Social engineering is an epidemic, and social media is increasingly where it happens. The 2020 Trustwave Global Security Report analyzed a trillion security and compromise events and concluded that “social engineering reigns supreme in method of compromise.” In 2019, “half of all incidents investigated by Trustwave analysts were the result of phishing or other tactics, up from 33% in 2018.” Many of these social engineering tactics are centered on email, but social media engineering attacks are on the rise and account for an increasingly large share of breaches. A recent report from Verizon revealed that 22% of all data breaches involved social attacks as a tactic.
Social engineering on social media doesn’t happen at random. Bad actors carefully select their victims, locking in on targets they regard as high value because of their title and organizational role, and the profiling of those targets draws on a wide range of online channels. Cybercriminals do their research. Just as businesses use social media to gain valuable insights into their target audiences, bad actors use profiling techniques to identify and learn more about potential targets. In fact, cybercrime increasingly mimics the practices of legitimate organizations to find, profile, and connect with high-value targets.
Social Engineering and Social Media: The Danger of Oversharing
Within the context of cybersecurity, oversharing is less about posting inappropriate details on social media, and more about creating a detailed public profile of oneself. This detailed profile is extremely valuable to would-be attackers.
Cybercriminals are patient. They routinely trawl through social networks to identify high-potential targets, then learn more about them by scouring their public profiles for details of their history, their job, their activities, and their interests. As a result, the more people post about themselves on social media, the easier they make things for criminals. Much as businesses create detailed audience personas, phishers develop extensive profiles of their targets.
This profile development can be frighteningly easy. In an episode of the Zero Hour podcast, Brian Honan, CEO of BH Consulting in Ireland, offered an eye-opening example of how easily social media can become a “goldmine” for cybercriminals drawing up victim profiles. BH Consulting offers a red teaming service. “As part of any engagement we do for our clients,” Brian explained, “one of the first things we do is we go onto LinkedIn.” There, the red team begins hunting down information shared publicly through the accounts of staff members. “By looking at profiles, we’ll know what technologies are being used in the company, because of all the certificates that they’ve received from different vendors,” Brian explained.
With one of their clients, BH Consulting quickly discovered a leak of confidential information: “On one project manager’s LinkedIn profile, they listed about 2-3 projects that they’ve worked on... So they had the project names, linked back to the clients. And when we communicated that back to the company’s Head of Security, he goes: ‘How did you know that company was a client of ours? And how did you know we’ve done that work for that client? We’re on a strict confidentiality agreement with that client, promising not to disclose any work that we’ve done for them.’”
The staff member in question was not acting maliciously. But this was confidential information which, in the wrong hands, could be used as valuable profiling information to help launch an attack using social engineering. A bad actor could take this information and use it to maliciously win the trust – and manipulate the actions – of a potential victim.
Attack of the Imposters
The danger with such personal and confidential information being accessible to attackers is that it gives them what they need to put on the digital mask and start impersonating a legitimate entity for nefarious ends. It gives hackers an easy way to pose as legitimate companies or individuals which the victim either knows personally, or instinctively trusts.
Again, LinkedIn is a popular vector. Real companies routinely use the platform to find potential employees, prospects, partners, investors, and other valuable connections. Attackers know this, and so they do exactly the same thing under the guise of an honest operator. Consequently, criminals often approach their victims in just the same way that companies connect with their customers. To establish trust, they display personal knowledge of the target. When someone reaches out to a would-be victim while making it clear that they are familiar with specifics such as job roles and routines, there is a far higher chance of success. Armed with a raft of detailed information gathered from social media profiles, scammers are much better positioned to masquerade as trusted individuals.
Once again, such approaches are often worryingly successful. As another element of their red teaming, Brian’s team at BH Consulting targeted the CISO of the company whose security they were stress-testing. They discovered that the CISO had been tweeting about a talk he gave at a conference some months earlier. After sifting through the tweets, Brian’s team created a fake LinkedIn profile, posing as a large cybersecurity conference. They reached out to the CISO and asked if he would be available as a keynote speaker. The CISO was responsive, sharing his email address and more. Within 12 minutes, he was compromised.
As Brian explained: “Once you’ve made connections to people on a social media account’s private messaging feature,” the door is opened to all sorts of attacks. And a company “might have good built-in security software to detect suspicious emails and suspicious websites. But a person might access a link via instant messaging, and that may not be covered by any of your security tools. It’s a nice easy way into the core of your systems.”
Protecting Your Business from Profiling and Social Media Engineering
Digital data is among the world’s most valuable commodities. The business model of social media revolves around collecting user data and monetizing it through advertisers. From a cybercriminal’s perspective, that same data represents a vast attack surface that can be mined for nefarious ends.
While well-meaning businesses and individuals use social media as an opportunity for engagement, the criminal uses social media engineering to plan and launch attacks with far-reaching consequences. While it’s hardly desirable from a business perspective to avoid social media altogether, there are some ways to use it safely:
- Ensure you have full visibility into all brand channels, and executive accounts where necessary.
- Enforce the principle of least privilege by ensuring that only employees who really need access to your branded social media accounts have access to them.
- Train your employees so that they stay informed about the latest cybersecurity trends and threats, and are mindful about what they post on their own social media accounts.
- Implement an overarching data-governance policy that makes clear what employees can and cannot post on social channels (including their own).
Above all, businesses need to educate their employees on the responsible use of social media, not only for the brand’s sake, but for theirs as well. People must be mindful about what they post on their social profiles and learn to be every bit as skeptical about interactions as they would be about a dubious email. Empowered by that knowledge, and the right technology to manage digital risk, brands can reduce the likelihood of suffering an effective social media engineering attack.
Download our latest whitepaper to learn more about protecting your brand’s social media accounts from malicious actors today.
July 6, 2020