Swatters use data brokers and stolen information on the dark web to target C-suite and board members. Removing personal information from the web is the best way to minimize this risk.
At around 8:45 pm on February 1, 2023, a caller to the Groveland, Massachusetts, 911 emergency line told dispatchers that he had harmed someone in a home on Marjorie Street in the upscale small town 34 miles north of Boston. The caller also said he would harm first responders.
Groveland police chief Jeffrey Gillen summoned the police, fire, and emergency mutual aid of the nearby towns of Ipswich, Rowley, Topsfield, and Haverhill. Police evacuated neighboring homes around the house on Marjorie Street but soon found out that the call was a hoax, a “swatting” incident designed to draw significant police presence to a targeted location. So far, no arrests have been made.
This incident is part of a growing surge in swatting attacks across the country, including yesterday, when swatting threats were leveled against nearly a dozen school districts in Michigan and multiple schools in Southern California. Swatting, which derives its name from the specialized police forces known as SWAT teams, is a highly dangerous prank that has caused many accidental injuries and even deaths.
Coordinated precision attacks against corporate executives
Prank phone calls to police have existed for decades, but swatting in its more dangerous form took hold in the early 2000s when the FBI warned of the “new phenomenon.” It has become a popular revenge technique among gamers. One gamer even incurred a prison sentence for orchestrating a swatting incident that led police to kill a man in Kansas.
Swatting has affected many high-profile individuals, from Hollywood celebrities and music industry stars to political leaders and even cybersecurity journalists. Now, according to digital executive protection company BlackCloak, swatting incidents are reaching the top ranks of Fortune 500 companies, with unknown bad actors targeting C-suite executives and corporate board members.
The company is announcing today that over the last four months, its threat intelligence team has identified a surge in doxxing and swatting of executives, board members, and other high-profile persons. These incidents use information from the dark web, data broker information, company website “about the leadership team” pages, and property records. The recent attacks have been heavily focused on the healthcare, biomed, pharma, and esports gaming industries but have expanded in recent weeks to other sectors.
“What we’re seeing right now is very, very different,” Chris Pierson, a former DHS advisor and the founder and CEO of BlackCloak, tells CSO. “It’s a coordinated precision attack against corporate executives.”
Information retrieved from data brokers, data breaches
In this new corporate swatting surge, the malicious actors go to the websites of corporations, identify the top executives and board members, and, with lists in hand, visit the websites of data brokers such as 411.com, Spokeo, and others. While there, the swatters grab whatever they can – names, addresses, phone numbers, email addresses, whatever is available. It is a “one-stop shop for finding the locations of executives and corporate officers,” says Pierson.
Alternatively, the threat actors plumb the archives of content aggregated from thousands of data breaches over the years. The swatter can easily find out that an executive “ordered new jogging shorts or whatever” and where those shorts were shipped, he says.
Once the cybercriminals have that information, they do one of two things: use synthesized voice devices or make robotic recordings and call the police. The messages generally focus on a hostage or murder situation. Pierson says a sample recording might be “there’s a hostage situation, murder situation, two people are dead at One Main Street or One Beacon Street, Boston, Massachusetts. Get there quickly. We need help.”
Regarding executive swatting, “We are seeing this with more frequency,” Pierson says, and “the trend is unnerving.” That is why BlackCloak is issuing a press release alerting corporate America to a phenomenon that his firm has seen accelerating over the past five or six weeks.
“I think it’s become much more dangerous. And, we’ve been communicating privately with our relationship partners on the inside of the companies that this is now something about which everyone needs to be much more sensitized.”
Steps to lower swatting risks
BlackCloak has no insight into why swatters would be targeting corporate decision-makers but does think it’s an organized campaign. “We don’t know what the motivation is. It could be things associated with current events, or it could be to cause chaos,” Pierson says. “But we don’t have a definitive motive.”
Absent a clearer picture of who the adversaries are, Pierson’s advice to corporate leaders is to “number one, remove your personal information from data broker sites however you do it, but remove it.” Number two is sharing less personal information. “Decrease the amount of stuff you are sharing,” he says.
The third thing to reduce the risk of swatting is: “Alter the information that is on the [company] About Us page, so it does not include the, ‘Hey, I live in Newton, Massachusetts with my wife Sally, and my dog Muffy, and my three kids.’” Moreover, “make sure that if you’re a publicly traded company that within SEC reports you remove mention of family, residence, home residents, family members from any publicly filed documents.”
A more difficult recommendation offered by Pierson is for executives and board members to register their homes not in their own names but in the name of a trust or an LLC. “Now, the only problem with that is if your homes are already registered in your name, you can never erase it from the record.”
Pierson offers no details on which of BlackCloak’s clients have been hit with swatting attacks. However, he did say the areas that have been clusters of corporate executive swatting since the beginning of the year include Boston, Chicago, San Francisco, and Los Angeles.
“A lot of those companies we’re protecting are located in those areas, so we’re seeing that. But, there is a lot more activity happening in some of those big geographic areas,” he says. Given the widespread and coordinated nature of the campaigns, Pierson thinks we will likely see some of these cases coming out in local police reports soon.
By Cynthia Brumfield