If 2014 is any indicator, security teams are in for a busy 2015. Attacks are only getting bigger and badder, in terms of scale, volume and method. Enterprises find themselves facing off against brand new attack vectors: most daunting among them — social media. Attackers exploit the virality and trusted nature of social networks to launch low cost, highly effective attacks, ranging from the technical to the behavioral, from phishing and malware to malicious impersonations. As security teams settle in for what will undoubtedly be a busy year, ZeroFOX has compiled a list of the top social media threats & attacks to watch out for in 2015.
1. Executive impersonations
Creating a fake account takes no more than 15 minutes and an internet connection. A well-made fake account can run amok on the social world: sending phishing links and malware to associates, slandering the company, launching social engineering attacks and scamming customers or employees. It’s an extremely low-tech, low cost, high reward attack in the hacker’s arsenal, and, with the rise of social media, it has skyrocketed in popularity. Keep an eye on your executives’ social media presence this year, and ensure all communications are executed from legitimate accounts.
2. Account takeover
An organization’s publicly facing accounts are the ultimate targets for attacks. Once in control of an account, an attacker can do serious damage, be it slander, malware or phishing dissemination, cybervandalism — like what happened to CENTCOM already this year — or even stock manipulation. Organizations must protect their social accounts like any other high-value asset. Two-factor authentication and robust passwords are critical first steps, but organizations also need to be actively monitoring their own accounts for indicators of compromise.
3. Watering hole phishing & malware
Social media has become the source for breaking news and trends, and attackers have quickly learned that virality on this scale is the most effective way to amplify the scope of an attack. By planting malicious links where users are interacting, discussing and sharing, attacks gain steam organically and touch a wide array of potential victims. To make matters worse, 75% of users’ social media passwords were the same as their email passwords. For an attacker, stealing credentials for anywhere online — dating sites, news subscriptions, music and video streaming, forums — is as good as getting a corporate password. The adversary no longer needs a targeted attack to breach an organization; they only need a well-timed catchy link and a social network.
4. Customer scams
Social media is an ideal venue for organizations to interact with customers, clients and prospects. Unfortunately, it’s an ideal venue for attackers to do the same. Malicious actors target an organization’s users by posing as customer support or offering fake discount codes. It is nearly impossible for the average user to distinguish between a coupon and a phishing or malware link. Organizations feel the pain down the road in the form of customer support calls and a shrinking base of loyal customers.
5. Corporate impersonations
The adversary may have a variety of things up their sleeve when they create a corporate impersonation. They could be scamming customers, connecting with and phishing employees, slandering the brand or building followers to “flip” the account. Organizations need to be watching social media for inappropriate usage of their logo, verbiage and brand when assessing all types of social media threats.
6. Information leakage
“Social media” is a difficult term to fully define. Most people’s immediate reaction is the big players — Twitter, Facebook, Pinterest, LinkedIn and YouTube. But the internet itself has gone social. Ben Solis’ excellent infographic, the Conversation Prism, is a good glimpse into just how much falls under social media threats. But it goes beyond even that — hackers are buying and selling personal information on their own deep web discussion boards and marketplaces. This includes email addresses, credit card numbers, personal health information and more. How much of your or your company’s information is publicly available on the social web? Even better question: how much is it selling for?
7. Planning of an attack
Employees, customers and marketers aren’t the only ones exposed to social media threats. Cyber criminals are conducting business on social media, planning attacks — be it DDoS, cyber defacement or breaches — coordinating their members and even sharing the occasional cat video. With the right tools in place, organizations can leverage social media as an early warning system, unlocking a treasure trove of attack data that could give security teams the edge.
8. Clickbait attacks
Have you ever seen a headline, in all caps, claiming something almost too amazing to be true? “DRUG COMPANIES HATE THIS DOCTOR WHO FOUND THE SECRET TO WEIGHT LOSS,” “WATCH THIS INSANE VIDEO OF A SHARK EATING A FISHERMAN!,” “APPLE IPADS 95% OFF TODAY ONLY!,” “25 KILLED ON CRAZY ROLLERCOASTER EXPLOSION: VIDEO,” “LEAKED NUDES OF EMMA WATSON ARE HOT!” You get the drift. Sensationalist news stories and catchy headlines are common trends for seedy internet journalists — a tactic called clickbaiting. But cyber criminals have known this trick for all too long. By disguising a phishing or malware link beneath a fake news story and distributing it via social media, hackers prey on many fat-fingered and gullible users.
9. Hashtag/traffic hijacking
Chances are, your organization is on social media. For marketers, it’s revolutionary for launching marketing campaigns and reaching potential customers. But it’s just as easy for the attacker to flip the scenario and use your organization’s hashtags as a means to target your company, your employees and your customers. Attackers distribute spam or malicious links with an organization’s hashtags to amplify their message to the target audience. At the most basic level, this tactic hijacks internet traffic — diverting social media users from clicking on the actual corporate link. At worst, attackers phish your people or distribute malware on company hashtags.
To learn more about social media threats and how to combat them, talk to an expert.