Leave a 5-Star Review, Get Arrested

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans; Ashton Engineer Emeritus

The riot activity in Philadelphia following the death of George Floyd resulted in millions of dollars in property damage. Included in the damage to buildings and property were police cars that were set on fire. One of the arsonists was apprehended through some interesting police work using publicly available information and social media. This article details how the arsonist was found. I am going to hit the high points to emphasize what you need to be concerned about, even if you haven’t committed a crime.

What You Post Online Stays Online

The physical description of the arsonist came from news video, video footage on Vimeo, and pictures submitted to the FBI by photographers who were on site. The arsonist was wearing a mask, goggles, and gloves. She had a distinctive t-shirt, and a tattoo was visible on her arm.

The t-shirt was found on the website Etsy.com. A 5-star review from “alleycatlore” from Philadelphia caught the investigators’ interest. Searching other websites turned up a user named “lore-elisabeth” on Poshmark.com. Searching LinkedIn.com found a person named Lore Elisabeth in Philadelphia who worked as a massage therapist. A video on the company website showed her giving a massage, and a tattoo matching the one in the riot footage was clearly visible. The FBI was able to trace the phone number on the website to an address for a person named Lore Blumenthal. Records subpoenaed from Etsy.com showed delivery of a t-shirt identical to the one in the riot footage to the Blumenthal address. She is now in custody.

What is the lesson here, other than that setting fire to police cars is a bad idea? A little old-fashioned searching on the web can reveal a lot about you, your employees, and your company, perhaps more than you would care to have known. While the searching here was done by law enforcement to prosecute criminal behavior, they didn’t employ anything unique to law enforcement until they got down to subpoenaing some information. They probably could have gotten what they needed in other ways (social engineering) if they didn’t need to follow legal protocols to obtain legal evidence.

You Are A Target. Like It Or Not.

You might feel that you or your company is not a target worthy of such investigative efforts on the part of bad guys. You are not wealthy or your company is not very big. Keep in mind that many ransomware attacks result in demands based on what the victim can (or the attacker thinks they can) pay. Also, you may not be the actual target the bad guy is after. In many cases, it’s not an immediate connection, but rather three degrees of separation. The city of Griffin, Georgia lost $800,000 in a business email compromise (BEC) scam. The point of entry for the scam was a vendor that did regular business with the city. The vendor’s network was compromised and used to scam the city. Would you like to be the entry point for an attack on one of your biggest customers?

What Should You Post?

The case of Lore Blumenthal should be an object lesson for individuals and businesses alike. The more information about you, your business, or employees that is available online, the easier it is for the bad guys to come up with something that they can use to social engineer their way into your network. Obviously, you need an internet presence these days, but what should that include? Should you have a biography of all your senior officers including educational institutions attended, hobbies, fraternities, etc.? Is that kind of information needed to do business? You need some contact information and probably titles. The fact that the president of the company breeds collies and is a member of the AKC probably does not help convince people to order the widgets your company makes. Likewise, your employees posting information about who got promoted and who is in charge of wire transfers is probably not going to help make people want to do business with you, especially if that information is on Facebook.

Do you check the internet to find out what someone could find out about you, your company, and your employees? From the technical side, you get a penetration test done. This is a process where your network is checked for weaknesses that attackers could use. The last line of defense in any network is the people on it. Social engineering is the weapon used against them. Information about them is the ammunition for that weapon.

It would be useful to know if your policies (you do have them, don’t you?) about what can be posted publicly are being followed. If someone is publicly posting information that should remain within the company, this is something that can be used in a social engineering attack. In the Griffin, Georgia case, the attackers had accurate information to use as a basis for setting up the scam. When the attacker has information that makes them seem more legitimate, they are more likely to be successful.

I suspect that Lore Blumenthal didn’t expect a review that she posted would lead to her arrest. It just shows that information can be obtained from anywhere and used for any purpose. Even if you can’t contain it, you need to understand where it is and how it can be used.
