Social Media Engineering
When we want to share our family vacation pics or an amazing dinner we’re about to eat, to catch up on what’s going on with friends and family, to see what’s happening in the news, or have discussions on different topics, where do we go for all that? Facebook, Twitter, Instagram, Pinterest, LinkedIn and other social media platforms. We use it every day, and for some of us, we can’t live without it. It’s also something organisations are now relying on for growing their business and strengthening and growing customer relationships.
We have become so reliant on social media that we tend to trust it, thinking we are amongst friends. So, if a friend posts, “check out this deal on Groupon,” you’re going to trust that it’s from them.
But, the same platforms that we’ve grown dependent on and love and trust are being weaponized against us. Cyber criminals are taking advantage of the trust that we have in social media sites and have been using them to gain access to sensitive information, access corporate and government networks, attempt to influence government elections, and more. So, they’re not only used against individuals and companies but also against governments and national security agencies.
Social media is being used as the catalyst for these attacks and it doesn’t matter where you live; everyone is at risk. An article by AMEinfo, which covers the Middle East and North Africa, references a study that reported, “most of the breaches stemmed from social media platforms. LinkedIn accounted for 30 per cent of the total leaks while MySpace and Tumblr were responsible for 21 per cent and 8 per cent of the total credentials respectively.” In India, The Economic Times reported that, “A recent report by EY on ‘Cybercrime Incidents in India’ highlights how social media is emerging as one of the biggest risk zones for cyber-attacks, with 90% of the 160 top executives responding to the survey, identifying it as a major source of cyber-attacks.”
So, how are attackers using social media as a weapon, what is making this form of attack so successful, what are they after, and how can we protect ourselves?
How have attackers weaponized social media?
For spear-phish attacks and directed attacks against a company or perhaps against a department, they have used social media for reconnaissance. On LinkedIn, one can find out what employees work for the company and what department they are in. Platforms like Facebook, Instagram and Pinterest are where one can typically find personal information on targets.
For some attacks, the criminal will set up a fake account to impersonate someone such as a key executive or another employee. They will add a photo of the individual being impersonated and build up their followers. They can then start establishing trust with other employees in the company by sending friend requests and following other employee accounts, all while communicating using keywords, hashtags, @ mentions, and relevant lingo that was acquired through the reconnaissance. Another, but more difficult, way they can attack is by hijacking someone’s account.
For a less targeted attack, cyber criminals will send out a mass communication through a platform’s built-in messaging such as LinkedIn’s InMail or Facebook’s Messenger. By posting shortened URLs, they get potential victims to click the link.
Another form of attack has involved Bitcoin. In an article by ZeroFOX, they broke it down into 4 main categories. Fake Bitcoin wallets, Bitcoin phishing impersonators, Bitcoin-flipping scams and Bitcoin pyramid schemes. For the fake Bitcoin wallets, scammers post a promise of Bitcoin if an app is downloaded (of course the app isn’t real) or post a fake Bitcoin survey. The impersonators pose as the Bitcoin brand itself. The flipping scams, the article states, “could be an offer to instantly exchange Bitcoins for money after paying an initial startup fee or a promise to double your initial investment overnight. Scammers succeed because they’re able to broadcast their scam to thousands of unsuspecting targets through social media.” Then the pyramid schemes, as the article states: “In these ethically grey schemes, a low initial investment can be multiplied by signing up additional members using referral links. New members are then encouraged to do the same, rinse and repeat. Before long, hundreds of victims have joined the scheme.”
Finally, cyber-criminals also use social media to pass along compromised data, exchange ideas and to connect.
What’s the payout for these attacks?
Once attackers have hooked someone and the target clicks the phishing link, it goes to a malicious site that may harvest credentials or download malware, and the attacker has just established a beach head into the network. Now they can further their attack, worming their way through the network or they can let the malware sit there silently. Why would they do that? Well, a package of data offering access to infected computers will be bought up quickly on the black market by other criminals for installing keylogging software for gaining access to online banking or network access or installing ransomware. A CSO article discusses some other reasons as well for leaving access dormant then selling it. It states that older accounts are more credible (ageing an account can add legitimacy) and dormant accounts are more likely to fly under the radar between attacks, which appeals to other cyber criminals for conducting their attacks.
Once the attacker has compromised the target then they will have access to whatever they want, such as gaining company and government secrets, money, possibly influencing the election process in countries. The 2015 Anthem Health attack yielded cyber-criminals 80 million records and the Pentagon’s data breach yielded an undetermined amount of data. A NY Times article pointed that through “a group of soldiers posting online, attackers could watch location changes to discern troop movements or engage directly in conversations to try to ferret out military decisions.” This is what happened in the Ukrainian conflict where Russian soldiers decided to use social media and their location was discovered and broadcast all over, as was reported by Business Insider. So, the goals of the attacker are money, political or military gain, or even embarrassing a corporation.
Why are these attacks so successful?
Most people don’t think twice when they are posting on social media. They don’t think about people using the information against them maliciously. They also don’t assume people on their network might be attackers. The attacks are so much more successful because they use your personal timeline and the content you engaged with to target the message to you. So, because we trust in social media too much, we open ourselves up as easy targets.
Can we protect ourselves?
The threat is real; millions of dollars are lost and the privacy of millions of victims are compromised, so what can we do to protect ourselves? Can the threat be neutralised? I mean can’t the social media giants stop these attacks?
Social media companies try to stop these attacks but attackers continuously change and adapt their methods, making them hard to predict and stop. It’s also illogical to lock down a platform that is designed to be open, so anybody can create an account.
What we can do:
For an organisation — shore up your defences.
- Know what your organisation’s digital footprint is.
- Make sure all accounts have secure passwords that are changed regularly. If they offer it, use multifactor authentication.
- Protect your brand. Look for impersonator accounts and get them taken down when discovered. Also, search for and buy up domains that are close to the original (e.g., for abccompany.com get portal-abccompany.comand others like it).
- Use an IDS (Intrusion Detection System) and other security solutions to detect and remove malicious links.
- Have an incident response plan in place.
- How about educating the population? Teach them what to watch out for, how to properly report an incident, identify a malicious link and remind them to verify the validity of any connection requests.
- Have policies in place on what corporate information is permitted to be posted on business and personal social media accounts.
For personal accounts—
- Know what your footprint is, that is, be aware of what you’re posting. That way, you know what an attacker could use against you.
- Secure your accounts with good passwords and use multifactor authentication, if possible.
- Stop trusting anyone that posts on social media or sends a follow or friend request. You don’t have to be friends with everyone.
- Use your privacy settings. All social media platforms have them.
As long as there continues to be a huge payout for cyber-criminals they will continue to weaponize social media. By following these recommendations and curbing your level of trust in social media, (stop trusting everyone in social media) your risk will be reduced. The threat can’t be eliminated, but you can minimise the risk surface area.