The Targeted Attack Potential of Vanity Web Searches

We all like knowing what other people are saying about us. That's why vanity searches—searching the web for the mentions of one's name—are so popular. Companies do it too by setting up alerts o see what is being discussed about them in social media, on blogs or elsewhere on-line. Such "egosurfing" practices can also be used to target the individual or the company with a client-side or a social engineering attack.

The promise of revealing information about the person—offering either gossip or actionable intelligence—can act as a powerful lure. Consider what happens when you see a new mention of your name in Google on some web page or a discussion forum. "Cool," you think to yourself, "I wonder what they are saying about me." Then you click the link to go there.

Mass-Scale Vanity Search Attacks

Peter Tzor once described an experience of encountering a fake anti-virus scam when searching for his name in Google to locate an old photo from a conference. That malicious website aimed to attack as many people as possible, drawing in potential victims with black hat Search Engine Optimization (SEO) techniques. By clicking a link in Google search results, the person visited the website, which attempted to social-engineer him into installing malware.

Targeted Vanity Search Attacks

Knowing that many individuals and organizations conduct vanity web searches allows an attacker to target a particular entity, say the targeted company's CEO. A commenter outlined this approach in response to my earlier post on monitoring social media for security references to your organization:

"All one would have to do is create the site with the key flags (CEO name, Company name, etc.) and watch the logs until Google does its indexing. Once indexed by Google, post the nastyware on the site and wait for the CEO to follow the alert they get."

By noticing a new reference to the monitored or searched-for name, the person would likely visit the malicious website and be subjected to a client-side attack or a social engineering scam. I bet this technique can be no less effective than emailing the potential victim a malicious link or an attachment. Why go to them when you can lure them to come to you?

Should we give up the practice of vanity web searches? I know that won't happen. But perhaps it's worth exercising extra caution when visiting the websites that show up the next time you egosurf.

Updated February 17, 2015
Lenny Zeltser

Did you like this?

Follow me for more of the good stuff.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more