The scourge of social engineering
Social media platforms are a social engineering resource for hackers. Andrew Tang, service director, security, MTI Technology outlines the problem and what is required to guard against it
Andrew Tang, service director, security, MTI Technology
Today, social media platforms are no longer just a forum for online chat but an important every day work and communication tool. Facebook alone has more than a billion users, while social media business platform LinkedIn has more than 400 million users.
Going after the big guns
A well-publicised incident was a three-year social engineering campaign carried out by Iranians. It targeted US military officials, diplomatic and congressional staff, and defence contractors in the country and abroad.
The Iranian spies used Facebook, LinkedIn, Twitter and Google+ to carry out a sophisticated attack. They developed fake social media personas and posed as recruiters from major international companies including Northrop Grumman and General Motors. The targets were largely in telecom, government and defence industries.
When a connection was established emails were sent to victims with malware hidden in links and attachments. The aim was to get the target to download malware into their computers which would give the hackers access to highly sensitive information. The striking thing about this social engineering-based attack was its scope and sophistication. It's certainly not an isolated event; for some cyber-criminals it's a career path.
You don't need state resources or an encyclopaedic knowledge of psychology and social media surfing habits. You don't even need to be well-versed in the dark arts of black hat coding. All you need is a bit of patience to trawl the web and the knowledge that too many people put far too much information online than is necessary.
It doesn't take much to create a complete profile including place of work, employment history, address, age, family, likes, dislikes, bank, shopping, recent purchases, family members, their locations and so on.
All information to create a complete profile can be gleaned within a few hours. There are even open source tools designed to help trawl social media platforms and scoop up as much information about any one individual as possible.
This information can be used for targeted phishing attacks at a place of work or brute force password attacks on a company's network. Personal information is gathered on the ‘target' from social media and a phishing email is sent to their place of work.
A phishing email is usually mocked up to look as though it's from an organisation the target has recently dealt with. For instance, the victim may have posted something about his or her brand new iPhone, so the hacker creates an email that purportedly comes from Apple with a message about the phone. A link in the email is clicked by the ‘target' and malware is downloaded into the retailer's system. This provides the means for a hacker to steal the contents of a customer database.
This data is put up for sale on a deep net website that trades in credit card and identity information. The hacker is set to make hundreds of thousands of pounds for a task that in all likelihood took a few days to carry out.
A need to click
Organisations today are, by and large, aware of cyber-threats that come from malware such as trojans, viruses and to some extent, ransomware. However, many haven't yet fully grasped the implications of social engineering with people freely giving away information and casually downloading files from the Internet. As a result, education and awareness programmes for employees can make a significant difference.
At the very least, education programmes will hammer home the point that there are cyber-criminals circling corporate firewalls who are only too keen to get into the network.
Education will make employees aware of sophisticated phishing techniques and how sharing too much of their personal information on a social media platform could well provide the starting point for a crippling network attack.
This can also make personal practice tighter so they don't post workplace information or inadvertently reveal pathways to corporate crown jewels.