Surveying participants at the annual RSA security conference in San Francisco earlier this year, one vendor put some numbers to the social media security risk. The “Employee Social Network Password Practices a Major Workplace Risk” report found that 50% of those questioned hadn't changed social network passwords for at least a year, and 20% had never changed them. But the most shocking thing is that the survey was of security professionals; if they are that slack with social media security issues, just imagine what your average user is like.
Unfortunately, all too often, users of social media put too much emphasis on the 'social' bit and don't even consider the risk that social networking brings to a business. Across the big four networks—Facebook®, Twitter®, LinkedIn® and Instagram®—security vendor Proofpoint reports a 150% rise in social engineering last year alone. The truth is that social media 'brand fraud' is rife, with scammers defrauding those who think they are dealing with a genuine business.
This kind of phishing expedition is remarkably easy to pull off in the relaxed environment of the social network, where normal security skepticism seems to get put on hold. Typically, a fraudster will establish a likely sounding, but fake, customer support account for a well-known brand. By monitoring the real support accounts online, usually in the evening or at weekends when genuine support is likely to be much slower to respond, the fraudsters can then reach out to customers using the fake accounts. At which point, user credentials can be obtained in the name of, ironically, security safeguards. Not only are individuals put at risk, but so are the businesses behind the brands as reputational damage can be hard to contain once word starts spreading.
Human error is always an easy out when playing the blame game, but blame culture is to be avoided at all costs. Instead, educate users not to trust everyone within their social circle online and not to take messages and links at face value. The best way to do this is through example: relate how ransomware such as Locky encrypted files by embedding the malware code in image files on social networks. Using compromised accounts to leverage the trust factor of 'Facebook friends' the threat actors were able to post these images, and when a user clicked on them it would download and install Locky in the background.
Not all threats require an account to be compromised though, some targeted 'spear phishing' attacks will look to see who someone in a particular business communicates with socially online. They will then send friend requests to all those people, before eventually sending one to the real target. Because the threat actor appears to be a 'friend of a friend' to even one or two people already in the social circle of the victim, they are more likely to accept the request. Then the social engineering can really start, usually in order to reveal credentials to enable them to breach the business network.
Likejacking has hit plague proportions on Facebook (along with Instagram), although user interface redressing or IFRAME overlaying is a more accurate description. This involves malicious code hiding under what appears to be a legitimate 'like' button. It's also known as clickjacking where other content is used to obfuscate the intention. One click can initiate a malware download, or magic the user off to a site that exists purely for credential scraping purposes.
All of the above pretty much applies to Twitter as well, although it does have a more unique twist on some security issues. So while Twitter does suffer from the link-clicking curse, more often this will take the form of a shortened URL taking the clicker to a dangerous site. This makes perfect sense given the character count limitations of Twitter. Twitter has responded to this by shortening all links using a proprietary 't.co' service and displaying a warning if a link is going to a known or potentially dangerous site. However, it's still possible that URL redirection can be used to jump from a 'safe' landing point to an unsafe one.
You may think that the business-oriented networks wouldn't suffer from security threats. But LinkedIn certainly does, not least as it's a depository for valuable business information that can then be used to launch targeted social engineering attacks. Users should be very careful about accepting LinkedIn contact requests from people they do not know or where the business link is tenuous at best. Indeed, some LinkedIn invitation reminder messages have been known to be employed as URL redirectors to malware loading pages.
Organizations need to be on the ball by actively tracking their brand across social networks. If they find fake accounts, they can be reported and quickly taken down and the threat aborted. Official accounts can be used to give warnings to customers as to how to spot the fakes, and so bolster a reputation for taking security seriously.
Limiting publishing rights for users of your social media channels also makes good sense. It should be thought of no differently to admin credentials for your business network; you wouldn't give that sort of privileged access to every member of staff, and neither should you allow just any staff member to post messages to your social networks.
But perhaps the best advice I can give regarding a robust defense against the social media security threat is to engage in a regular process of connection curating. The more 'friends' you have, the bigger your exposure to risk. Do this as part of a broader social media policy, and you should have most of the risk mitigation bases covered.
Davey has been writing about IT security for more than two decades, and is a three-time winner of the BT Information Security Journalist of the Year title. An ex-hacker turned security consultant and journalist, Davey was given the prestigious 'Enigma' award for his 'lifetime contribution' to information security journalism in 2011. You can follow Davey on Twitter at @happygeek
© 2017 SolarWinds MSP UK Ltd. All Rights Reserved.
Get the latest MSP tips, tricks, and ideas sent to your inbox each week.