Newly published research from Bromium, Social Media Platforms And The Criminal Economy, has revealed a massive blind spot in the defence strategy of the average enterprise: social media-enabled attacks. With one in five enterprises infected by malware originating from social media, according to the report, and one in eight experiencing a breach following a social media-directed attack, the scale of the threat is not to be underplayed.
The report author, Dr. Michael McGuire, who is senior lecturer in criminology at the University of Surrey, states that the "sharing of malware, or the buying and selling of services, tools and data on social media platforms, is contributing to cyber-criminal opportunities."
In the UK alone, reported social media-enabled crime quadrupled between 2013 and 2018. Globally, the research finds, the criminal fraternity is earning a staggering £2.4 billion (US$ 3.35 billion) every year. This total can be trimmed down somewhat when looking only at the cost to enterprises: the £1.4 billion (US$ 1.9 billion) in illegal pharmaceutical drugs can be ignored, as can the £103 million (US$ 138 million) in dating fraud. However, that still leaves around £750 million (US$ 1 billion) accounted for by criminality in areas that do directly impact the enterprise bottom line: stolen data sales of £475 million (US$ 630 million), financial fraud totalling £220 million (US$ 290 million) and cryptomining raking in £190 million (US$ 250 million).
Richard Walters, CTO at CensorNet, isn't at all surprised by any of this. "We conducted some research last year where nearly a quarter of people admitted to using social messaging apps like WhatsApp, Telegram and even Facebook Messenger to share work documents," he explains, adding, "criminals know this and 'Wishing' (WhatsApp phishing) has grown in prevalence, and they have started to impersonate a person or company to (seemingly) legitimately ask for information."
The same approach is often used across platforms, from Facebook Messenger to Tinder, and this consumerisation of IT is truly problematic for enterprise security teams. "Often social media is overlooked by security teams, but this is creating a blind spot in enterprise defences," Ian Pratt, co-founder and president at Bromium, told SC Media, continuing, "however, enterprises are stuck between a rock and a hard place when it comes to social media." He's right, of course, as banning employees from social media platforms altogether is totally impractical; that defensive horse has long since bolted. Social media is far too important to business in terms of sales, marketing, HR and so on.
Dr Simon Wiseman, CTO at Deep Secure, agrees that social media is an inescapable channel for most organisations and that there's no silver bullet to defend against its plethora of threats. "Instead, businesses must think about how they can prevent innocuous-looking content that cyber-criminals are using on these channels to initiate and control attacks from entering their corporate network," Wiseman told SC Media UK, adding, "using content threat removal (CTR), businesses can strip out all concealed and potentially dangerous information from the content that their employees are viewing or engaging with on social media."
It's easy to suggest that any security strategy against social media-enabled cyber-crime should have 'user awareness' writ large at the top of the page. Of course, that's a given, but it's not enough on its own. Ian Pratt recommends deploying layered defences, including the use of application isolation within secure micro-VMs to ensure that even if a user clicks on an infected app, it's contained and rendered harmless.
However, perhaps the best advice comes from Yonathan Klijnsma, a threat researcher at attack surface management specialists RiskIQ, who said in conversation with SC Media UK that it's crucial that the internal security team plays an active part in monitoring for social media frauds, as well as having very strict regulations for employees. "Strict playbooks around information that can and cannot be shared, as well as requirements to obtain information or perform actions, is very important," Klijnsma insisted, concluding, "key to all of this is having a strategy in place for social media enabled threats just as an organisation would for other types of threats."
In other words, if enterprises don't want to continue being blindsided by the social media cyber-crime threat, then they must eliminate the blind spots. Sometimes, the most obvious answer is absolutely the right one...