Now that we’ve discussed what an onlooker can glean from monitoring a person’s browsing activity, let’s talk about exactly how an attacker would go about the process.

We’ll start by looking at how to gather Passive Information Leakage coming from a competitor. First, identify a number of people of interest within the company, including senior management, engineers, marketers, HR, etc. There are many ways to get these lists, but they could come from people you already know, the competitor’s website, as well as membership lists of industry organizations and attendee lists of appropriate conferences. If the list does not already contain it, it is not difficult to find, buy, or social engineer the email addresses for everyone on the list. We sometimes are able to get competitors to volunteer this information by keeping some of our pages behind a registration wall.

With email addresses in hand, the next step is to connect them to the user via IP address and cookies. There are services to track emails you send using invisible images, and they will provide you with the IP address and time each email was opened. Alternatively, it is not too difficult to create your own; just edit your signature to include a remotely loaded graphic (your company logo works great).

Rather than pointing to the image directly, point to a script to which you can pass an identifier, or set up your website to redirect any path in a given directory to the image. Using the re-direct method, the link might look like <img src=”http://mycompany.com/foo/12345″ /> where 12345 is changed for each email sent. Any URL starting with http://mycompany.com/foo/ will end up loading the logo, so the number at the end simply provides tracking.

By looking in my web logs, I can see the IP address of anyone who opened by emails. I can do the same by sending uniquely marked links to content, and capturing the user’s identifiers when they click the link. Either way, as soon as the target visits my website with a browser, I can use cookies to capture the browser fingerprint, which allows me to recognize them when they come back again, even from a different IP address.

The next step is to setup my logs to capture all visits by identified competitors and output information sorted by individuals or groups within the company. A simple web bug in the header template for the website can make this capture easy and automatic. Standard log analysis products will allow me to see user click trails and average time spent on each page in my website.

That’s it—that’s all that is needed to learn a tremendous amount about competitors and their plans.

Passive Information Leakage – Part 5
Passive Information Leakage – Part 3