Social Media is a Buffet for Hackers

Is your organization’s network on the menu?

The Internet connected us. Social media gave us a way to organize and interact with all those connections. Then COVID put the need for and frequency of those connections on steroids for many people, and it hasn't let up since: there are now over 5 billion active users worldwide. The pandemic also blurred the line between work and leisure, remote workers are still plentiful, and that reliance on social media isn't going anywhere anytime soon. This leads us to the cybersecurity dilemma businesses everywhere face on a daily basis: the core of social media is built around sharing information, and information is the lifeblood of hackers.

Old Wisdom Still Applies

During WWII, an expression was coined which applies remarkably well to today’s world of social media: “Loose Lips Sink Ships.” It was everywhere, from posters to movie intros and radio spots. In wartime it meant being careful about what you talk about in public, because enemies could be listening. If the wrong person heard a sailor (or a family member or friend of the sailor) sitting in a bar talking about his upcoming deployment, innocently happening to mention when he was leaving, the name of his ship and where it was going, that would be enough for an enemy operative overhearing it to arrange an attack with a high probability of success, resulting in the aforementioned sunken ship. In the military this falls under OPSEC (Operations Security), with the same overarching message: be careful about the information you put out there. No matter how innocuous it may seem in one context, it can be combined and compounded with other innocent tidbits to form a much bigger, more complete picture about your operations, or in the case of social media, about YOU!

How can Hackers Use Social Media Against You?

Come right in - First and foremost, social media is a direct conduit to your system. All those feeds and posts are typically designed with one main purpose in mind: to get other people to click on things. Hackers work the same way, but in their case, the things you click on won’t lead you to puppy videos or funny moments caught on camera; they’ll deliver payloads like trojans and ransomware. A seemingly innocent survey, a fantastic sale, even a simple IQ test could all lead you down a very scary rabbit hole. And if you get compromised on your personal system or device through your social media platform, it’s only a hop, skip and a jump to your organizational network, especially with the work-from-home connectivity going on these days.

I Wanna Be Like You - It can be annoying enough when a friend or coworker copies something you do on social media or tries to pass off something you thought of or created as their own. It’s exponentially worse if a hacker ends up actually assuming your identity to open accounts, access existing accounts, or gain access to things you have been entrusted to access by an individual or organization. More often than not, it’s those “loose lips” which get that snowball rolling. Remember that post you made about your “best friend” growing up, a golden retriever named Bingo? Now think about your bank asking you to set up a security question about your first pet. Any chance the answer is Bingo? Remember that post you made about the crazy long line you had to wait in at Wells Fargo? Remember those happy birthday posts real friends put in your public feed, and remember those data breaches at Equifax and the US Office of Management and Budget which exposed hundreds of millions of records, including social security numbers? Now they've hit giants like Microsoft and infrastructure entities like water treatment plants and everything in between, all using the same MO (Method of Operation): hacking the humans instead of the machines.

Easy Phishing - Social media companies are masters at knowing how to bombard you with things you should have an interest in, all based on the profile their multi-million-dollar AI and algorithms have built on you (yes, it’s allowed; just read your EULA (End User’s License Agreement)). Hackers do the same thing, except they do it themselves, using everything you post, like, relay, or comment on to build their own profile on you. They see what you like, what you do for fun, places you visit, things you buy, where you work and what you do there, where you went to school, your relationship status, teams you like, political views, who your friends and family are, and anything else you are willing to share with others, including those perfect strangers posing as “friends” on your list who are actually hunting you. And did you ever notice a “friend” already on your list sending another friend request? Don’t be surprised if that friend was actually compromised at some point and it’s a hacker reaching out to the contacts on their list while posing as them, so they can start phishing in your circle too. Every piece of information you divulge can be used to craft targeted spear phishing emails not only to you, but to those you know, like your friends, coworkers, or even your boss. Is that something you really want to be responsible for?

Working Outward from a Zero Trust Starting Point

The Zero Trust model of cybersecurity is a real thing, accepted by NIST (National Institute of Standards and Technology) and described in the NIST 800-207 framework. In a Zero Trust model, there is no such thing as a trusted source. It assumes potential attackers are present both inside and outside the network. With Zero Trust, every request to access the system must be authenticated, authorized, and encrypted. It was a step up from the previously accepted “trust but verify” model, which automatically granted trust to anyone inside the perimeter of the network; that left organizations vulnerable to insider attacks and really went off the rails once businesses migrated to the cloud.

A full Zero Trust paradigm would obviously be unruly in the world of social media; it would result in an empty friends list and, at best, about as much interaction as you would get at the dinner table. But it’s a good mentality to have as a starting point when it comes to social media: assume you can trust no one and act accordingly. Assume everything you make public is being monitored and catalogued by a bad actor with the goal of using it against you in the future. Think about how those innocuous tidbits could be compiled and eventually used against you. If in doubt, leave it out. If you find something suspicious, verify it through other channels, like a phone call or a separate email. If you have never met someone and have no idea who they really are in the real world, think twice about adding them to your trusted circle and keep an eye on them for suspicious behavior; otherwise it’s like meeting someone at the airport and giving them your house keys to water your plants, which of course would be irrational. The place you want to be is that sweet spot between “trust but verify” and Zero Trust. And remember, if a bad actor can successfully compromise you, they can easily use you and your system to pivot to your organizational network by stealing credentials or using personalized information to craft effective spear phishing campaigns.
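To make the contrast between the perimeter model and Zero Trust concrete, here is an added Python example (not GDF's code and not taken from NIST 800-207) that evaluates the same access request under both rules, including the stolen-credential pivot from a compromised home device described above. The request fields, the entitlement table and the sample scenarios are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request as seen by the policy decision point (constructed)."""
    user: str             # identity presented with the request
    source_ip: str        # network location the request arrives from
    resource: str         # what the user is trying to reach
    encrypted: bool       # arrived over an encrypted channel
    mfa_verified: bool    # strong authentication completed for this session
    device_managed: bool  # endpoint is enrolled and passed a posture check


# Constructed least-privilege table: which identities may reach which resources.
ENTITLEMENTS = {
    "alice": {"hr-portal", "wiki"},
    "bob": {"wiki"},
}


def perimeter_policy(req: Request) -> bool:
    """Legacy 'trust but verify' model: anything inside the LAN is trusted."""
    return req.source_ip.startswith("10.")


def zero_trust_policy(req: Request) -> bool:
    """Zero Trust: location carries no trust; every request must be encrypted,
    strongly authenticated, and authorized against least privilege."""
    if not req.encrypted:
        return False
    if not (req.mfa_verified and req.device_managed):
        return False
    return req.resource in ENTITLEMENTS.get(req.user, set())


def compare(req: Request) -> dict:
    """Evaluate one request under both models."""
    return {"perimeter": perimeter_policy(req), "zero_trust": zero_trust_policy(req)}


# Constructed scenario: alice's password was stolen via a spear-phishing lure and
# replayed from her compromised home laptop, which sits on the VPN (10.x) but is
# unmanaged and has no MFA. The perimeter model lets it through; Zero Trust does not.
PIVOT = Request("alice", "10.8.0.23", "hr-portal", True, False, False)
# Same user, legitimate session on a managed device with MFA.
LEGIT = Request("alice", "10.8.0.23", "hr-portal", True, True, True)
# Fully verified bob, but the resource is outside his entitlements.
OVERREACH = Request("bob", "10.8.0.40", "hr-portal", True, True, True)

if __name__ == "__main__":
    for name, req in (("pivot", PIVOT), ("legit", LEGIT), ("overreach", OVERREACH)):
        print(name, compare(req))
```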

So don’t let social media become a gateway for intruders. Cybersecurity is everyone’s responsibility, with one crack in the human chain being all that’s needed for a nightmare to unfold. Vigilance is key, so enjoy social media, but always be alert.

And remember, GDF is always here to help your organization navigate the perils of the digital world, and should the unthinkable happen and your organization does become a victim of cyber attackers, call us at 1-800-868-8189 immediately; we have emergency responders standing by.

*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cybersecurity and emergency incident response, with years of experience assisting clients in the government, banking, legal, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to call 1-800-868-8189 for immediate help. For more information, visit GDF's cybersecurity page.
