One uncomfortable reality of the social media era is that the information we share so freely online is a treasure trove for cybercriminals, who use it to make their attacks more believable, and therefore more successful.
That means the roughly 3 billion active social media users are potentially feeding criminals the very information they can, and do, use to build increasingly effective campaigns against them.
Using nothing more than publicly available information, criminals are having great success with data-fueled social engineering and the phishing attacks that follow from it.
Social media data can be exploited in many ways, but the attack method we want to shed more light on here is the business-related phishing message that appears to come from a known contact.
When these phishing messages are built from real data gleaned from social media, they are highly targeted, and because they are so targeted they are harder to detect and more likely to fool the recipient.
How Social Media Profiles Are Being Used to Build Phishing Campaigns
The bottom line is that the social media presence of both individuals and companies is a rich source of intelligence, for those with and without malicious intent.
Social media platforms are built around the idea that the more you share and the more engaged you are, the more you get out of the network. That foundation has many implications we won't delve into here, but the one that matters for this topic is that because the business model encourages sharing, the privacy settings on most of these platforms are not stringent by default.
That seems to be changing with the recent focus on data privacy, but the fact remains that many users pay little attention to their privacy settings and leave them at the weaker defaults.
As a result, criminals can gather all sorts of useful information simply by reading posts and researching users. They can map out a company's org chart from employee profiles and learn which topics are most likely to resonate with a given individual.
To be fair, what modern cyber-criminals are doing is not unlike what marketers and business development professionals are taught: the more you personalize your message, the greater the chance the prospect will open it, read it and act on it.
The difference, of course, is that the worst-case outcome from one group is some unwanted phone calls or emails, whereas the worst case from a click on a malicious link can be very bad indeed: lost data, expensive downtime and even damage to your brand.
Social Media Recon in Action
So how does this get put into practical application?
By gathering information from public profiles and brand pages, attackers can learn a great deal about you and construct sophisticated, believable phishing emails.
User profiles contain details such as birthdate, place of work, relationship status, family connections, schools attended, interests and hobbies. An attacker can use these to build a profile of you and, from it, recover the answers to account security questions such as your mother's maiden name, your favorite pet, your high school mascot or your children's dates of birth.
Not long ago an online quiz circulated that asked about concerts you had been to. Shortly afterward a warning went around that this "fun" game potentially had a malicious goal: tricking users into revealing the answer to a commonly used security question. At the very least it posed an unnecessary risk and was best avoided. That is just one example of many.
And if you think it is nonsense that a criminal would take the time to research individual people, keep in mind that trading and selling private information is an entire black-market industry these days. There are people who make a living harvesting this kind of personally identifiable information (PII), and there are plenty of tools that automate the task.
All they need is one click on a bad link in an email, and the more targeted the campaign, the greater the chance the victim will oblige. So they will use every bit of data available to them, and thanks to social media there is no shortage of it.
Business Email Compromise Scam
One specific variant of this is known as a Business Email Compromise (BEC) scam.
A major factor in this particular social engineering scam is the power structure of an organization: people are generally conditioned to defer to higher authority. When a request appears to come from the CEO, COO, CFO or another business leader, the recipient is unlikely to question it.
When that request is for an immediate wire transfer, as it often is in BEC scams, and the recipient complies, the money is usually gone for good.
This is relevant to the mining of social media sites because, as mentioned above, it is not that difficult to map out a company's leadership team and then identify the employees known to handle the money. By compromising or spoofing a business leader's email and sending the request that way, the attacker gains a great advantage, because people are much more likely to open and act on an email that appears to come from someone within their own organization.
And when the email appears to come from their boss, or someone higher still, the likelihood that it will be questioned only decreases.
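The screening logic below is an added example for this article, not code from the article's author or any vendor. It shows how a mail gateway or SOC script can flag the executive-impersonation pattern described above by checking for two common spoofing techniques (an executive's display name on an outside address, and a look-alike sender domain) together with a Reply-To that points elsewhere and the pressure language typical of a wire-transfer request. The organisation domain example.com, the executive names and the three sample messages are all assumptions constructed for illustration.

```python
"""Heuristic screen for executive-impersonation (BEC) email.

Added example for this article; all domains, names and messages below
are constructed assumptions, not real data.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
# assumed: leadership names an attacker could lift from public profiles
EXECUTIVES = {"jane doe": "CEO", "sam roe": "CFO"}
URGENCY_TERMS = ("wire", "transfer", "urgent", "immediately", "confidential")


def levenshtein(a, b):
    """Edit distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen(raw):
    """Score one RFC 5322 message string; returns score, verdict and findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply)
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    findings, score = [], 0

    # 1. An executive's display name on an address outside the organisation
    role = EXECUTIVES.get(name.strip().lower())
    if role and from_dom != ORG_DOMAIN:
        findings.append(f"display name of the {role} but sender domain is {from_dom}")
        score += 3
    # 2. Sender domain a character or two away from the real one
    dist = levenshtein(from_dom, ORG_DOMAIN)
    if 0 < dist <= 2:
        findings.append(f"{from_dom} is a look-alike of {ORG_DOMAIN} (edit distance {dist})")
        score += 3
    # 3. Replies silently routed to a different mailbox than the visible sender
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
        score += 2
    # 4. Pressure language typical of a wire-transfer request
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
        score += len(hits)

    verdict = "quarantine" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 budget

Please send me the Q3 numbers when you have a moment.
"""

FREEMAIL_SPOOF = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: jane.doe.ceo@gmail.com
To: ap@example.com
Subject: Urgent

I'm in a meeting and can't talk. Need a wire transfer done immediately, keep this confidential.
"""

LOOKALIKE_SPOOF = """From: Sam Roe <sam.roe@examp1e.com>
Reply-To: s.roe@protonmail.com
To: ap@example.com
Subject: Vendor payment

Please process the attached invoice by wire transfer today.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("freemail", FREEMAIL_SPOOF),
                          ("lookalike", LOOKALIKE_SPOOF)):
        result = screen(sample)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for finding in result["findings"]:
            print("  -", finding)
```

The legitimate message scores zero, the free-mail impersonation is caught by the display-name check plus the pressure language, and the look-alike domain trips every check at once. The scoring weights are arbitrary; in production the same signals feed a gateway rule alongside SPF, DKIM and DMARC results, and a positive hit should route the wire request to an out-of-band verification step (a phone call to a known number) rather than simply to a spam folder.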
The FBI issues continuous warnings about BEC scams, and just recently announced the takedown of a large international network.
The More You Share…
We aren't advocating a social media blackout; however, it is important to acknowledge the risks and do an honest evaluation of whether you might be putting yourself at risk. That goes for businesses and individuals alike.
There is no going back from the connected world we live in, but every end user should clearly understand both the threats and the vulnerabilities, and how to protect personal and business data. Because the reality is that social media sites are a perfect gateway into your network through social engineering, malware and phishing attacks.