Socially engineered attacks are a highly effective vector for cybercriminals. Using highly versatile social engineering techniques, attackers can exploit an online professional network to target employees who are not likely to be data security experts, but who may have access to various essential data resources stored within the organization's network.
08/11/11 5:00 AM PT
In terms of online communication, social media is the biggest trend in recent years. There are billions of participants around the globe as well as an array of forms: blogs, forums, wikis, multimedia content, social bookmarking and, of course, popular platforms such as Facebook, Twitter and Google+.
What's more, social media is strongly established as an important channel for companies to communicate with their customers. Corporate social media pages keep users informed about products and trends in an informal way and allow a simpler, more effective method of communication between the two parties.
Another important aspect worth mentioning is that social networks are among the few platform-independent applications currently in existence, which means that they can run on any PC with a fairly recent browser installed, as well as on all of the main mobile platforms: iOS, Android, Symbian and Windows.
Don't Become a Zombie
Predictably, the millions of contacts, email addresses, pictures and other sensitive data present on social networks make them a prime target for cybercriminals. Part of the issue here is that social networks sometimes encourage users to keep personal data public as the default privacy setting.
Many social networking sites and profiles could provide an ideal and cost-effective platform for the distribution of a range of malicious content such as viruses, bots, Trojans, spyware and adware. The way in which these threats can be spread is not limited to simple tactics such as posting infected links on a wall with an appealing call-to-action -- "see who viewed your profile" is one most of us are aware of -- or stealing email addresses to send malicious attachments en masse.
We have also seen cases where a piece of code has been attached to a profile page, so that when the user logs in, a bot is automatically downloaded into the system, transforming the unprotected computer into a "zombie" -- a compromised machine that is part of a larger net of infected machines, called a "botnet," which an attacker remotely controls.
Details such as the user's list of friends can also be easily exploited by attackers. A potential intruder could then gather data concerning the size of the organization, its employees' hierarchy, their work expertise, degree of IT and communications literacy, etc. This information might simply outline the profile of the most vulnerable employee who could later be tricked into revealing even more sensitive data that will open a backdoor into the company's network.
Layers of Protection
Scenarios involving combined tactics are also possible. Using highly versatile social engineering techniques, attackers can exploit an online professional network to target employees who are not likely to be data security experts, but who may have access to various essential data resources stored within the organization's network.
Let's consider an example in which cybercriminals try to persuade the victim to deliver sensitive data by email. They may well carefully craft a message so as to give it the appearance of an official and legitimate message, coming from the organization's CEO, for instance. This will have a higher likelihood of being noticed and opened. The email may well include a PDF attachment containing malware, which once opened by the recipient will activate the threat and allow access into the organization's network to easily extract further sensitive data.
With such a range of information about users easily available online, socially engineered attacks are a highly effective vector for cybercriminals. So what can be done to combat them? Along with using a security solution, there are a few basic protection methods available to all users.
Have a strong password policy. Use a strong password to social network accounts; reusing the same passwords for other accounts means a higher exposure, as once the password is stolen, the attacker has access to all associated accounts.
Generating a 12-character password that includes both upper and lower case characters, and which do not contain common names or brands, is a minimum requirement. Do not store the password to the account in the browser if you are using a laptop outside the company network. If you cannot avoid it, it is recommended that you encrypt your file system.
Use encrypted connections. Always browse the social network under a secure connection ("https" prefix in the browser). Be careful to switch secure browsing back on once you have accessed content on pages that do not have SSL support. Moreover, never switch to an unsecure connection while in an open/unsecured network.
Enable all log-in notifications. Facebook allows you to get notified by email or SMS every time somebody logs in to your account from a new device. This helps you identify more rapidly any suspicious activity that may take place.
Prepare a recovery plan in case of account hijacking. In the event your account is hijacked, in order to regain control over it, you will be requested to provide verification information. For verification purposes, it is advisable to associate your account with a phone number. However, you should also keep in mind that it's very easy for a social network account to be hijacked if the phone on which the account is set up is stolen.
Carefully monitor any mobile phones that can allow access to the company's social network accounts. Login to the social network accounts from the mobile phone should not be automatic, as this poses a higher risk of illegitimate access in case the phone is stolen. The phone should lock automatically.
Select and train account/page administrators. Limit the number of users who have access to the corporate page/account, and make sure they are aware of the e-threats associated with communication within this environment. Depending on the social platform permission structure, abide by the minimum access rights rule so that employees can interfere with the account operation/content only within predefined limits. For example, an employee may only require access to statistics info on the account activity, which makes it unnecessary for that person to have full administrative rights.
Train employees who are to become administrators of company pages/ accounts to carefully select the applications they install, making sure that they have read the list of requested permissions and have assessed the risk of seeing important info posted in the account being taken over by apps with a hidden agenda.
Enforce strong security policies. The security of social network accounts depends on the security of the computers/smartphones they are accessed from. The exposure of these devices to data leaks or to infections with malware using social media as a propagation medium can have serious consequences.
Protect your company from targeted attacks. To avoid being contacted by unknown persons who seek to fraudulently obtain information about the company or about its organizational chart, employees should adjust their social network account settings so that the content they post is only visible to their friends. In this context, employees should proceed with caution when interacting with unknown persons online.
Protect your user information. Should you develop an application that collects and stores users' private data, make sure that you encrypt this info using a strong algorithm. Remember to adequately protect the API key and secret of your applications. If you use input forms to collect information from your users, make sure that it is transferred to your servers over a secure connection.
Carefully select online published content. Remember that it will be very difficult for a specific piece of content to be completely erased once it has been published online. Web robots permanently scan for online content and multiply it in an uncontrollable way. Before posting content online, carefully assess the legal and reputation consequences the published material may have.