Social media offers an outlet for people to connect, share life experiences, pictures and video. But too much sharing—or a lack of attention to impostors—can lead to a compromise of business and personal accounts.
Attackers often use social media accounts during the reconnaissance phase of a social engineering or phishing attack. Social media can give attackers a platform to impersonate trusted people and brands or the information they need carry out additional attacks, including social engineering and phishing.
How Social Media Threats Happen
Businesses can’t control what people do in their private lives. But unfortunately, attackers can take advantage of employees who post too much information on social media.
The methods used by an attacker depend on the social media platform targeted. Facebook allows users to keep their images and comments private, so an attacker will often friend a targeted user’s friends or directly send a friend request to a targeted user to access their posts. If an attacker can connect to several of the targeted user’s friends, then it’s more likely that the targeted user will accept the friend request based on the number of connected friends.
LinkedIn is another common social media target. LinkedIn is known for business networking, and users’ networks are typically filled with colleagues and other employees within the same organisation. If an attacker targets a business, LinkedIn is an excellent social media site to collect business emails for a phishing attack. A large enterprise could have several networked employees who list their employer and their titles. An attacker can use this public information to find several employees who have access to financial information, private customer data or high-privilege network access.
Collecting information to steal data isn’t the only reason to use social media for reconnaissance. The information posted on social media could be used to obtain passwords or impersonate business users. Many online accounts allow users to reset passwords if they enter a security question. With enough information from social media posts, an attacker could guess the answer to these security questions based on the private information posted by a targeted user.
Brand impersonation is another social media threat. With enough gathered information, an attacker can impersonate a business brand to trick users into sending money, divulging private information or provide an attacker with account credentials. Attackers also use this threat to perform cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks. These attacks can lead to more massive data breaches and business infrastructure compromise.
What a Social Media Threat Looks Like
Because many social media platforms publicly display user posts, attackers can silently collect data without a user’s knowledge. Some attackers will take further steps into gaining access to user information by contacting targeted users or their friends.
The way a social media threat is carried out by an attacker depends on their goals.
If an attacker is looking for a high-stakes reward, the best way to quickly earn monetary rewards for their efforts is to target businesses. An attacker might first review LinkedIn for a list of possible targets. Targets can be a mix of high-level corporate employees and low-privilege users who could be tricked into sending additional corporate data or fall for a phishing attack that gives the attacker access to account credentials.
With a list of targets, an attacker could then review social media accounts for personal information. Personal information can help the attacker gain the target’s trust in a social engineering attack. It can also be used to guess answers to security questions for an account takeover or used to get closer to a user with higher privileges. The names of pets, favourite sports teams and education history are all potential password clues or answers to questions used to verify the user’s identity to reset a password.
After the attacker collects all the data needed, the next step is to launch the attack. An attacker can use any of the following methods:
- Social engineering. An attacker might call employees to trick them into sending private data, proving credentials or wiring the attacker money. In a complex attack, the attacker can pretend to be a high-level executive to trick the targeted user into transferring money to the attacker’s account.
- Phishing. An attacker may use collected social media information to spoof the sender of an email message and trick users into clicking links or sending the attacker private data. A high-level employee’s email address could be spoofed with a message instructing the recipient to send money, click a malicious link or reply with sensitive data.
- Brand impersonation. Using brand employee names, the attacker can trick customers into thinking requests are from the legitimate brand. This could be used to trick users into divulging personal information or account credentials.
- Site compromise and data theft. With enough information from social media, an attacker could write malware explicitly targeting the business or perform an attack that would provide internal network access where the attacker can then exfiltrate data.
- Spread malware. Like brand impersonation, an attacker could create domains and websites that claim to be the legitimate business and trick users into downloading malware or providing credentials.
- Data breach. If an attacker gains access to account credentials, it could lead to a significant data breach targeting an organisation.
Because there are several social media platforms on the internet, an attacker can perform social engineering and phishing using a variety of threat methods. There is no “one size fits all” social media threat for an attacker. But basic reconnaissance and research using social media are the same. Any public information on private and business social media accounts could be used in further attacks.
Ways to Prevent Social Media Threats
Most social media threats stem from employees disclosing too much private and business information publicly. These accounts are personal, so businesses can’t stop users from having a social media presence. But they can educate users on the best ways to protect data and their credentials.
Education is key to stopping social media threats. Individuals can educate themselves. But businesses must conduct training programs for every employee so that they can detect and prevent social engineering and phishing. The first step is educating users on the dangers of disclosing too much information online to the public. Even social media accounts set to private could be used in an attack should the attacker gain access to private feeds. Users should never post private corporate information on their social media accounts or information that could be used in an account takeover.
Some organisations hand out mobile devices and allow users to install social media apps. These companies should provide an acceptable usage policy that determines what users can post using company devices. It’s also critical to protect these devices from malware to avoid company social media accounts from being hacked. Remote wiping software should be installed should an employee physically lose their device or it gets stolen.
Some other educational points for employees include:
- Use ad blockers on corporate devices. If ad blockers are not feasible, instruct employees to avoid clicking ads, especially on popups that instruct users to download software to view content.
- Employees should not share passwords—even if it’s within the same department.
- Attackers use fear and urgency in their engagements, and employees should recognise this tactic as suspicious. Any messages or social media posts that urge employees to act quickly should be ignored.
- Don’t accept friend requests from unknown people even if the user has several friends in common.
- Avoid using social media sites on public Wi-Fi hotspots. Public Wi-Fi is a common location for attackers to snoop on data using man-in-the-middle (MitM) attacks.
- User account passwords should change regularly. But users should also be encouraged to change their own private social media account passwords.
IT staff should have cybersecurity defenses in place to help users avoid being victims of an attack. Email servers can use artificial intelligence applications to catch suspicious emails with malicious links and attachments.
Suspicious messages can be quarantined and reviewed by administrators to determine if the organisation is the target of an attack. Browser isolation is also an option for organisations that let users browse the internet. This technology allows users to freely browse the internet, but confines personal web activity to a protected container that prevents downloads, uploads and form fills to keep threats out of the environment.