As cybercrime is all about monetary gain, attackers know that the more intelligence they gather about their targets, the easier it is to achieve a compromise. On the other hand, most people voluntarily share large amounts of personal information on social networks without fully appreciating the risks. In this post, we’ll find out how hackers use social media to profile targets and how you can protect yourself and your business.
Social media is all about sharing, whether it’s photos from the latest conference, overseas holiday or an important life event, or just trivia about your daily routines, the name of your pet cat, favourite soccer team or TV show; it’s all data that has value to someone. That someone may be a company that wants to sell you a new brand of cat food or an advertisement for a new season of that great TV drama, or it may be cybercriminals engaged in a spear-phishing campaign. The truth is that data from social media is a prime commodity, and that truth holds for hackers and threat actors just as much as legitimate marketeers.
Social media profiling, building a composite of a person’s identity and lifestyle from publicly available information, is just the latest trick in the cybercriminal’s armoury.
Mining social media for clues about people and their interests is a technique widely used by governments, businesses, and now threat actors. It is part and parcel of today’s reality of interconnectedness. Just as a marketing department may employ legitimate techniques to identify audiences that will be receptive to their brand message, attackers can use the same methods to identify likely targets, too.
So what kind of information can be gleaned from social media profiling? That all depends on how much you share. If you share a detailed CV or resume online, that’s gold dust to profilers. If you likewise share information about special events, names of family members, places you’re visiting and such like on social media, that can add up to quite a detailed composite picture of you, your lifestyle and your background, particularly if that data is harvested over an extended period of time.
If you’re trying to use social media to market yourself, the advice on how to do that effectively is also going to make you easy to profile. For example, using the same handle across social media platforms makes you easy to find. If you’re jane-marie-smith on Facebook and you’re @jane-marie-smith on Twitter and Skype, then it’s a good guess that your email is [email protected], [email protected] and so on.
Similarly, it’s good for personal brand marketing to include a profile picture that’s a headshot, but that picture also identifies you to bad actors, and provides them with a picture they can scrape and use to impersonate you. With AI tech that can now generate images of entire people who don’t exist, using an algorithm trained on tens of thousands of online photos, that impersonation may be more convincing than you might realise.
Marketing gurus also suggest that you share a narrative about your bio, including achievements and interests, and give advice such as this:
“if this is a business-related profile, you’ll want most everything to be public…don’t forget to interlink your profiles to each other. Many networks have places to include links to other networks, and you can and should use them whenever possible”
Making it easy for the good guys also makes it easy for the bad guys.
Social media profiling was big news last year, when it emerged that Facebook had allowed a private company, Cambridge Analytica, to harvest data such as location, birth date, page likes and public profiles from tens of millions of users without their consent. A recent TED talk by a British journalist brought to light just how that information could be used to encourage a person in a particular location to make a certain electoral choice.
For criminals looking to steal data, money, or both, the very same kind of profiling can be used to craft targeted advertisements and phishing emails that carry malware to infect the user’s machine. The techniques are identical; only the “payload” differs.
Sites like LinkedIn encourage users to be comprehensive in the details they provide as that can help in job recruitment, but that can also lead criminals to victims under the seeming pretext of offering employment. Such was the modus operandi of one hacker group, allegedly Lazarus APT, that infiltrated Redbanc, the ATM consortium for Chilean banks. A LinkedIn advertisement for a software developer turned out to be a front for the hacker group. They interviewed an employee of Redbanc over Skype and convinced him to open a malicious PDF that was supposedly an application form. The resulting breach in December 2018 went undisclosed until the following month.
It’s not just “business” sites where you have to think about what you share. What about online gaming communities? Millions of people play and chat within MMORPG game environments, and statistics suggest that only around 26% of them are teens. The rest are adults (average age: 26), employed (50%), married (36%) and have children (22%). But those percentages aren’t the point. The fact that those percentages can be gathered, though, is. How much data are you giving away to online gaming providers, and how secure is their handling of your data? When even the “big boys” like Sony get hacked, there’s every reason to believe that smaller outfits with large amounts of valuable data on millions of users are also likely to be targeted by threat actors.
There are several steps you can take to protect yourself and your business. Let’s start with the common sense ones.
First, you should be treating all unsolicited contacts with a dose of healthy scepticism. Verify claims of acquaintance from people you have not met, and consider whether details included in unsolicited correspondence are details that you’ve made publicly available. Caution is your number one defense, and conversely, a lack of it is the main reason why phishing and spear-phishing attacks are successful. That’s because despite all the attacker’s hard work, the success of a phishing or spear-phishing campaign depends on one crucial factor: the intended victim’s cooperation. Therefore, even when you have been profiled by threat actors, you are still in control.
Second, ensure your company has in place protections against malicious Office and PDF documents, such as with a modern ActiveEDR security solution, and be sure to report any suspicious phishing activity to your IT or security department.
Third, review the information you are sharing on social media. Do you really need to give away all those details on LinkedIn? Perhaps you could still make yourself attractive to potential employers without giving away quite so much detail. You can always offer further details upon request, and of course verify contacts that actually do make those requests.
Finally, learn a lesson from the developer who was duped over Skype and from these unwitting system administrators: don’t run programs provided by others. If you must open a file from an unknown source, check it with a reputable security software solution first; better still, use an automated security solution that will autonomously block and quarantine files that try to execute suspicious code.
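The second and fourth steps above call for blocking malicious Office and PDF documents and for checking files from unknown sources before opening them. As an added example, not code from the original post or from any product it mentions, here is a small Python triage script that statically flags the active-content features such lures depend on: JavaScript, auto-run actions and launch/embedded-file entries in PDFs, VBA macro projects and external relationship targets in OOXML Office files, and macro-enabled file extensions. The sample files, their names and the marker lists are constructed for this illustration. A script like this belongs at a mail gateway or help-desk queue as a first pass ahead of, not instead of, a security product that watches what the document actually does when opened.

```python
"""Heuristic static triage of e-mail attachments for active content.

Added example, not part of the original post. The marker lists are a
starting point, not an exhaustive signature set, and all sample files
below are constructed in memory for the demonstration.
"""
import io
import re
import zipfile

# PDF name objects that let a document run code or act when opened.
PDF_ACTIVE_MARKERS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                      b"/Launch", b"/EmbeddedFile", b"/RichMedia"]

# Zip entries inside an OOXML container that carry executable content.
OFFICE_ACTIVE_PARTS = ("vbaProject.bin", "oleObject", "activeX")

# Extensions that Office treats as macro-enabled by design.
MACRO_ENABLED_EXT = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")


def triage_pdf(data: bytes) -> list:
    """Return the active-content markers present in raw PDF bytes."""
    if not data.startswith(b"%PDF"):
        return ["not-a-pdf-header"]
    findings = []
    for marker in PDF_ACTIVE_MARKERS:
        # Negative lookahead so /JS does not also match names like /JSx.
        if re.search(re.escape(marker) + rb"(?![A-Za-z])", data):
            findings.append(marker.decode())
    return findings


def triage_office(data: bytes) -> list:
    """Return suspicious parts and external links inside an OOXML zip."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for name in names:
                if any(part in name for part in OFFICE_ACTIVE_PARTS):
                    findings.append(name)
            # Relationship files pointing outside the document fetch
            # remote content when the file is opened.
            for name in names:
                if name.endswith(".rels"):
                    if b'TargetMode="External"' in zf.read(name):
                        findings.append(f"{name}: external target")
    except zipfile.BadZipFile:
        return ["not-a-zip-container"]
    return findings


def triage_attachment(filename: str, data: bytes) -> dict:
    """Dispatch on extension; anything with findings is held for review."""
    name = filename.lower()
    if name.endswith(".pdf"):
        findings = triage_pdf(data)
    elif name.endswith((".docx", ".xlsx", ".pptx") + MACRO_ENABLED_EXT):
        findings = triage_office(data)
        if name.endswith(MACRO_ENABLED_EXT):
            findings.append("macro-enabled extension")
    else:
        findings = ["unhandled type: manual review"]
    return {"name": filename, "findings": findings, "hold": bool(findings)}


# ---- constructed sample files (not real malware, just the markers) ----

def _build_pdf(active: bool) -> bytes:
    body = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
    if active:
        body += b" /OpenAction << /S /JavaScript /JS (app.alert('hi')) >>"
    return body + b" >>\nendobj\n%%EOF\n"


def _build_docx(with_macro: bool, external_template: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")
        rels = "<Relationships>"
        if external_template:
            rels += ('<Relationship Id="rId1" Type="attachedTemplate" '
                     'Target="http://example.invalid/t.dotm" '
                     'TargetMode="External"/>')
        zf.writestr("word/_rels/settings.xml.rels", rels + "</Relationships>")
    return buf.getvalue()


def triage_samples() -> dict:
    """Run the triage over the constructed inbox of sample attachments."""
    samples = {
        "application_form.pdf": _build_pdf(active=True),
        "brochure.pdf": _build_pdf(active=False),
        "application_form.docm": _build_docx(True, False),
        "offer_letter.docx": _build_docx(False, True),
        "cv.docx": _build_docx(False, False),
    }
    return {n: triage_attachment(n, d) for n, d in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:24} hold={verdict['hold']!s:5} {verdict['findings']}")
```

The script never opens the document with a reader, so it cannot be tricked by what the file does at runtime, but for the same reason it only sees features that are literally present in the bytes; obfuscated or compressed streams would need a proper parser, and the "hold" verdict is a queue for a human or a sandbox, not a final decision.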
Sharing on social media has the great advantage of helping us to connect with others, whether it’s for business or personal reasons, with all the benefits that that can bring: new friends, new jobs, new experiences. Unfortunately, there’s always the possibility of bad actors lurking who will use that information for their own gain.
It’s important to remember that prior to the advent of the modern wired world, we were all reasonably careful about our personal information. We didn’t go around sharing details like our birth dates, jobs, and favourite animals with just anyone, and certainly not with just about everyone, as we do now via the internet. That was because prior to the advent of the connected world, we all implicitly understood the boundary between what was personal and what was public. Social media has broken that boundary down, but therein lies the danger. When it comes to cybersecurity, boundaries – and caution – are essential elements of defense.