The use of social media like Twitter, Facebook, Instagram, Tumblr, Google Plus, LinkedIn and others has been steadily growing. It is used not only by individuals connecting with their “tweeps,” but also by businesses connecting with their customers, and even by politicians with their constituents. Social media platforms have become a forum for sharing all manner of expression on all subjects.
Businesses need to take special care in their security training regarding all social media; however, Twitter and LinkedIn are particularly fertile sources of information for hackers preparing for a social engineering attack. Both of these social media platforms have high adoption rates in a business setting.
By gathering benign information about a company and “name dropping” in a DM (direct message) conversation, attackers may build a level of trust with insiders and thereby gain secrets. Employees post seemingly innocuous information on Twitter that may be readily gathered and assembled by an adversary. For example, photos of office space and co-workers, descriptions of work (“My jerk of a boss makes me fill in his TPS report every Friday #ihateexcel”), and names of customers or clients all reveal enough information to mount an attack or to recruit unwitting accomplices.
This technique is often used in operational penetration testing. It goes something like this:
An employee receives a call from a person claiming to be a new hire from a different office, who says that their boss is yelling at them to produce the weekly TPS report. The caller claims to be having trouble with the macros. Finally, the caller asks if the employee could please forward a copy so they could copy the formulas… The employee, feeling sorry for the person on the other end of the phone, sends the file, and the caller’s mission has been successful.
Businesses should implement policies that are well-“socialized” around the office with the following components:
Twitter and LinkedIn are great tools for business, which, if used properly by well-informed employees, won’t be a gateway for hackers. Don’t let hackers exploit you via social media. Download the “Keep Them Puzzled” poster now.