“Starbucks Stalkers”

In a new twist to an old game, criminals engaging in corporate espionage are hanging out in Starbucks coffee houses in order to steal the laptops and PDAs of employees who work for targeted companies.


“It’s not people looking to get their hands on a new laptop, it’s people looking to get their hands on the data of a specific company,” said Ed Adams, CEO of Security Innovation. “So it is a form of a targeted attack, a targeted social engineering attack, taking advantage of Starbucks and the proximity to companies.”

In the past six months, Adams’ firm has been retained by two very large East Coast companies to reverse engineer what happened to their employees’ laptops and to help put in place measures to thwart future incidents.

Inside Job

The attacks work like this: an employee at the targeted firm is identified—usually an executive—and his or her habits are tracked. When the target frequents a nearby Starbucks, the perpetrator waits and watches. As soon as an opportunity opens up—for example, when the target steps away to place an order—the laptop is swiped.

“I remember reading (something) not too long ago where people would actually stake out certain Starbucks knowing that people from Company ‘X’ frequented it at lunch time, just looking for laptops …,” said Dave Marcus, Security Research and Communications manager for McAfee Avert Labs and the man who coined the term “Starbucks Stalkers.”

“That’s not exactly high-end crime. It’s really dumpster diving when you come right down to it.”

How widespread the problem is remains hard to gauge, since many targets treat the theft as a one-off incident and never connect the stolen hardware to the data on it, said Andrew Berkuta, senior security evangelist at McAfee.

“If we look at the animal kingdom, we’re just going to our favorite watering hole,” said Berkuta. “Again, it’s conservation of resources, (criminals are) not going to track (a target) across a complete city if they know they’re going to the same coffee house.”

And it is not only the loss of the laptop and its data that is a problem. Using the target’s contact lists, customer information, forms and other documents, criminals are launching very successful, surgical phishing campaigns that net a very good response rate because the recipients believe they are dealing with a trusted source.

Berkuta calls this “barrel phishing” because it’s “just like fishing in a barrel.”

“Given a thread of truth in a phishing (attack), either a letter like a postal letter or an email or some type of document that somewhat looks legitimate, people may act on it in a higher hit rate than just sending a mass mailing,” said Berkuta.

Two other somewhat less targeted—but no less dangerous—attacks are also taking place at Starbucks, said Adams.

One is what he terms “Starbucks Skimmers,” where culprits bring in RFID readers to snag the names and credit card numbers off cards that have RF (radio frequency) chips embedded in them, such as many new bank cards and Mobil SpeedPass-type key fobs.