We all like knowing what other people are saying about us. That’s why vanity searches—searching the web for the mentions of one’s name—are so popular. Companies do it too by setting up alerts to see what is being discussed about them in social media, on blogs or elsewhere on-line. Such “egosurfing” practices can also be used to target the individual or the company with a client-side or a social engineering attack.
The promise of revealing information about the person—offering either gossip or actionable intelligence—can act as a powerful lure. Consider what happens when you see a new mention of your name in Google on some web page or a discussion forum. “Cool,” you think to yourself, “I wonder what they are saying about me.” Then you click the link to go there.
Mass-Scale Vanity Search Attacks
Peter Tzor once described an experience of encountering a fake anti-virus scam when searching for his name in Google to locate an old photo from a conference. That malicious website aimed to attack as many people as possible, drawing in potential victims with black hat Search Engine Optimization (SEO) techniques. By clicking a link in Google search results, the person visited the website, which attempted to social-engineer him into installing malware.
Targeted Vanity Search Attacks
Knowing that many individuals and organizations conduct vanity web searches allows an attacker to target a particular entity, say the targeted company’s CEO. A commenter outlined this approach in response to my earlier post on monitoring social media for security references to your organization:
“All one would have to do is create the site with the key flags (CEO name, Company name, etc.) and watch the logs until Google does its indexing. Once indexed by Google, post the nastyware on the site and wait for the CEO to follow the alert they get.”
By noticing a new reference to the monitored or searched-for name, the person would likely visit the malicious website and be subjected to a client-side attack or a social engineering scam. I bet this technique can be no less effective than emailing the potential victim a malicious link or an attachment. Why go to them when you can lure them to come to you?
Should we give up the practice of vanity web searches? I know that won’t happen. But perhaps it’s worth exercising extra caution when visiting the websites that show up the next time you egosurf.