Cybercriminals are turning to Facebook, Twitter and other platforms to launch attacks via employee behavior that could be putting your business at risk.
Social media is a popular gateway for hackers to access corporate networks, and employee behavior is driving the trend.
Most people don’t recognize the inherent danger of social media, says Evan Blair, cofounder at ZeroFOX. They trust platforms like Facebook because they use these tools to establish connections with people, not usernames or email addresses.
People rarely approach social media with the same caution they employ for suspicious emails or shady websites. This behavior leaves plenty of opportunities for cybercriminals to take advantage of their trust and launch successful attacks.
“Exploitation of trust is always something we’ve seen, but on a device level,” says Blair. “Now we’re seeing it at a human level, which is almost a greater risk because humans are the weakest link in the cyber kill chain.”
The risk is poised to grow, says Marc Laliberte, information security threat analyst at WatchGuard Technologies. Attacks uncommon in early 2016, like malware delivery via Facebook, are a growing threat one year later. Social media threats will evolve from the “carpet bomb” era of attacks we’re currently in, to more sophisticated and convincing attacks.
There are several ways employees’ social media habits are putting your organization at risk. Here, experts discuss which behaviors are most common, the dangers they pose, and what you should do about them.
Oversharing sensitive information
Most people don’t think twice about the personal information they make publicly available. Social media accounts are “a treasure trove” of birthdates, education histories, and family relations. All of this data is commonly used in security checks for password recovery forms, says Laliberte.
“An attacker trying to gain access to your corporate email account could easily guess the password recovery questions,” he explains, citing “Who was your best friend growing up?” and “What city were you born in?” as common examples. Both answers could be found in public profiles on Facebook or LinkedIn.
Blair explains how both executives and privileged users, who have access to sensitive information on clients and partners, are at high risk of being targeted. Administrators are also key targets because they manage executive accounts and could be hackers’ gateways into an organization. While these privileged users are often the most security savvy, he says, they are also at greatest risk.
Oversharing may also lead to physical security risks, a concern especially relevant to high-ranking company officials, says Blair. Threat actors can easily determine someone’s location from a Facebook post or tweet.
“If you’re the executive of a big company, that’s opening yourself up to an incredible amount of risk,” he cautions.
Clicking every link
Open engagement is a dangerous risk on social platforms, says Blair, citing the broader issue of user trust. On social media, people are likely to click on links they would typically avoid in an email.
“There is no culture of awareness around social media security,” he notes. Blair illustrates this risk with the example of how fraudulent news articles spread on social platforms. Users who don’t read these articles and simply click “share” automatically send unverified links, affecting millions of people. This lack of healthy skepticism is driving the rapid spread of malware and ransomware, he continues.
“If your friend creates a social media post saying, ‘hey, check out this website,’ you are more likely to visit it than you would be if some unsolicited email told you to,” says Laliberte. For example, users may get a notification stating a friend has tagged them in a comment. When they click the notification, their PC downloads malware.
More cybercriminals are using social platforms like Facebook to distribute malware via phishing campaigns, and hijack accounts to distribute ransomware and malicious browser extensions. If an attacker can gain access to a user’s account, they can use it to spread their campaign through the person’s friend list.
Controversial posts
Some people like to frequent forums and social networks to post and comment about controversial topics. Their behavior, regardless of their political views, could make them hacker targets, says Laliberte.
“Hacktivist entities like Anonymous are known for specifically targeting individuals and organizations with conflicting social and political views,” he explains.
Employees who draw attention to themselves by posting controversial opinions on public forums could risk provoking cybercriminals with personal agendas. If someone tweets from their organization’s IP address or posts controversial opinions from a corporate account, they risk making their employer a target.
Blair echoes the importance of watching what you post online. “Nothing is ever private, and everything lasts forever on social media,” he cautions.
Misusing enterprise social tools
The rise of internal collaboration platforms like Slack, Hipchat, and Google Hangouts has put an interesting spin on social media risk for businesses, says Blair. This new wave of business-friendly social media carries all the same risks as Facebook or Twitter; it’s still unmonitored, but it’s sanctioned by the enterprise.
Most average employees don’t put themselves at risk for a physical attack by sharing information, he explains. The greatest risk for them is unintentionally sharing information that is damaging to the business.
This risk follows employees into business-focused social collaboration platforms, where they want to be open and share information. On Slack, for example, users may add third parties to groups because they are working on projects and want partners to engage. It becomes a problem when outsiders are in a business group and have access to sensitive data.
These employees are also at great risk of saying something in jest and exposing their organization to liability, says Blair.
“People won’t write certain things in an email, but they will post them on Slack, Hipchat, or Hangouts,” he explains. “That can be used as evidence against company employees.”
Reusing passwords
If you don’t use a unique password for each social media account, a compromise of one could prove dangerous for all of them. Cybercriminals frequently target social media because the accounts contain sensitive information, and because people typically reuse their social media passwords for more sensitive services such as online banking.
Laliberte cites the example of LinkedIn’s 2016 data breach, which put more than 100 million account credentials at risk. From these, attackers took the credentials of a Dropbox employee and were able to leak 60 million more credentials because the employee had reused the same password across both accounts.
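The practical control behind this section is to refuse any password that already appears in a public breach dump, without ever shipping the user’s password or its full hash to a third party. The following is an added example, not code from the article or from either vendor quoted in it. It models the lookup on the k-anonymity “range query” shape used by breach-hash services (the client sends only the first five hex characters of a SHA-1 and matches the rest locally); that shape is an assumption for illustration, and the leaked password list, the index and the simulated server are all constructed inline so the whole thing runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked credential dump. These plaintexts are
# made up for this example; a real corpus would be the hash list published
# by a breach aggregator, never plaintexts.
LEAKED_PASSWORDS = [
    "password", "linkedin2016", "Summer2017!", "qwerty", "letmein",
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the digest form breach lists use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Group leaked hashes by their first five hex characters.

    Each bucket maps hash suffix -> times seen, mirroring the
    'SUFFIX:COUNT' lines a range query returns (assumed format).
    """
    index = defaultdict(lambda: defaultdict(int))
    for pw in plaintexts:
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] += 1
    return index


def range_query(index, prefix: str) -> str:
    """Simulated server side: given ONLY a 5-character prefix, return the
    whole bucket as newline-separated 'SUFFIX:COUNT' lines.

    Nothing goes over the network here; in a real service each bucket holds
    hundreds of hashes, so the server cannot tell which one the client wants.
    """
    bucket = index.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def breach_count(password: str, index) -> int:
    """Client side: hash locally, send the prefix, match the suffix at home."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(index, prefix).splitlines():
        if not line:
            continue
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_new_password(password: str, index) -> bool:
    """Policy hook for a password-change form: True means the password is
    acceptable, False means it is already in the breach corpus."""
    return breach_count(password, index) == 0


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for candidate in ["password", "Summer2017!", "correct horse battery staple"]:
        print(f"{candidate!r}: seen {breach_count(candidate, idx)} time(s), "
              f"accept={check_new_password(candidate, idx)}")
```

Wire `check_new_password` into the password-change path and the reused LinkedIn credential in the story above would have been rejected at Dropbox the moment the LinkedIn dump became public; the same hook works for periodic re-checks of existing accounts as new dumps appear.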
Not having an account at all
The potential cost of cyberattacks via social media may seem to outweigh its benefits. Why bother using Facebook, Twitter, or Instagram when the risk is so great?
Not owning an account, or neglecting to claim your company’s official name on social media, could prove a risk as well. This puts you at risk for brandjacking, a type of attack in which an attacker creates a social account or blog designed to mimic a specific business. From there, they can share information that conflicts with the business’ values. They may also claim a username matching a company’s brand and post fake information under the guise of an official source.
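Brandjacking is easier to catch than it sounds, because most impostor handles are the real one with a separator, a digit-for-letter swap, a confusable character, or an appended word. Below is an added example, not from the article or ZeroFOX, of the kind of lookalike-handle check a brand-monitoring job would run over handles harvested from a platform. The official handles, the observed handles and the confusable-character table are all constructed for the example; the thresholds (one edit away, or the brand embedded in a longer handle) are choices for illustration, not a standard.

```python
import unicodedata

# Constructed inputs: the brand's real accounts and a batch of handles
# observed on a platform (all made up for this example).
OFFICIAL_HANDLES = {"acmebank", "acmebank_help"}
OBSERVED_HANDLES = [
    "acmebank",            # the real account
    "acmebank_help",       # official support account
    "acmebank.official",   # brand plus an appended word
    "acrnebank",           # 'rn' reads as 'm'
    "acme_bank",           # separator inserted
    "acmebanksupport",     # brand plus an appended word
    "acmeb4nk",            # digit 4 reads as 'a'
    "acmeb\u0430nk",       # Cyrillic 'а' (U+0430) in place of Latin 'a'
    "acmebank.help",       # mimics the support account
    "weatherdaily",        # unrelated
]

# Single characters that read as a Latin letter at a glance (illustrative list).
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic r
    "\u0441": "c",  # Cyrillic s
}
# Letter pairs that read as one letter in most fonts.
MULTI_CHAR_CONFUSABLES = {"rn": "m", "vv": "w"}


def normalize(handle: str) -> str:
    """Collapse a handle to the Latin letters a human would perceive."""
    s = unicodedata.normalize("NFKC", handle).lower()
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)
    s = "".join(ch for ch in s if ch.isalnum())       # drop ., _, - and the like
    for seq, repl in MULTI_CHAR_CONFUSABLES.items():
        s = s.replace(seq, repl)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(handle: str, official=OFFICIAL_HANDLES, max_distance=1):
    """Return (verdict, matched_official_handle) for one observed handle."""
    if handle in official:
        return "official", handle
    norm = normalize(handle)
    normalized_official = {real: normalize(real) for real in sorted(official)}
    # Identical after normalization, or within one edit: a lookalike.
    for real, real_norm in normalized_official.items():
        if edit_distance(norm, real_norm) <= max_distance:
            return "lookalike", real
    # The brand embedded in a longer handle ("acmebank.official"): weaker
    # evidence, so report it separately for a human to review.
    for real, real_norm in normalized_official.items():
        if real_norm in norm:
            return "brand-suffixed", real
    return "unrelated", None


def scan(handles, official=OFFICIAL_HANDLES):
    """Classify every observed handle against the official set."""
    return {h: classify(h, official) for h in handles}


if __name__ == "__main__":
    for handle, (verdict, matched) in scan(OBSERVED_HANDLES).items():
        print(f"{handle!r:24} {verdict:15} {matched or ''}")
```

Run this against the handles a platform search returns for the brand name and triage everything that is not "official" or "unrelated"; the "lookalike" bucket is where a profile built to pose as the company, as described above, will usually land.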
Sharing best practices
Social media security is a tricky problem for security managers to navigate because it’s impossible to keep track of every user’s social activity. However, much of the risk can be alleviated if employees follow basic cybersecurity practices: using a unique password for every account to limit exposure in a data breach, and being wary of links posted by friends.
Businesses can start forming their social media security strategy by gaining some visibility into their organization’s social media footprint, guided by what matters to them: what do they care about, what do they hope to protect, and how will they structure a program to manage the risk?
This sets the stage for organizations to engage employees by creating awareness and training on what these risks are, and the privacy challenges on social media networks.
Laliberte notes some businesses restrict social media access to experts who require it for their jobs and are properly trained in recognizing common cyber attacks. Most companies have dedicated social media employees to maintain their public online presence, and they should be trained to spot potential problems.
— As written by Kelly Sheridan on Dark Reading