding around the corner.
2. You need clarity across your organization’s security
As an organization grows in size and complexity, often, as we mentioned above, integrating and employing 3rd party vendors, the number of attack surfaces grows too. Organizations need systems in place to maintain clarity over the entirety of their IT security.
In July, Garmin was locked out of its own systems by ransomware and ended up having to pay millions in ransom for the decryption key.
Garmin faced an impossible situation. While law enforcement officials and cybersecurity experts repeatedly warn companies not to pay ransomware attackers as it encourages further ransomware attacks, companies like Garmin are often left with no other choice.
As such, companies need to employ systems, security protocols, and training to prevent ransomware.
For businesses like this, it’s vital to have systems in place to maintain a vigilant security posture toward every possible vector for attack.
3. Humans are the weakest link
Social engineering tactics can range from rather obvious emails from Nigerian princes to complex multi-step and highly targeted spear-phishing campaigns. In late 2020 the latter is what happened to Twitter, with numerous employees targeted with a strikingly elaborate spear-phishing campaign. The strategy involved multiple steps including tricking an employee’s phone carrier, pretending to be a member of the I.T. team, and creating fake login pages.
Once they had an employee’s admin account login, they hijacked multiple high profile Twitter accounts and launched a Bitcoin scam that saw them making off with over $100,000 in less than an hour before it was stopped. Though this attack certainly could have been worse, it shows how one of a company’s biggest vulnerabilities is compromised employee credentials.
There are a couple of things that can be done to protect against employee weakness in your security defences. These include restricting employee access to sensitive data, ensuring you offboard and remove system access for old employees, implementing strong authentication protocols such as multi-factor authentication, and running regular security training sessions for staff.
4. Only store data vital to providing your service
In July of 2020, GEDMatch, a DNA genealogy site, was hacked. The hackers changed users’ privacy settings, opting everyone in to share their data with law enforcement. The hack exposed the data of around 1.4 million people.
Thankfully, GEDMatch later announced that no raw DNA files had been compromised as no raw data is stored on the site. Instead, the data is encoded when it’s uploaded and the raw file deleted immediately. The key lesson here is that GEDMatch followed good practice by not storing any sensitive raw data, eliminating a potentially serious attack vector, so the failure of one control did not let the attackers progress beyond their initial intrusion.
If you can avoid storing highly sensitive data — such as passwords, payment information, or biometric data — on your own servers, do so. Deleting raw DNA data helped minimize the damage to GEDMatch in this breach.
5. People aren’t going to stop reusing passwords
The majority of people on the internet don’t know the best online security practices, and many reuse the same tired old password across numerous websites. This has led to a rise in popularity of one of the most common attack strategies employed by threat actors, credential stuffing. This is when they buy large datasets of login details, e.g. passwords and user names, and apply them to other sites. While the strike rate is generally quite low, this strategy of credential stuffing does work. This is what happened to several insurance companies in 2020 including Independence Blue Cross.
Independence Blue Cross reported that their member portals had been improperly accessed by hackers reusing credentials stolen from MyFitnessPal in an attack from 2018.
People aren’t going to stop reusing passwords anytime soon, but businesses can still guard against credential stuffing. One crucial step is to implement strong authentication protocols such as multi-factor authentication or adaptive authentication, which asks users for more credentials if their behavior is suspicious. In this case, it could have noticed that members were logging in with new I.P. addresses or at an unusual time of day, and asked them to confirm their identity.
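An added example, not from the original article or from any vendor's product: a minimal Python sketch of the adaptive authentication described above, which asks for a second factor when a correct password arrives from a new IP address, at an unusual hour, or from a source that is trying many accounts and mostly failing. The class and function names, thresholds and sample logins are constructed assumptions.

```python
"""Adaptive (step-up) authentication sketch against credential stuffing.

Constructed example: names, thresholds and sample data are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Login:
    ts: datetime      # time of the attempt (UTC)
    user: str
    ip: str
    success: bool     # True if the submitted password was correct


def stuffing_sources(events, min_users=5, max_success_rate=0.2):
    """Return source IPs that tried many distinct accounts and mostly failed."""
    users, total, ok = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        users[e.ip].add(e.user)
        total[e.ip] += 1
        ok[e.ip] += int(e.success)
    return {
        ip for ip in total
        if len(users[ip]) >= min_users and ok[ip] / total[ip] <= max_success_rate
    }


def hour_gap(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


class AdaptiveAuth:
    """Per-user baseline of known IPs and usual login hours."""

    def __init__(self, hour_tolerance=2, min_history=3):
        self.hour_tolerance = hour_tolerance
        self.min_history = min_history
        self.known_ips = defaultdict(set)
        self.hours = defaultdict(list)

    def record(self, login):
        """Add a fully verified login to the user's baseline."""
        self.known_ips[login.user].add(login.ip)
        self.hours[login.user].append(login.ts.hour)

    def decide(self, login, flagged_ips=frozenset()):
        """Return ("allow" | "step_up", reasons) for a correct-password login."""
        reasons = []
        if login.ip in flagged_ips:
            reasons.append("ip_flagged_for_stuffing")
        if login.ip not in self.known_ips[login.user]:
            reasons.append("new_ip")
        seen = self.hours[login.user]
        # Only judge the hour once there is enough history to call it a habit.
        if len(seen) >= self.min_history and all(
            hour_gap(login.ts.hour, h) > self.hour_tolerance for h in seen
        ):
            reasons.append("unusual_hour")
        return ("step_up" if reasons else "allow"), reasons


def demo():
    """Run the checks over constructed sample logins (documentation IP ranges)."""
    auth = AdaptiveAuth()
    for day, hour in ((1, 8), (2, 9), (3, 9)):   # alice's normal mornings
        auth.record(Login(datetime(2020, 6, day, hour), "alice", "203.0.113.10", True))
    # Constructed burst: one source tries six accounts; only alice's reused
    # password is correct.
    names = ["bob", "carol", "dave", "erin", "frank", "alice"]
    burst = [Login(datetime(2020, 6, 4, 3, 0, i), u, "198.51.100.77", u == "alice")
             for i, u in enumerate(names)]
    flagged = stuffing_sources(burst)
    reused = auth.decide(burst[-1], flagged)
    usual = auth.decide(
        Login(datetime(2020, 6, 4, 10), "alice", "203.0.113.10", True), flagged)
    return flagged, reused, usual


if __name__ == "__main__":
    print(demo())
```

The reused password is correct in the constructed burst, so the password check alone would have let it through; the step-up decision is what stops it.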
Final Words
Organizations are increasingly connected online, using a myriad of integrations and tools to create better, more user-friendly solutions. Additionally, as we all become more technologically literate and engage more and more online, there is an increasing amount of user data stored on organizational systems.
This means that the number of attack surfaces that organizations have to be aware of is continuously growing, and so too are the opportunities for attackers to achieve their goals, whether it’s foreign espionage, ideological fanaticism, or personal financial gain.
Ultimately, we’re all in this together: a data breach or successful attack on one company could easily have ramifications for your own organization. As such, employing the right tools, such as an OSINT tool like Signal, to monitor, detect and better protect against potential threats in this growing threat landscape has never been more important.
The Threat of Doxing to Organizational Security
What is Doxing?
The term itself originates from the phrase “dropping docs” and was later shortened to “docs” and then “dox”. As the original term suggests, doxing is when someone collects and then shares information about another person or organization.
There are numerous reasons someone might dox someone else or be the victim of doxing. It could be for revenge or a personal grudge; a disgruntled ex-employee might target their previous employer, for example. In 2014, Sony was the victim of a doxing attack backed by, experts believe, the North Korean government after they released a film which made fun of their leader. Other motivations include harassment and cyber-bullying, vigilante justice (for example, exposing neo-Nazis), and doxing for financial gain.
Organizational doxing is on the rise and can be immensely damaging, exposing company secrets and customer data, or more directly exposing executives to new levels of threats.
Doxing Strategies and Goals
Traditionally, doxing started with an online argument escalating to one person digging out information on their adversary and sharing it online. More recently, though, doxing has become more of a cultural tool, with hackers taking down people or groups with opposing ideologies. When it comes to organizations, threat actors have been known both to target an organization’s reputation and to use information gained through a doxing attack to leverage financial reward.
For example, in one scenario an employee at a bank was blackmailed after a doxing attack into using his position in the bank to steal over $100,000 from customers for his blackmailers.
The fallout is generally reputational, with the victim suffering from online abuse, such as death threats to them and their family, in light of the new information shared. However, on occasion, the fallout can be significantly worse. There have been examples of mobs dishing out physical vigilante justice after a person's information, such as an address, was shared online.
There are numerous ways you can be identified online. By following ‘breadcrumbs’ of information, a dedicated doxxer can assemble an accurate picture of a person, even if they were using an alias. The kind of details they might look for include full name, current address, email address, phone number, etc. Additionally, some doxxers might buy information from data brokers.
IP/ISP Dox
There are various methods that can be used to locate your IP address, which is linked to your location. With just your IP address, a doxxer could then use social engineering tactics against your Internet Service Provider (ISP) to discover the information they have on file, such as:
Your full name
Email address
Phone number
ISP account number
Date of birth
Exact physical address
Social security number
This requires the doxxer to go through a dedicated process, which may not even work. However, it’s just one strategy they can employ, and even if they are unable to gather further information through a gullible ISP worker, they still have the first parts of the puzzle: your IP address and a rough location.
Doxing with Social Media
If your social media accounts are public then anyone can view them. Things a threat actor can often find out include your location, place of work, your friends, your photos, some of your likes and dislikes, places you’ve been, names of family members, names of pets, names of schools you attended, and more.
With this kind of information, they can then find out even more about you, or even discover the answers to your security questions, helping them break into other accounts such as your online banking.
As such, it’s recommended to keep your social media profiles private and, if you use multiple online forums, to use a different name and password for each. This helps prevent doxxers from compiling information from across multiple online forums and social media sites.
Data Gathered through Brokers
Data brokers on the internet collect information from publicly available sources and then sell the data for profit. Generally speaking, they sell this data to advertisers - if you’ve ever found yourself randomly receiving emails from companies you’ve never heard of before, this is why. However, for a doxxer it could be an easy way to start building a detailed profile of their target.
How Might Doxing be Used Against Your Organization?
For organizations to be successful with their media strategies they necessarily need to share relevant information and regularly engage with their customers through social media channels. This provides a substantial opportunity for doxxers.
By combining publicly-available data with basic attack techniques, such as phishing campaigns or credential stuffing, malicious actors can uncover large quantities of supposedly secure data. For consumers, exposed information could lead to identity theft or public shame. Meanwhile, companies face the prospect of large-scale reputation damage or lost revenue if proprietary project briefs or intellectual properties are leaked to the public.
Additionally, doxing can be used as an incentive to expedite the resolution of ransomware attacks. This is where the cyber attacker threatens to release documents or information to the public should their target not pay the ransomware fee promptly. This adds to already serious financial implications.
How Can you Prevent Doxing?
Unfortunately, it's nearly impossible to completely remove personally-identifying information from the internet, especially information that is part of public records. Still, there are some tips to reduce your attack surface.
Keep your profiles private
People and organizations do have a lot of say as to what gets published on the internet. Make sure to practice general data privacy best practices.
Avoid posting identifying information
Keep all social media settings at the most private level, and don't accept friend requests from people you don't know
Change the settings on Office and your phone's photo app so personal info isn't embedded in those files
Use a "burner" email address for signing up for accounts when possible.
Set the ‘whois’ records on any domains you own to private
Ask Google to remove personally available information about you, and request the same from data broker sites
Implement Safe Browsing Measures
These steps are good internet hygiene in any case, but can also prevent a breach that can lead to your info being exposed to a potential doxxer:
Use a VPN, especially when using insecure public Wi-Fi networks
Switch to a secure email system with built-in encryption
Vary your usernames and passwords
Self-Doxing
Humans remain the weakest link in the security chain. In most cases, malice isn’t the problem or the intent when someone lets a threat actor in. Instead, employees overshare personal data on corporate platforms by accident or use insecure third-party applications. In both cases, however, following the breach and identifying the potential compromises is difficult when IT teams start from the side of defenders.
By flipping the script and looking at your organization from the view of a potential doxxer, it becomes easier for IT and security teams to spot key areas of weakness. They can then develop strategies and staff training programs to protect against them.
Final Words
Doxing represents a growing threat to organizations and individuals. However, by self-doxing with security intelligence gathering strategies, security teams can create accurate attack surface maps. With this intelligence, they can then enhance threat modelling and deliver actionable insights to staff to reduce overall risks.
Using OSINT software like Signal, you can learn about potential threats as or before they occur, learn about potential exploits targeting your organization, and self-dox to help identify weaknesses and shore up defences.
12 of the Biggest Ransomware Attacks of 2020
Ransomware can cost an organization millions and often the victim has no alternative but to pay. In this article, we look at 12 of the biggest ransomware attacks that occurred in 2020.
Ransomware is a form of malware which is installed on a victim’s device or devices with the main objective of seizing and/or locking away sensitive data. As the name suggests, in order for a victim to regain access to their data and systems they need to pay a ransom. More often than not, the two options a victim is presented with when they succumb to a ransomware attack are to either rebuild their systems from scratch and potentially have the attacker leak the data online - or pay up.
As such, it’s unsurprising that, in our increasingly digital age with more and more data on the cloud, the number of ransomware attacks and their success rate are on the rise. Approximately 58% of ransomware victims paid in 2020, compared to 39% in 2017.
Ransoms for these kinds of attacks range from a few hundred dollars to thousands or even millions of dollars, payable in cryptocurrency such as Bitcoin. In return for the payout, the attackers will release a decryption key allowing the organization to return to business. Certain industries, such as government organizations and hospitals, are more susceptible to ransomware attacks because the work that they do is often time-sensitive. For example, a ransomware attack crippled a hospital in Germany, leading directly to one patient’s death.
There are numerous strategies that ransomware attackers employ to gain access to a victim’s database. One of the most common, though, is social engineering, such as phishing emails. Cybercriminals can make these emails look exactly like trustworthy emails from official sources, tricking victims into downloading compromised software onto their device.
Because of the nature of social engineering tactics and the evolving cyber threat landscape, no organization can ever be fully secure from malware threats. Below we outline 12 of the biggest ransomware attacks that occurred in 2020.
12 Ransomware Attacks that Happened in 2020
1. ISS World
Estimated cost: $74 million
In February of 2020 ISS World, a Denmark-based company, went down due to a ransomware attack. Thousands of employees were left without access to their systems and emails. This cost them an estimated $74 million, which includes regaining control of the affected IT systems and re-launching critical business systems.
2. Cognizant
Estimated cost: $50 million
A ransomware attack on the organization Cognizant in April of 2020 is said to have cost the company over $50 million, potentially as much as $70 million, including legal and consultation costs and data recovery costs, along with the financial loss reflected in their second-quarter earnings in 2020.
3. Sopra Steria
Estimated cost: $50 million
The company Sopra Steria revealed that they were hit by hackers using a new version of the Ryuk ransomware in October.
They estimate that the fallout, including dealing with the various systems that went out of action, is likely to have a gross negative impact on operating margin of between €40 million and €50 million.
4. Redcar and Cleveland Council
Estimated cost: $14 million
Redcar and Cleveland Council in the UK suffered an attack on their systems in February of 2020, costing the council an estimated $14 million. The ransomware attack is said to have disrupted the council’s network, tablets, computers, and mobile devices for 3 full weeks. The council announced in March that it could take months for a full recovery and estimated the overall costs to be between $14 - $21 million.
5. Software AG
Estimated cost: $20 million
Software AG is the second-largest software vendor in Germany. They were reportedly hit with the Clop ransomware in an attack in October of 2020. The company disclosed that the ransomware attack disrupted a part of its internal network but didn’t affect customer services. The cybercriminal group responsible demanded a $23 million ransom.
7. Travelex
Estimated cost: $2.3 million
It was reported that Travelex, the money exchange firm, was hit with a file-encrypting malware attack which shut down its internal networks, website and apps for several weeks. Reportedly, Travelex paid a ransom of $2.3 million in BTC to the attackers to regain access to their data and restore services.
8. University of California San Francisco (UCSF)
Estimated cost: $1.14 million
In June of 2020, UCSF was targeted by a malware attack which encrypted servers used by the school of medicine, impacting students. The ransomware was prevented from travelling to the core UCSF network and causing more damage. The authorities negotiated with the cybercriminals and UCSF ended up paying approximately $1.14 million in ransom of the $3 million demanded.
9. Shirbit Insurance
Estimated cost: $1 million
After a cyberattack on the Israeli insurance provider Shirbit in December of 2020, the attackers demanded roughly $1 million in Bitcoin. In order to pressure the company into paying, they demanded immediate payment or an increase in the ransom cost, doubling after 24 hours. Additionally, to show these weren’t empty threats, they dumped the first 300 records online, again threatening to dump additional records every 24 hours until they received payment.
10. Communications and Power Industries
Estimated cost: $500,000
California-based Communications & Power Industries (CPI) makes components for military devices and equipment, like radar, missile seekers and electronic warfare technology. The company counts the U.S. Department of Defense and its advanced research unit DARPA as customers. Reportedly, CPI paid $500,000 to obtain the decryption key to unlock their servers and return services.
11. Grubman Shire Meiselas & Sacks
Estimated cost: $365,000
Grubman Shire Meiselas & Sacks is a law firm that specializes in law for those in the media and entertainment industry. Their clients consist of a range of A-list celebrities and, with such high-profile individuals on the line, the stakes for them were extremely high. They were targeted and their files encrypted by REvil ransomware. The firm agreed to pay an estimated $365,000; however, the attackers started demanding more afterwards and the company has since kept quiet on what it has paid or is willing to pay.
12. Tillamook County
Estimated cost: $300,000
Tillamook County in the US was attacked by cyber attackers in January. The attack interrupted their email network, phone systems and website. After exhausting alternative options, they estimated that restoring service would cost well over $1 million and take several years, and opted instead to pay the $300,000 ransom.
Keeping your data and organization secure
Never click on suspicious links or any links attached in unsolicited emails.
Back up systems and data continuously. Create a separate data backup on an external hard drive that is not connected to your computer, so that you don’t have to pay the ransom if a ransomware attack happens.
Never disclose personal information over the phone or over email.
Educate employees on cybersecurity best practices and social engineering tactics that may be used against them.
Limit employee access to sensitive data to reduce attack surfaces.
OSINT Tools and Mitigating Costly Ransomware Attacks
Early warning of data breaches through OSINT tools can help you predict and prevent cyber attacks as well as enable organizations to take mitigating actions faster. While open-source intelligence tools can’t prevent ransomware, they can help organizations reduce the risks and potential damages.
OSINT tools can be used by organizations to monitor their supply chains, allowing them to learn of potential disruptions in real-time and enabling them to implement contingency plans fast.
Additionally, organizations can use tools like Signal to monitor for ransomware and malware currently being used. This can help security teams determine emerging threats being used against other organizations in their industry to better inform ongoing cybersecurity best practices.
Ultimately, by using OSINT to monitor darknet forums and marketplaces, security professionals are able to learn about the newest strategies being employed, the most recent weaknesses being exploited, and the most current software being utilized. Armed with this knowledge they are much more able to develop effective countermeasures as well as actively prevent ransomware infection.
Stopping Organized Retail Crime with Improved Situational Awareness
Organized retail crime is the substantial theft or defrauding of a retailer by an organized group of people as part of a larger criminal operation.
What is Organized Retail Crime (ORC)?
Organized crime continues to be a growing concern for the retail industry. 97% of those surveyed said they've been victimized by ORC in the past 12 months. When we talk about ORC, we aren’t talking about a few teenagers slipping sunglasses into their bags. We are talking about the substantial theft or defrauding of a retailer by an organized group of people as part of a larger criminal operation.
The primary objective of these criminals is to turn a profit. This means their theft is rarely, if ever, for their own personal use. Instead, they employ strategies such as obtaining illegitimate refunds for stolen goods, thefts of credit card information from vendors, or reselling those aforementioned stolen goods.
Typically, for these organizations to operate profitably they need to steal in substantial quantities. In fact, it is estimated that retailers had an average loss of $703,320 per $1 billion in sales directly due to ORC in 2019. The scale of organized retail crime operations can be devastating for retailers, and these operations are responsible for billions of dollars worth of losses each year in the retail sector.
Many factors play into this, including rising felony thresholds that reduce the risk for ORC criminals. In addition, respondents say ORC gangs are becoming more violent, and over two-thirds of those questioned said they’d seen an increase in ORC activity.
Types of Organized Retail Crime
There are two main ways that retailers are targeted. The first is retail fraud, where the threat actors implement one of many fraudulent strategies to make a profit at the expense of the retailer. The second is theft, where they steal product from the retailer and resell it, usually through e-commerce channels or even dark web commerce sites.
Fraud and Organized Retail Crime
Refund or Return Fraud - This is when an individual or group returns merchandise they stole for cash or credit from the store. An alternative strategy involves attempting to return counterfeit merchandise.
Counterfeit Money - Groups use counterfeit money to make numerous purchases from across a range of stores to avoid suspicion. Then they return the products for real cash or they sell the product online. Alternatively, they might purchase gift cards and then sell those on for real cash.
Serial Number Fraud - The organization might legitimately purchase goods and then sell the serial number for a replacement claiming it has broken. Often, replacement goods are sent before the damaged ones are received by the retailer. They can then make a profit off of the fraudulently claimed item.
Gift Card Fraud - There are a few ways that gift cards can be used by organized retail crime groups. First, a stolen credit card could be used to buy gift cards. Second, gift cards often have fairly simple serial number sequencing. Attackers can learn the sequence of the cards and, when they are legitimately loaded, make a clone of the card to sell or use themselves.
Credit Card Fraud - Because of the amount of transactional data that retailers have, they are a prime target for hackers. These hackers could be looking for credit card data, banking details, or simply personal information. They will likely sell this off to the highest bidder through a dark web marketplace rather than use it themselves.
Theft and Organized Retail Crime
Mass Shoplifting - This can take various forms. In one, a group goes around separately to various different retailers and boosts a substantial amount of merchandise without anyone noticing. Alternatively, they might take a smash and grab approach, where a large group rushes into a store, grabs what they can, and rushes out just as quickly, potentially making off with thousands worth of goods.
Robbery - This is when an individual or group targets a specific retailer, often for cash in the till. This kind of robbery can be violent and safety should always be the primary concern for the retailer.
Smash & Grab / Burglary - Organized retail crime groups have been known to target high-quality retail stores for high-value merchandise they know they can profit from. For example, designer clothing, electronics, and jewellery. This could involve smashing the front window with a brick or a more subtle entry involving access through air vents or by manipulating an employee to gain access after closing.
Cargo Theft - One of the key strategies employed by organized crime groups is the theft of cargo. Cargo is defined as merchandise that has yet to reach its final destination. Examples of this include theft from warehouses or from lorries whilst they are in transit. This allows for the criminals to steal large quantities of goods in one go.
73% of retailers surveyed said they've been a victim of cargo theft in the past year. En route from distribution center to store is the most common place for cargo theft to occur.
Improved Situational Awareness for Preventing and Mitigating Threats Associated with ORC
To combat the threat of organized retail crime, 65% of retail executives surveyed said they were prioritizing ORC more now than 5 years ago. To do this, 56% said they have or plan to allocate additional technology resources to fight risk and 44% said they would be increasing their loss prevention budgets.
Loss prevention strategies include more stringent return policies, better gift card serializing, electronic article surveillance, and improved video surveillance. To improve the overall effectiveness it’s also important to support loss prevention teams with accurate and up-to-date intelligence.
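To illustrate what better gift card serializing means in practice, the following added example (not from the original article or from any retailer's system) contrasts sequential serials with card numbers built from random bits plus a keyed tag. The number format, tag length and function names are assumptions made for the illustration.

```python
"""Gift card numbering: sequential serials vs. unpredictable, authenticated ones."""
import hashlib
import hmac
import secrets

TAG_HEX = 10  # 40-bit truncated HMAC tag appended to every card number


def issue_sequential(last_serial: int) -> str:
    """Weak scheme described in the text: the next card is simply last + 1,
    so anyone holding one card knows the numbers of its neighbours."""
    return f"{last_serial + 1:012d}"


def _tag(key: bytes, card_id: str) -> str:
    """Keyed tag over the card id; only the issuer, who holds `key`, can make it."""
    return hmac.new(key, card_id.encode(), hashlib.sha256).hexdigest()[:TAG_HEX]


def issue_card(key: bytes) -> str:
    """Hardened scheme: 64 random bits from the OS CSPRNG plus a keyed tag."""
    card_id = secrets.token_hex(8)
    return f"{card_id}-{_tag(key, card_id)}"


def is_authentic(key: bytes, card_number: str) -> bool:
    """Reject numbers the issuer never produced before any balance lookup.
    A card that passes must still be checked against the activation database."""
    card_id, sep, tag = card_number.partition("-")
    if not sep or len(card_id) != 16 or len(tag) != TAG_HEX:
        return False
    return hmac.compare_digest(tag.encode(), _tag(key, card_id).encode())


def neighbours_accepted(key: bytes, card_number: str, count: int = 200) -> int:
    """Loss-prevention self-test: of the `count` ids that follow a known card,
    how many would pass validation if someone reused that card's tag?"""
    card_id, _, tag = card_number.partition("-")
    base = int(card_id, 16)
    hits = 0
    for step in range(1, count + 1):
        candidate = f"{(base + step) % 2**64:016x}-{tag}"
        hits += is_authentic(key, candidate)
    return hits


if __name__ == "__main__":
    # Constructed demo key; a real issuer would keep the key in a KMS or HSM.
    demo_key = secrets.token_bytes(32)
    print("sequential:", issue_sequential(41), "then", issue_sequential(42))
    card = issue_card(demo_key)
    print("hardened card:", card, "authentic:", is_authentic(demo_key, card))
    print("neighbouring numbers accepted:", neighbours_accepted(demo_key, card))
```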
Using OSINT tools like Signal, you can quickly become aware of and mitigate damages from a range of potential threats from organized retail crime, such as:
Cloned gift cards for sale on the dark web.
A conversation suggesting cargo was going to be targeted.
Data breaches of sensitive customer data.
Plans for after hours break-ins.
Product serial numbers found for sale on Telegram.
Stolen goods found online.
How Monitoring Current Events Like the 2020 US Election Can Increase Organizational Security
Tensions around the US election are high for both ends of the political spectrum. There has been an increase in polarization and militarization and many Signal customers have expressed concern.
There are numerous threats that could evolve to seriously impact an organization, from natural disasters, to acts of terror, to targeted attacks on executives. Currently, though, tensions around the US election are high on both ends of the political spectrum. There has been an increase in polarization of political views and even militarization of the public in recent months, and many Signal customers have expressed concern.
For many Americans this is seen as the most important election of their lives so far. Fears of voter fraud and voter suppression are rife, which is reflected by an unprecedented number of early votes being cast, with more than 90 million votes already cast a week before the election, more than two-thirds of all the votes cast in 2016.
Pair this with a deadly pandemic and a summer of protests, many of which became violent, and one can see the potential for civil unrest around a contentious presidency. To mitigate this risk, organizations need relevant intelligence as events unfold to ensure they take the necessary precautions to protect their employees and assets.
As such, we have created advanced tools to enable organizations to be alerted as early as possible to issues and current events, such as the election, where the possible fallout could have an impact on their employees and assets.
Monitoring Election Threats in Real-Time Using Signal OSINT
Using Signal, security teams can learn of events as they are happening or even before they happen, allowing effective response plans to be enacted, effectively neutralising potential threats.
To do this, users can create custom searches using Boolean logic to filter intel from key web sources such as social media, the open web, and the dark web. Intel from these sources often acts as an early indicator, alerting Signal customers to potential issues in real-time. The data can also be reviewed by our emotional analysis solution for increased data analysis efficiency.
Signal has real-time SMS and email alerting for high-risk threats so that companies can maximise available response time. Once alerted to potential risks the security team can form a final judgement on the threat level and decide whether action needs to be taken.
Final Words on Threat Monitoring with Signal
Threat monitoring isn’t just for events such as a contentious election. COVID-19, earthquakes, storms and other extreme weather events, and even threats of violence against specific executives, can all affect an organization. Signal OSINT software enables security teams to scan a vast number of surface, deep, and dark web channels and sources to gain real-time data on a broad array of emerging threats.
Anonymous social media forums like 4chan or dark web forums are often where threat actors go to communicate and organize. And social media is often where you can learn of current events as they unfold. So whether it’s customer data for sale online, or an active shooter situation in-store, security teams armed with OSINT can quickly assess and respond appropriately to mitigate risks and damages.
Only when an organisation has a complete picture that incorporates the variety of potential risks and has invested in specific responses and contingency plans can it adapt as needed to mitigate the impact of extreme events.