Social Networking, In The Eye Of The Hacker, Attacker And The Cyber Criminal
Sharing Online Content
It is easy to share a link to a website and grab your friends' and contacts' attention. But bear in mind that attackers watch such content closely, and you cannot predict how others will react to it. For example, if you share or like a website that opposes a position taken by your government, agents of that government may take an interest and single you out for further investigation or even detention. So, if you want only your contacts (and, inevitably, the administrators of the social networking platform you use) to be able to see what you share or mark as useful, check your privacy settings and make sure they are set accordingly.
Competitive Intelligence Gathering Through Company Advertising
Hackers hired by organizations can gather information about competitors through social media platforms, websites, search engines, job advertisements, social engineering of employees, press releases and annual reports.
To close the discussion, it is worth recounting real-life cases in which cybercriminals and hackers used information gleaned from social media sites to breach organizations and individuals, as described in the following accounts.
Social media platforms like LinkedIn encourage users to be comprehensive in the details they provide, since that helps with job recruitment; but the same detail lets hackers and cybercriminals approach victims under the pretext of offering employment. Such was the modus operandi of the hacker group, believed to be Lazarus APT, that infiltrated Redbanc, the ATM consortium for Chilean banks. A LinkedIn advertisement for a software developer turned out to be a front for the group. They interviewed a Redbanc employee over Skype and convinced him to open a malicious file presented as a PDF application form. The resulting breach in December 2018 went undisclosed until the following month. (Source: www.sentinelone.com)
A study by the University of British Columbia analyzed how cybercriminals might use a few personal details to build an entire network designed to harvest Personally Identifiable Information (PII) and put it to surprisingly devastating use. For the study, a team of students built a "socialbot" of 102 Facebook profiles to see how fast and how deeply the bot could penetrate a group of random Facebook users and capture sensitive information. The results of the eight-week campaign were as follows:
- The socialbot reached an extended social network of one million people, successfully friending 3,055 individuals out of 8,570 invites sent, a remarkable 35% acceptance rate.
- Once the socialbot had made some friends, it targeted those friends' friends in turn. As the bot's network grew, so did its friend-acceptance rate: the larger its pool of friends, the more trustworthy and therefore more "friendable" it appeared.
- The bot collected 250GB of personal data, including 35% of all the personally identifiable information found on friends' pages and 24% from extended friend-of-friend networks.
These findings are both astonishing and daunting. It is particularly unnerving that even if you are selective in accepting friend requests, all it takes is one of your friends to slip up (the weakest link) and all of your information could end up in the hands of cybercriminals.
If a dozen university students doing a side project can compile this much sensitive information, imagine what sophisticated cybercriminals might accomplish. And if one of the largest, most trusted social sites is this vulnerable to fake accounts and personal data-mining, malicious infiltration by fraudulent accounts can happen to any site, on any scale, to anyone. (Source: www.socialmediatoday.com)
As a remedy, the following measures are suggested to address the breach of networks and leakage of information through social media.
- Organizations and employers should restrict access to social networking sites from the organization's network (for example, via web-proxy or DNS filtering).
- Organizations and employers should consider restricting the use of personal email on corporate networks, since it is another conduit for phishing attacks that bypass the organization's email filtering.
- Educate employees to use pseudonyms on blogs, forums and social media groups.
- Employees should not reveal sensitive information in press releases, annual reports, product catalogues and similar marketing or public-information material.
- Enforce security policies that regulate the information employees may disclose to third parties.
- Educate employees about common social engineering tricks and the risks they pose.
- Individuals and organizations should regularly review and update the privacy settings on their social media accounts.
- Do not click suspicious or untrusted links in emails, social media pages, groups or forums; check where a link actually points before following it.
- Do not open suspicious mail or mail from untrusted sources.
- Do not open attachments in suspicious mail or mail from untrusted sources, even when they are presented as innocuous documents such as application forms.
- The IT security/cybersecurity department should have oversight responsibility for reviewing and scrutinizing all information the organization intends to put in the public domain, and ensure it passes a compliance check before release.
- Use strong passwords for all your accounts (email, social media, PC, etc.) and never reuse the same password across social media sites or other services.
To sum up, remember that social media platforms are not just for chatting with friends or gaming; they are also a business hub for hackers to spread malware and steal user information. Hackers are becoming ever more refined and now seek to build a seemingly healthy and trusted relationship with their prey, which helps them gather more details about a target before attacking. So be circumspect about what you share on social media, review and update your privacy settings, and never share your password with anyone on social media. Always use strong passwords on all your accounts and do not reuse the same password across social media sites and other services. Stay aware of the cyber-crimes and hacks happening in the cyber world and survive the internet wisely.
Author: John Dadzie, Member of Institute of ICT Professionals, Ghana, National Health Insurance Authority (Network Engineer)
Contact: [email protected] ; 0244503883