Social media seems harmless enough especially when your employees stick to using it for personal reasons, but it can indirectly be responsible for critical security breaches. With some social engineering and patience, an attacker can use personal social media profile information to gain access to your corporate network. The attack is completely outside of your control and uses a combination of social engineering and phishing techniques.
Gaining Access to Employee Information
Let’s start the attack from the beginning. Let’s assume that your company employs 50 people. Most of these people (as you can guess) use Facebook as their main social platform. We’ll stick to just one platform for simplicity, but many employees have multiple different platform accounts.
The attacker’s first step is to perform a little reconnaissance and read through your website to gather some names of active employees. The attacker could also check to see if the company has a Facebook page. Most companies ask their employees to “Like” their Facebook page. This gives the attacker an additional list of employees. He might not get all 50, but he can identify at least a dozen or so employees and their Facebook accounts.
In addition to obtaining at least a handful of employee Facebook names, many of these employees also have a public friends list. This means that the attacker can see a list of friends associated with your employees’ accounts. This can be used to discover other employee accounts, but your employees’ friends list is also a part of the attack.
Next, the attacker sends friend requests to several people including employees and their friends and families. In some cases, the attacker will just friend the friends of your employees. Many people add contacts to their Facebook accounts without asking questions, and the attacker just needs to find a couple of these targets. The goal is to be added to as many contact lists as possible because Facebook will then recommend the attacker in the “People You May Know” section of their accounts.
After the attacker adds some friends of your employees, he can now send friend requests to your employees. Many people see that the friend request is associated with other friends and accept the request. At this point, the attacker is now on your employees’ Facebook accounts where he can gain access to a wealth of personal information.
Just some highlights of what the attacker can get from a Facebook account:
- Maiden names
- Date of birth
- Where the employee was born
- Where they went to college
- Sibling names
- Pet names
- Kids’ birthdays
Taking the Attack to the Next Level
At this point, the attacker has several options. He can take this information and use it to either directly attempt a brute force password attack on the user’s account (not common), or he can use better, more subtle ways to gain access to the network. This is where the attacker turns to phishing.
In some cases, the attacker wants the account of a specific employee with higher level credentials. This type of attack is called spear phishing. The attacker can identify these employees either through social media or on your site.
One of the more common ways the attacker can gain access to the network is to then use the personal information to create an articulately composed phishing email. This email could look like an official request for the employee’s username and password or could also have a malicious attachment that drops malware on the local computer. The attacker could even bypass the computer and just call the employee in an attempt to obtain the user’s password verbally.
If the phishing attack is successful, then the attacker now has the employee’s username and password. With credentials in hand, a variety of malicious activities are possible: remote control the employee’s local computer, use the information to steal data from the network, or send emails to higher level executives for access to critical documents.
Social Media and Phishing Costs Millions in Damages
Since the attacker uses an official employee’s credentials, the breach can continue for months. By the time the organization figures out that there is a breach, there could be millions of dollars in damages.
Hackers don’t just target private companies either. They target government entities and critical infrastructure like energy and utility organizations. Last year, a Ukraine power plant fell victim to a targeted attack in which the attacker was able to access an employee’s credentials and take control of the local machine. The result was power loss for thousands of Ukraine residents as the attacker took critical systems offline.
In the US, a hospital was forced to pay $17,000 in bitcoins to attackers that placed ransomware on the network using malicious attachments in email.
These two attacks have one thing in common: the attackers were able to obtain email information for targeted employees that had access to critical systems that could then be used for malicious purposes. The Ukrainian hacker inconvenienced thousands of people, and the hospital attacker was able to extort money from the victim.
Regardless of the attacker’s intent, the result is high-value damage to the organization as they are forced to clean up after the breach. There is also damage in brand reputation as the story unfolds in the media, and all of this can start from employee exploitation through personal social media accounts.
What Can You Do?
Since the attack starts with social media, the organization is limited with what it can do to stop the attacks. The best advice is to educate users on the dangers of social media and phishing emails. You can install software on your email servers that check attachments for malicious content. And some email administrators simply block all executable attachments.
Macros are disabled by default on current Microsoft Office software, but users should be educated in the ways macro viruses work and how disabling macros can help users avoid falling victim to this type of malware.
Monitoring systems can also be put in place to detect suspicious behavior on files across the network. These systems alert the administrator when file access from internal or external users is unusual.
Social media is a part of online marketing for most businesses, so it has many advantages in the marketing world, but it’s a huge security concern for network protection. The best defense is a great offense. Be sure to beef up your security awareness training so that security is top-of-mind for all employees. Consider spear phishing your employees and employing social engineering tests to continually measure how vulnerable your organization is to these types of attacks.