Social networks are social by design. They mean to foster interaction, to put you in touch in one way or another. Some put you in touch with friends and family. Others put you out there for the whole wide world to see. Some uses are personal. Others are all business. In the end, though, social media platforms are all designed to be easy to access and easy to use. They’re intentionally informal. They’re the last place you’d expect to find classified intelligence or the kind of business secrets that companies diligently guard.
All that – or most of it, at least – may be true, but that doesn’t make the world of social media a safe and happy world in which you can relax and let your guard down, tempting as that may be. Is it a jungle out there? Not entirely, but any time people get together, online or off, some will always try to take advantage of the situation. Just because it’s innocuously “social” doesn’t mean that it’s safe. The bad guys, diligent as ever, have found a number of ways to be antisocial in the social sphere.
The Tip of the Spear
With social networking comes social engineering, the ability to make use of people’s habits, assumptions and tendencies to trick them into doing something they should, at the very least, resist.
Old-school social engineering often required an ability to impersonate someone with a legitimate need for information. If the ruse was convincing enough, the target would disclose information that should have been kept private.
Today, “spear phishing,” a similar deception, is made possible by the wealth of raw material at a hacker’s disposal. We post enormous amounts of information in venues like Facebook, Twitter and LinkedIn. We do so in our own personal styles. We “like” certain things. In other words, our social identities have personalities.
This gives hackers two advantages. First, all that data makes it easier for hackers to mimic legitimate posts. If the post looks, at a glance, like it came from a colleague, from a friend or from your boss, you’re more likely to click on an included link. That link, of course, takes you to a bad, bad place. By the time you realize it, it’s too late. You’ve already opened the door to whatever malware the hacker chose to install.
Second, a hacker who knows your online personality – your interests and the links likely to appeal to you – can tailor the links to that personality. If you’re an actuary with a consuming interest in fatal baking accidents, all of which is made clear in your LinkedIn profile, a link to “NIH Warns of Rising Cronut Deaths” may tempt you to click. You may find malware with that click, or you may find a spam link encouraging you to emulate my brother-in-law, the guy who made $8,000 last week filling out online surveys. In any event, it’s not where you wanted to end up.
The Mobile Chicken and the Social Egg
Mobile technology and social networks have grown in parallel. Would either have evolved as quickly or become as popular without the other? Popularity, however, is a two-edged sword. We’re all happy to have information at our fingertips. Hackers appreciate that, too, but, even if our devices were not so stuffed with personal information, hackers would be irresistibly drawn to mobile by the sheer number of targetable users.
Android gets most of the action, with a reported 92 percent of mobile malware aimed at Google’s operating system, a proportion that has grown as Android devices have become more popular. For hackers, popularity is not Android’s only appeal:
• Android is a relatively open system.
• Only 4 percent of its users run Android’s latest, most secure version.
• Third-party app stores are rife with malware.
It seems that Apple avoids many of these problems by keeping a much tighter lid on devices and apps, but even that assertion is subject to some doubt. Apple doesn’t like to talk about such unpleasant subjects.
Most Android attacks rely on one particular mobile capability, the nicely social ability to send messages via SMS. Some 77 percent of attacks rely on SMS-based malware to surreptitiously send premium messages, unbeknownst to the user until it’s too late.
Hacked Accounts, Really and Truly
It seems that every time a celebrity of any sort publishes something offensive on a social platform, whether it’s a racist post on Facebook or an all-too-anatomically-correct photo on Twitter, the first line of defense is the same. It wasn’t me! My account was hacked! Just wait until I catch whoever did it!
Most of the time, that go-to line of defense collapses quickly, so we’re increasingly skeptical that real hacking happens. Sadly, however, it does, and it’s not just the little guys who get taken.
Just ask the Associated Press and Reuters. Both news organizations had their Twitter accounts commandeered by the Syrian Electronic Army, a group that supports Syrian strongman Bashar al-Assad, the former in April and the latter just days ago. The accounts of NBC News, the BBC, Fox News and The Guardian have also been compromised within the last year.
In May, The Onion, which may or may not be “America’s Finest News Source,” as it describes itself, got serious for a moment and explained how it was hacked. The exploit started with a few emails that featured a link to a fake Washington Post article. The link redirected to a log-in page for a Google Apps account, and all it took was one employee to provide his credentials. With those credentials in hand, the hackers looked even more legitimate. They ultimately gained access to every one of the organization’s social accounts.
For The Onion’s technical staff, there was still some question about exactly which accounts were in the wrong hands. The Onion, being The Onion, tried to get at the truth with a story: "Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels." That got the hackers’ attention, but, rather than leading to identification of the compromised account, it encouraged the hackers to go on a Twitter-posting binge. Only an organization-wide forced password reset rescued the accounts.
A Marriage Made in (Hacker) Heaven?
Social networks encourage sharing. We put our personalities on display, and security and privacy seem to go by the wayside when social meets mobile. After all, we want the mobile experience to be easy, unencumbered by strong passwords and two-factor authentication, and many of the sites we visit, sites like Facebook, don’t make privacy settings obvious. Corporate accounts, of course, want to be public by their very natures.
With the meeting of social and mobile making such a fruitful pairing for a world-wide industry of hackers, it’s no place to let down your guard.
It’s like a party. A few of your friends are there, but they’re outnumbered by a horde of strangers. Oddly enough, those strangers know something about you. You know little or nothing about them, but, wonder of wonders, they share your interests. All in all, they seem trustworthy. They seem like regular folks. They’d like you to leave the party with them. Where are you going? It’s not entirely clear.
What could go wrong?