In this article, we continue with the theme of examining the threat vectors that are posed to social media platforms. Read Part 1 of this series here.
The threat variants
1) Establishing fake or impostor accounts:
A cyberattacker does not necessarily have to hack into an existing social media account in order to hijack passwords or even put up phishing-related posts. He or she can simply create a fake or phony account and make it look like the real thing. For example, these kinds of accounts can be used to target both customers and employees simultaneously, in order to con them into giving up their Personally Identifiable Information (PII) or company secrets, respectively.
2) Breaking into the privacy settings:
Although the major social media sites have claimed that they have beefed up their privacy settings so that confidential information remains that way, many companies and users still have no faith in this. In fact, according to a recent survey, many of the respondents claim that they have virtually no trust in the privacy settings of the social media sites that they use the most.
This is also further illustrated in the diagram below:
3) Shared user access and interconnected mobile apps:
In corporate America today, many departments (such as IT, marketing, accounting, finance, human resources, etc.) typically share passwords across those applications and systems that are interconnected with one another. A perfect example of this is when the organisation hires an exclusive social media manager from an external third party to manage their content. Rather than creating a different password for each social media platform, usually only one password is created, merely for the sake of ease and convenience. Not only is this a grave security risk, but the fact that this administrative password is being shared with an external third party poses an even greater concern. As mentioned, if there are other apps that are connected to these social media sites (such as dashboards, analytical tools, etc.), this external third party can very easily gain access to even more sensitive information and data in the company.
4) Social media botnets:
To some degree or another, we have all heard of “bots”. A popular example of this is the “chatbot”, which is a virtualised customer agent that can answer customer service-related questions and requests without the need for any sort of human intervention. Although this can be quite advantageous and brings many benefits with it, it can also pose a profoundly serious security threat. For instance, as it relates to a social media account, a bot can be made to look like a real, live person (when it is really not) who is interacting with an employee in an organisation. These are known as “socialbots”. But apart from the security threat, there are other, non-quantifiable risks that it brings as well, such as skewing tracking data (for example, with fake ad impressions) and even creating fake hashtags that can be used in a phishing attack. They can even be used to alter your customers’ perceptions of your company brand.
5) Insider attacks:
As a company grows and expands, or even offers new products and services, there is a strong tendency for both employees and management (and even the C-Suite) to share more than what is really necessary, as mentioned previously. For example, if an organisation is opening up a new office, there will be a temptation to post pictures of the inside of it and of the new employees in order to further “show off” the brand on social media sites. It is important to keep in mind that while prospects and existing customers may be “wooed” by this, the cyberattacker is also keeping awfully close tabs on it. But their purposes are far more nefarious in nature. For example, by getting a clear picture of what is inside the new office as well as its new employees, the cyberattacker can use social engineering to lure a naïve employee into perhaps launching a covert insider attack in those areas that have been posted on the various social media sites. In fact, in this instance, the cyberattacker can be so stealthy in manipulating the mindset of this particular employee that he or she may not even be aware that they are participating in an insider attack against the very company that they work for.
Remember, the cyberattacker of today takes their time to study their prey. They very often use social media to study their victims and build a profile from that in order to launch the threat vectors as described in these two articles. Try to maintain a good level of cyber hygiene when logging into your social media accounts, such as being proactive and using Multifactor Authentication (MFA) if it is offered.