When one thinks of a cyberattack, very often, the image of a hacker going after servers and databases in order to gain the Personal Identifiable Information (PII) and other types of confidential data very often comes to mind. But this is only one way of getting these proverbial “crown jewels”. The other way is to also keep tabs on the social media activity of a particular company in an effort to determine their weakest and most vulnerable spots.
For example, whether they have a malicious intent or not, employees are very often negligent as to the content that they are posting on their company’s social media sites. Although he or she may not put up the social security and credit card numbers of their customers, they can often put up content that over time, can constitute a company’s profile, and how the employees and management interact with another, and other external entities.
The cyberattacker can then put together all of these pieces of content, and from there, get an entire picture of the organisation in question. From here, he or she can then use the principles of social engineering in order gain a foothold into the business, and from there, launch their threat vectors. Or, if there is a known vulnerability in a particular social media site (Facebook has been so far the most notorious in this aspect) the cyberattacker can just penetrate into that fairly easily to get the company’s IT assets.
The threat variants
But regardless of a how a cyberattacker uses the social media tools to gain access to an unknown back door, they all are prone to a number of key threat vectors, which in turn, can make a business suffer from a security breach. They are as follows:
1) Unused social media accounts:
Because social media accounts are free to set up, there is a strong temptation amongst all the departments within an organisation to set up their own individual accounts, in order to reach to both prospects and existing customers. Or, as mentioned previously, these various social media sites can also be used for internal communications with employees. But very often, many of these accounts can go unused for exceptionally long periods of time, and even become inactive. Just like for examining for open ports that are not in use on a network infrastructure, a cyberattacker can also probe for these unused social media accounts in order to gain a point of entry into the organisation.
2) Employee error:
When employees post content up about a new product or service, there is often an excitement in the rush to post up as many links as possible that are related to it. But in this heat of the moment, there is a high statistical probability that they could put up a proprietary link that they did not mean to. But the fact remains that this link has been made open to the public, and the cyberattacker will always have their eyes and ears open to this. In this case, once this has been discovered, it will be too late, as the damage has been done. In fact, one study has even discovered that 77% of employees have put up a wrong link, by sheer mistake.
3) Third-party applications:
Even if you are authorised to download mobile apps onto your company issued wireless device (such as a smartphone), the cyberattacker will always find a way in which to penetrate them in order to gain access to not only the company’s social media accounts, but even your personal ones as well, in order to hijack your password and other relevant login data.
4) Phishing and malware:
When one thinks of these two, very often the first thing that comes to mind is either clicking on a malicious link or downloading an attachment in an email message that contains some kind of malware (such as those. DOC and .XLS file extensions). But keep in mind that the cyberattacker of today can even hijack a legitimate social media account and even put up a posting with a link attached to that will take you to a spoofed website. In this regard, once again, Facebook has been the prime target here, with accounts being hijacked on an almost daily basis, and illegitimate postings being put up. In fact, nearly 2/3 adults in the United States know that their social media accounts have been hacked into, but still do nothing about it.
Our next article will examine other forms of social media-based threat variants.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.