The Targeted Attack Potential of Vanity Web Searches

We all like knowing what other people are saying about us. That's why vanity searches, searching the web for mentions of one's own name, are so popular. Companies do it too, by setting up alerts to see what is being said about them in social media, on blogs or elsewhere on-line. The same "egosurfing" habit can be used against the individual or the company as the lure for a client-side or social engineering attack.

The promise of revealing information about the person—offering either gossip or actionable intelligence—can act as a powerful lure. Consider what happens when you see a new mention of your name in Google on some web page or a discussion forum. “Cool,” you think to yourself, “I wonder what they are saying about me.” Then you click the link to go there.

Mass-Scale Vanity Search Attacks

Peter Tzor once described encountering a fake anti-virus scam while searching for his own name in Google to locate an old photo from a conference. That malicious website was not built for him in particular; it aimed to attack as many people as possible, drawing in potential victims with black hat Search Engine Optimization (SEO) techniques. Clicking a link in the Google search results took the visitor to the website, which then attempted to social-engineer him into installing malware.

Targeted Vanity Search Attacks

Knowing that many individuals and organizations conduct vanity web searches allows an attacker to go after a particular entity, say the target company's CEO. A commenter outlined this approach in response to my earlier post on monitoring social media for security references to your organization:

“All one would have to do is create the site with the key flags (CEO name, Company name, etc.) and watch the logs until Google does its indexing. Once indexed by Google, post the nastyware on the site and wait for the CEO to follow the alert they get.”

Having noticed a new reference to the monitored or searched-for name, the person would likely visit the malicious website and be subjected to a client-side attack or a social engineering scam. Note the sequencing in the comment above: the page looks harmless when the crawler indexes it, so the alert carries a benign snippet, and the hostile content appears only afterwards. I bet this technique can be no less effective than emailing the potential victim a malicious link or an attachment. Why go to them when you can lure them to come to you?
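A defensive counterpart to the scheme the commenter describes, written as an added example and not code from the original post: before anyone clicks a vanity-alert result, unwrap the redirect link, ask whether the destination domain is one you already know, and compare the snippet the search engine indexed with the text the page serves now. It assumes alert entries shaped like the title/link/snippet items of a Google Alerts feed, takes already-fetched page text as input so it runs offline (fetching belongs in an isolated sandbox, not on the CEO's workstation), and uses constructed sample entries and pages. The hostnames, snippets and the `example.org`/`example.net` sites are made up for illustration.

```python
"""Triage vanity-search alert results before a person clicks them.

Added example, not from the original post. Assumes alert entries shaped like
{"title", "link", "snippet"} and pre-fetched page text keyed by destination URL.
"""
import re
from urllib.parse import parse_qs, urlparse

# Hosts that wrap outbound links in a redirect URL; the real destination sits in
# one of the listed query parameters. Assumption: Google Alerts links look like
# https://www.google.com/url?...&url=<destination>&...
REDIRECT_PARAMS = {"google.com": ("url", "q")}


def unwrap_redirect(link: str) -> str:
    """Return the real destination if `link` is a known redirect wrapper."""
    parsed = urlparse(link)
    host = (parsed.hostname or "").lower()
    for wrapper, params in REDIRECT_PARAMS.items():
        if host == wrapper or host.endswith("." + wrapper):
            qs = parse_qs(parsed.query)
            for p in params:
                if p in qs and qs[p][0].startswith(("http://", "https://")):
                    return qs[p][0]
    return link


def registrable_domain(url: str) -> str:
    """Last two labels of the host.

    Simplification for the example: a real tool should consult the Public
    Suffix List so that hosts such as foo.example.co.uk are handled correctly.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _words(text: str) -> set:
    return set(re.findall(r"[a-z0-9]{3,}", text.lower()))


def snippet_overlap(snippet: str, page_text: str) -> float:
    """Fraction of the indexed snippet's words that still occur on the live page.

    The snippet is what the crawler saw at indexing time. If the page was later
    swapped for something else, as in the bait-and-switch the post describes,
    little of the snippet survives.
    """
    words = _words(snippet)
    if not words:
        return 0.0
    return len(words & _words(page_text)) / len(words)


def triage(entries, known_domains, fetched_pages, min_overlap=0.6):
    """Return one record per alert entry listing the reasons it deserves caution."""
    results = []
    for e in entries:
        dest = unwrap_redirect(e["link"])
        domain = registrable_domain(dest)
        reasons = []
        if domain not in known_domains:
            reasons.append("unfamiliar domain: " + domain)
        page = fetched_pages.get(dest)
        if page is not None:
            overlap = snippet_overlap(e["snippet"], page)
            if overlap < min_overlap:
                reasons.append(
                    f"live page no longer matches indexed snippet ({overlap:.0%} overlap)")
        results.append({"destination": dest, "domain": domain, "reasons": reasons})
    return results


# Constructed sample data: one familiar site, and one unfamiliar site whose
# live content no longer resembles what the crawler indexed.
SAMPLE_ENTRIES = [
    {"title": "Talk recap",
     "link": "https://www.google.com/url?rct=j&url=https://blog.example.org/recap&ct=ga",
     "snippet": "Jane Doe of Example Corp gave a talk on incident response"},
    {"title": "Jane Doe, Example Corp",
     "link": "https://www.google.com/url?rct=j&url=http://jane-doe-example-corp.example.net/&ct=ga",
     "snippet": "Jane Doe Example Corp CEO discussion thoughts"},
]
SAMPLE_PAGES = {
    "https://blog.example.org/recap":
        "<p>Jane Doe of Example Corp gave a talk on incident response.</p>",
    "http://jane-doe-example-corp.example.net/":
        "<h1>Your computer is infected!</h1><p>Download the scanner now.</p>",
}
KNOWN_DOMAINS = {"example.org"}

if __name__ == "__main__":
    for r in triage(SAMPLE_ENTRIES, KNOWN_DOMAINS, SAMPLE_PAGES):
        status = "REVIEW" if r["reasons"] else "ok"
        print(f"{status:6} {r['destination']}  {'; '.join(r['reasons'])}")
```

The snippet comparison is the check that matters for this attack: a site that was benign at indexing time and hostile afterwards fails it even when the domain looks plausible. The domain allowlist is deliberately strict; an unfamiliar domain is not proof of malice, it only means the page should be opened in a sandbox or a throwaway VM rather than from the alert itself.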

Should we give up the practice of vanity web searches? I know that won't happen. But perhaps it's worth exercising extra caution the next time you egosurf: treat a result on a domain you have never seen before the way you would treat an unsolicited link in email, and look at it from a sandbox or a throwaway VM rather than from the workstation where the alert landed.

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.