Phishing just got personal – avoiding the social media trap
18th Feb 2014 | 10:00
Phishing is the hacker's new weapon of choice
200 million LinkedIn users. 288 million Tweeters. 1 billion Facebookers. Social media is everywhere and with its rise, the IT landscape has drastically changed – and so has the nature of the cyber threat.
Certain attacks have always been successful – historically, figures like Kevin Mitnick have identified ways of penetrating the organisations they are after.
While statistically, the number of hacks is reducing, the impact has become much more severe and the tools more sophisticated than ever.
A weapon of choice for hackers in this evolving threat landscape has long been the phishing attack.
With public awareness of the scams rising, cyber criminals have moved from trying to dupe unsuspecting users into submitting their personal details directly via generic emails to much more targeted attacks.
One of the most complex and convincing types of attack is 'spear phishing'. This type of attack works by generating a dossier on the individual, with the intention of compromising their specific IT equipment or account – and this is where social media becomes a great tool for phishing scammers.
Snippets of information we upload may not appear to contain much information. However by collecting and assembling information across different networks, cyber criminals can create a bigger picture.
By trawling the internet, cyber criminals can piece together information including date of birth, current responsibilities, previous jobs, education, phone numbers, personal information, likes and dislikes as well as personal and professional connections.
Using this information, the hackers fool the victim into believing the email is from a source they would expect or hope to receive messages from.
Once the victim clicks on the link or attachment in the email, malware is downloaded and deployed on their computer, potentially infecting and compromising the entire corporate network.
To prevent hackers from gaining access to corporate networks and information, it is crucial that businesses educate their employees about the scale of the threat posed by the information they post online and deploy the necessary defences against such threats. They must also ensure that their security posture is as mature as their threats require it to be.
While there is no doubt that social media sites such as LinkedIn are great resources to promote yourself and to network with like-minded professionals, it's sadly not just prospective employers gathering these details.
If a cyber criminal identifies you as having elevated security privileges or expertise in an area, they are specifically looking to gain information about these details, which can be enough to make you a target. If your profile shows these kind of specialisms, it is probably best to avoid mentioning the names of colleagues.
Be careful who you add to your network as this allows hackers to easily identify your connections if they are targeting you personally.
Equally, to prevent your identity from being stolen it is crucial to limit the amount of personal details you share. You might even consider hiding your real name – if new contacts in your network genuinely need to get in touch with you, you can simply introduce yourself via a private email.
It's not just professional accounts that are being targeted with ever more sophisticated attacks. Many phishing scammers can now create fake Facebook 'Like' buttons on websites. A pop up then appears and you are asked to login via Facebook.
But it is not Facebook – it's a site held by the phishers who now have all the information they need to log into your actual Facebook account. To avoid this, only login to your Facebook directly to 'Like' an article.
If phishers do succeed in hacking into your social media accounts they can use them as a platform to send links containing malicious software to your contacts.
Worse still, as they have access to your previous messages and conversations, they can include personal information and even your own wording to make their scamming emails appear more genuine.
To avoid this, ensure that you regularly update your passwords and contact people privately via email, text or instant messaging services to minimise the risk of your network receiving malicious links.
As a rule once you publish any information on the internet it will likely stay there, even if you remove it from a particular site or network.
Even if websites have privacy restrictions it is possible for aggregation sites which gather data from multiple sites to capture this information. And the more information about you is out there, the more likely it is that someone will connect the dots and take advantage of your online presence.
The lesson is clear: be mindful about what information you publish on social media sites. It sounds obvious, but employees are still not doing enough to limit their online profiling.
The chance to promote yourself online is great, but this shouldn't be at the risk of your personal identity being stolen, or even your colleagues finding themselves at the receiving end of a phishing scam. Social media is the ultimate weapon for phishing hackers. The cyber threat is real – and now it's personal.
- Jason Kalwa is a cyber security consultant at Thales UK.