Exploiting Trust In Social Networks

We’ve written before about social networks being used in phishing attacks, and in the FBI’s most recent e-scam warning, “Cyber Criminals Continue to Use Spear-Phishing Attacks to Compromise Computer Networks,” they reiterate that message:

“…Often, the e-mails contain accurate information about victims obtained via…data posted on social networking sites…This information adds a veneer of legitimacy to the message, increasing the chances the victims will open the e-mail and respond as directed.” Because of their growth and popularity, it has become imperative for businesses to look at social networks not just from a marketing perspective, but for security’s sake as well.

Social networks and social media are incredibly useful, whether for promoting your business and connecting with your customers, for building your professional network, for staying in touch with friends and relatives…or for just wasting some time when you’re supposed to be putting together a PowerPoint presentation…ahem. BUT, they can be incredibly useful for nefarious purposes as well, and from many different angles.

The most obvious issue with social networks, as the FBI has pointed out in the above-linked alert, is that these outlets offer a vast amount of open source intelligence. I always get a little chuckle out of my friends and family who get outraged each time Facebook/Instagram/whoever makes changes to their EULA or privacy statements…when I then look at their pages and see they haven’t even taken advantage of the settings available to them. Your Facebook profile, or your kid’s, or your spouse’s, or your mother’s probably contains a hefty chunk of your personal information facing the public. Whether it’s where you work, who you vote for, the name of your first pet or your anniversary…well, you get the hint.

As we’ve been monitoring the usual suspects, though, we’ve seen outright attacks, above and beyond passive intelligence gathering, taking place:

1) How often do you receive a message from a recruiter on LinkedIn with a link to an opportunity that’s “perfect for you based on your experience at xyzlmnop?” How often do you check out that recruiter’s creds before clicking that link that could very well be serving up a nice dollop of malware? And checking the recruiter out only really does you any good if the attacker set up a dummy account like in our other post. What about credible recruiters or other contacts whose accounts have been compromised? With the ever-present no-no of password reuse, that’s a very real possibility.

2) Even businesses that don’t utilize social media for marketing or customer service purposes need to be vigilant and to monitor routinely. How hard would it be for me to stand up a Facebook or Twitter account purporting to be representative of your business? Exactly. We’ve seen firsthand this sort of attack aimed at the customers of smaller banks and credit unions. I’d even be sure to warn you not to post any of your account information on the page, or on my Twitter feed…you should send that to me in a private message so it’s “safe.”
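One way to turn that routine monitoring into an actual check, as an added example that is not from the original post: the script below takes a constructed list of handles such as a social-listening search for a brand might return, and flags those that resemble the brand name but are not on the organization’s own list of accounts. The brand name, the sample handles, the service-word list and the similarity threshold are all assumptions for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample feed of (platform, handle) pairs, as a social-listening
# search for the brand might return them. None of these are real accounts.
SAMPLE_FEED = [
    ("twitter", "FirstStateCU"),        # the credit union's real account
    ("facebook", "FirstStateCU"),       # same name on a platform never claimed
    ("twitter", "FirstStateCU_Support"),
    ("twitter", "F1rstStateCU"),
    ("facebook", "firststate.cu.help"),
    ("twitter", "FirstStateCUAlerts"),
    ("facebook", "FirstStatesCU"),
    ("twitter", "GardenClubOfDenver"),  # unrelated, must not be flagged
]
# Suffixes impersonators add to pose as the brand's service channel (assumed list).
SERVICE_WORDS = ("support", "help", "official", "care", "alerts", "security")
# Digit/symbol substitutions commonly used to squat on a name.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(handle):
    """Fold case and Unicode, undo leet digits, drop separators."""
    h = unicodedata.normalize("NFKC", handle).casefold().translate(LEET)
    return re.sub(r"[^a-z0-9]", "", h)

def strip_service_word(name):
    for w in SERVICE_WORDS:
        if name.endswith(w) and len(name) > len(w):
            return name[:-len(w)]
    return name

def classify(handle, brand, threshold=0.85):
    """Return why a handle resembles the brand, or None if it does not."""
    b, n = normalize(brand), normalize(handle)
    if n == b:
        return "matches brand name after normalization"
    core = strip_service_word(n)
    if core == b:
        return "brand name plus service word"
    ratio = SequenceMatcher(None, core, b).ratio()
    if ratio >= threshold:
        return f"near-match to brand (similarity {ratio:.2f})"
    return None

def triage(feed, brand, verified):
    """Flag look-alike accounts that are not on the organization's own list."""
    return [(p, h, r) for p, h in feed
            if (p, h) not in verified and (r := classify(h, brand))]
```

Run against the sample feed with `triage(SAMPLE_FEED, "FirstStateCU", {("twitter", "FirstStateCU")})`, everything except the verified account and the garden club comes back with a reason, which is the list an infosec team would review for takedown requests and customer warnings.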

The FFIEC and FDIC have both recently chimed in over the last several months with guidance directing financial institutions to develop social media policy, encompassing acceptable use as well as monitoring. So far, it’s just guidance, but it’s only a matter of time before that changes to compliance requirement. I’d also expect a bigger focus on awareness training for employees and customers. The problem with that, as always, is finding quality training…which I’ll leave for another post (but you should check out my boy, Michael Santarcangelo, he’s a beast).

There are a LOT of folks out there claiming to be offering the next best thing in “Social Media Threat Intelligence.” *buzz buzz buzz* Just like with everything else, just giving you a data dump doesn’t do anything other than create more work for you. Intelligence is worth something, but let’s admit…this is all freely available OPEN SOURCE INTEL. Analysis of that intelligence is where the real value is. If you have the manpower, and your organization is already using one of the marketing platforms that aggregates social noise, get your infosec team access to it. If you don’t have the ability, consider outsourcing (insert self-serving plug here). Talk to your marketing department about splitting the cost to make it more affordable. The marketing folks get it, as evidenced by a recent post on Search Engine Journal, “Protecting Your Social Media Accounts from Phishing.” Double your pleasure, double your fun.