
Social Engineering On Social Media: Meet Dr. Crawley


Meet Dr. Emily Crawley.

She’s a talented young professional working for the United Nations as a medical director in the Congo. Her resume is impressive – she has co-authored several publications, speaks both Hindi and Old English, and holds a master’s degree from the British College of Osteopathic Medicine, where she did her residency. She seeks a “long term career in the applications of medicine & surgery” and is an avid animal lover.

Also, she doesn’t exist.

But you wouldn’t know that from her extremely convincing LinkedIn profile, which boasts hundreds of connections and endorsements. Only by looking closely does everything start to smell phishy – the other authors on her publications don’t link to real accounts, the “People Also Viewed” window is composed of scantily-clad women, and a reverse image search reveals her photo came from the Russian dating site heavenlyhearts.net. If you’re anything like me, you rarely spend more than a minute or two on a LinkedIn profile and certainly don’t reverse image search the picture.
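The tells listed above (co-authors who don’t resolve to real accounts, a “People Also Viewed” list unrelated to the claimed profession, a profile photo that a reverse image search traces to an unrelated site) are each weak on their own but useful when aggregated. The script below is an added example, not code from the post or from ZeroFox: it scores a profile record against those three checks and assigns a triage level. The field names, weights, thresholds, the photo-source denylist and the two sample profiles are all assumptions constructed for the illustration; a reverse image search result is simply modelled as the list of domains it returned.

```python
"""Weak-signal triage for suspicious social-media profiles (illustrative).

Each check mirrors one of the tells described in the post. No single tell is
proof; the value is in aggregating them into a score an analyst can sort by.
Weights and thresholds are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed denylist of domains a professional's headshot should never
# originate from; the first entry is the site named in the post.
PHOTO_SOURCE_DENYLIST = {"heavenlyhearts.net", "example-dating-site.test"}


@dataclass
class Coauthor:
    name: str
    profile_url: Optional[str]  # None when the listed co-author has no account


@dataclass
class Profile:
    name: str
    industry: str                                  # the industry the profile claims
    coauthors: list[Coauthor] = field(default_factory=list)
    also_viewed_industries: list[str] = field(default_factory=list)
    reverse_image_domains: list[str] = field(default_factory=list)


@dataclass
class Finding:
    check: str
    weight: int
    detail: str


def check_coauthors(p: Profile) -> Optional[Finding]:
    """Flag when half or more of the listed co-authors have no linked account."""
    if not p.coauthors:
        return None
    unlinked = [c.name for c in p.coauthors if not c.profile_url]
    if len(unlinked) / len(p.coauthors) >= 0.5:
        return Finding("unlinked_coauthors", 3,
                       f"{len(unlinked)}/{len(p.coauthors)} co-authors have no account")
    return None


def check_also_viewed(p: Profile) -> Optional[Finding]:
    """Flag when nothing in 'People Also Viewed' shares the claimed industry."""
    if not p.also_viewed_industries:
        return None
    related = sum(1 for ind in p.also_viewed_industries
                  if ind.lower() == p.industry.lower())
    if related == 0:
        return Finding("unrelated_also_viewed", 2,
                       "no 'People Also Viewed' entry shares the claimed industry")
    return None


def check_photo_origin(p: Profile) -> Optional[Finding]:
    """Flag when the reverse image search lands on a denylisted domain."""
    hits = sorted(d for d in p.reverse_image_domains
                  if d.lower() in PHOTO_SOURCE_DENYLIST)
    if hits:
        return Finding("photo_from_denylisted_site", 5,
                       "reverse image search matched " + ", ".join(hits))
    return None


CHECKS = (check_coauthors, check_also_viewed, check_photo_origin)


def score_profile(p: Profile) -> tuple[int, list[Finding]]:
    """Run every check; return the summed weight and the individual findings."""
    findings = [f for f in (chk(p) for chk in CHECKS) if f is not None]
    return sum(f.weight for f in findings), findings


def triage_level(score: int) -> str:
    if score >= 7:
        return "investigate"
    if score >= 3:
        return "review"
    return "clear"


# Constructed sample profiles: one patterned on the account in the post,
# one that looks like an ordinary professional.
CRAWLEY = Profile(
    name="Emily Crawley", industry="Medicine",
    coauthors=[Coauthor("A. Author", None), Coauthor("B. Author", None),
               Coauthor("C. Author", "https://example.test/in/c-author")],
    also_viewed_industries=["Modeling", "Entertainment"],
    reverse_image_domains=["heavenlyhearts.net"],
)
PLAUSIBLE = Profile(
    name="Jane Doe", industry="Medicine",
    coauthors=[Coauthor("D. Author", "https://example.test/in/d-author")],
    also_viewed_industries=["Medicine", "Hospital & Health Care"],
    reverse_image_domains=["example-hospital.test"],
)

if __name__ == "__main__":
    for prof in (CRAWLEY, PLAUSIBLE):
        total, found = score_profile(prof)
        print(f"{prof.name}: score={total} level={triage_level(total)}")
        for f in found:
            print(f"  [{f.check}] {f.detail}")
```

The point of the design is that each check returns a structured finding rather than a boolean, so the analyst who opens the “investigate” queue sees why the profile scored, and a new tell can be added by appending one function to `CHECKS`.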

While this could be written off as a satirical account, the amount of time and effort spent making it seem legitimate suggests this is something more sinister. What had been a promising marketing or sales lead just became a serious security threat. The impostor Emily Crawley is connecting to real people in the military, some of whom have even given her LinkedIn recommendations. What the purpose of the account is, or what the end goal of the user behind it might be, is not entirely clear. It’s clear, however, that it should not be taken lightly.

Dr. Emily Crawley may well be the first phase in a social engineering on social media campaign. Social engineering on social media involves creating genuine-looking profiles to connect and interact with a target or group of targets. Once these connections are deemed trustworthy, the hacker attempts to steal information or launch further attacks.

Social engineering on social media is shockingly easy to carry out. This was made all too clear at RSA Europe 2014, when IT services provider World Wide Technology presented the results of a comprehensive penetration test carried out for one of their clients. The story will sound familiar – a fake account under the name Emily Williams, claiming to be an MIT grad with 10 years’ experience. Within days, the pen-testers received endorsements, job offers, and even a company laptop.

Had this been an actual attack, the opportunities for the cyber criminal at this point would have been endless. They could send malicious links, mine sensitive data or target customers.

Keep in mind, however, that up to this point our friend Emily has not yet breached any of the platform’s terms of engagement. No actual “hacking” has been done, in the usual sense. But by leveraging social media and infiltrating an organization organically, a skilled hacker could subsequently carry out a serious attack before he finished his coffee.

Monitoring social media is a herculean task. It’s not a matter of logging into a company’s profiles once a day to look for suspicious activity. Employees, customers, executives and anyone connected to your organization are the new endpoints. A recent survey suggests that of the 75% of internet users now active on social media, the average person has 3 different social media accounts. Apply these stats to your company workforce and customer base – now you’re beginning to understand the full attack perimeter. Who is the weak link in the chain? Who will be the key to Pandora’s box?

Social media is no longer exclusively in the realm of the marketers, and in truth hasn’t been since the days of Myspace and Friendster. Information security professionals need to be in dialogue with all social media avenues across an organization. Risk management plans need to be in place to monitor, identify, counter, and remediate social engineering on social media. A simple test is this – go back through your traditional infosec risk management plans line by line. Ask yourself whether, in all their complexity, they could alert on an attack originating from a carefully worded LinkedIn direct message from Dr. Emily Crawley.
