LinkedIn phishing has claimed a new victim.
On September 15th, streaming service Vevo disclosed a massive data breach, to the tune of 3.12TB of sensitive internal data. The breach occurred after one of its employees was compromised via a LinkedIn phishing campaign, demonstrating again that social media is an incredibly effective vector for launching targeted attacks. Already this summer, attackers have successfully used similar fake social accounts to persuade employees at oil and gas companies, a cybersecurity firm, and a government department to open malicious attachments designed to take control of victims’ devices.
Why are phishing attacks so effective when waged over social media? Social media allows users to create believable online identities and interactions, which help them build credibility and trust with their real-world peers. For the most part, profile fields are publicly facing, and they are among the first things a recipient checks when a friend request or message arrives. Are they in the same profession? Do I share a common experience or connection? Attackers maximize opportunities for engagement by impersonating legitimate users or by fine-tuning profile fields and interactions to lure targets. Once a target has been socially engineered, their trust can be leveraged to extract personal information or deliver malicious payloads.
Many social networks further encourage users to disclose sensitive information about their job roles, responsibilities, family, hobbies and more, all in the spirit of engaging with friends, networking with their colleagues and staying in touch with family. However, this information is dangerous in the wrong hands. An attacker may learn which employees have access to critical systems or who has financial signing authority based on role descriptions, enabling them to craft a more precise attack. Similarly, if a network engineer posts that they are certified for a certain type of firewall, that can give attackers the information needed to determine that there is a high probability that their target organization uses said product.
Personal information can also be readily weaponized by an attacker during a social engineering campaign. The more an attacker can glean about the victim’s family, hobbies, home address and personal connections, the more convincing a spearphishing message they can craft. Moreover, once the attacker has lifted the relevant information from the target’s social media accounts during the reconnaissance phase, they can launch the attack from directly within the social network, by posting the payload to the user’s profile or sending it via direct message. It’s likely the Vevo attackers followed this exact workflow when delivering their payload.
To minimize exposure to LinkedIn phishing and other targeted social media attacks, ZeroFox recommends that users:
- Limit interactions to users you’re sure you can trust. Make sure that you’ve either met them in person or that you have mutual connections and their profile seems credible. Don’t interact with profiles if they don’t know you or are contacting you for suspicious reasons.
- Avoid clicking on links or downloading file attachments sent to you through social media, especially if the links seem suspicious or if the users seem unfamiliar. On LinkedIn it’s common to share attachments like cover letters, resumes and letters of recommendation. When in doubt, pass the link or attachment in question to an open source malware detector.
- Ensure two-factor authentication is enabled on all of your social accounts. This provides another barrier of protection should an attacker ever steal your credentials. Many social networks can now require that a code be sent to your phone or email when they detect a new browser or device attempting to access your account, so be on the lookout for any such notification you did not trigger yourself.
- Security professionals should train employees, especially those with high-access privileges or important organizational roles, on what information should or should not be posted or visible to the public. Security teams can distribute guidance on how to make elements of an employee’s social accounts private, so that only followers or friends can see data fields like date of birth, connections or home address.
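The second recommendation above says to hand a suspicious link or attachment to a malware detector before opening it. A practitioner will often want a cheap local pre-screen first, because the documents typically shared on LinkedIn (resumes, cover letters) have well-known file headers, and a payload disguised as one of them usually gives itself away by a double extension or by content that does not match the claimed type. The script below is an added example, not code from ZeroFox or from the original post; the blocklist entry, the sample attachments and the filenames are constructed for the demonstration, and a real deployment would replace the blocklist with hashes from the detector or threat feed the organization actually uses.

```python
import hashlib

# Constructed blocklist of SHA-256 digests. The single entry is a placeholder,
# not a real indicator; a deployment would load hashes from its own feed.
KNOWN_BAD_SHA256 = {
    "0" * 64,
}

# Leading bytes expected for the document types commonly exchanged on LinkedIn.
MAGIC_BY_EXTENSION = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",      # OOXML documents are zip containers
    ".doc": b"\xd0\xcf\x11\xe0",  # legacy OLE2 compound documents
}

# Leading bytes of native executables, which should never arrive as a "resume".
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the attachment contents."""
    return hashlib.sha256(data).hexdigest()


def screen_attachment(filename: str, data: bytes, blocklist=KNOWN_BAD_SHA256) -> list:
    """Return a list of findings for an attachment; an empty list means nothing
    obvious was found (which is not the same as the file being safe)."""
    findings = []

    # 1. Known-bad hash lookup against the local blocklist.
    digest = sha256_of(data)
    if digest in blocklist:
        findings.append(f"hash {digest[:12]}... is on the blocklist")

    # 2. Double extensions such as "resume.pdf.exe" (heuristic: legitimate
    #    multi-part names like "archive.tar.gz" will also be flagged for review).
    parts = filename.lower().split(".")
    if len(parts) > 2:
        findings.append("double extension: " + ".".join(parts[1:]))

    # 3. Claimed document type versus the bytes actually present.
    ext = "." + parts[-1] if len(parts) > 1 else ""
    expected = MAGIC_BY_EXTENSION.get(ext)
    if expected is not None and not data.startswith(expected):
        findings.append(f"content does not match {ext} header")

    # 4. Native executable content regardless of what the name claims.
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            findings.append(f"file is a {label}")

    return findings


def screen_path(path: str, blocklist=KNOWN_BAD_SHA256) -> list:
    """Screen a file on disk by name and contents."""
    with open(path, "rb") as fh:
        return screen_attachment(path.rsplit("/", 1)[-1], fh.read(), blocklist)


if __name__ == "__main__":
    # Constructed sample attachments: a genuine-looking PDF, a PE binary with a
    # document-style name, and a PE binary named as a plain PDF.
    samples = {
        "resume.pdf": b"%PDF-1.4\n%constructed sample\n",
        "cover_letter.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "recommendation.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    }
    for name, blob in samples.items():
        result = screen_attachment(name, blob)
        print(name, "->", result or "no findings")
```

An empty result only means the cheap checks passed; the recommendation in the post still stands, and anything that is unexpected or that fails a check should go to a proper detector rather than being opened.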