By Mike Raggo, Chief Research Scientist at ZeroFOX
In today’s threatening age, it’s impossible to navigate the web without crossing paths with some sort of virus, threat or scam. In the past few months especially, we’ve seen social media become a prime vector for scammers to target individuals, going after everyone from the CEO of Twitter (through his own platform mind you) to 117 million innocent LinkedIn individuals. In fact, in just May and June of 2016, five major social networks – LinkedIn, Tumblr, Myspace, Twitter and Russia’s VK – all suffered leaked user credentials.
While the writing is on the wall for businesses and individuals to ramp up their cyber security focus, it seems that we’ve just become even more trustworthy of social media. And with this digital landscape becoming a more critical business platform, this is a deadly combination that we can no longer be complacent towards.
At ZeroFOX, we’re dedicated to protecting businesses from the onslaught of endless social media attacks, but also spreading digital security awareness. Below, we explain the various types of attacks that are floating around, who is primarily being targeted and what needs to be done to secure our profiles.
Most prominent social media attacks
From phishing attacks to brand and executive impersonations, cyber criminals are focused on social media do to its low cost, scale and accessibility. Today’s consumers spend the majority of their time on the Internet doing two things: browsing social media channels and shopping.
According to McAfee, more users experience crimes on social than any other platform. In fact, social media phishing scams cause $1.2 billion per year in damages, and 40% of users report clicking malicious links. Common threats that should be monitored include:
- Piracy and counterfeit goods
- Brand and executive impersonations
- Phishing and malware
- Intellectual property loss
- Physical and cyber attack planning
- Scams and fraud
While email was previously thought of as the primary vector for attackers to infiltrate victims’ systems, the threat landscape has quickly evolved, placing a spotlight on social media, and it’s time for businesses and individuals to start taking this risk much more seriously.
So who’s at risk?
Anyone who’s active on social media. Twitter, Instagram, Facebook and LinkedIn all present dynamic threat universes, and each platform poses a different set of risks. Twitter, for example, is frequently leveraged for phishing scams, while Instagram on the other hand is riddled with Instagram Money-Flipping schemes.
As we share more information on social media, we are constantly exposing our private information for the entire web population to see. With one click, malicious doers can visit a profile and gather information about a potential victim, including place of residence, phone number, email address, friends and family, and interests—all of which can be leveraged in an attack.
C-suite executives are a key target for attackers. Not only do they hold the keys to the kingdom, they are often less focused on their digital security. The c-suite is juggling a multitude of different tasks, and thoroughly vetting a Twitter link before clicking is rarely on their list of primary “to-dos.” Those at the executive level can have a large bullseye on their backs, and the ones who are not properly trained can easily fall victim to a cyber attack.
The right-hand counterpart to the c-suite, executive admins, are the gatekeepers to everything that goes on within the company, and the lives of the CEO—from schedule maintenance to financial records. Ultimately, these individuals have access to critically sensitive data. If hackers can’t access the c-suite, the executive admin provides the next best vector towards breaching a company. Therefore, understanding your organization’s social media footprint, and the individuals responsible for these accounts is key.
How to Navigate the Social Media Enterprise Safely
As mentioned above, attackers are using a variety of techniques to lure individuals into engaging with their malicious content. Perhaps the most prominent way of doing so is through phishing and malicious links sprinkled across social media platforms. Knowing what to look for and what NOT to click on is crucial to preserving online security.
Phishing links mask themselves in a variety of forms—from fake online surveys to fraudulent video streaming links—and individuals must constantly be on the alert to identify these. Beware of links that prompt you to re-enter your account credentials or require you to enter your credit card information. Our research demonstrated that social media phishing attacks are successful up to 66% of the time.
To protect your business, it’s important to monitor for social media threats to your organization’s accounts. Account impersonations, scams, fraud and malware all present security issues to virtually every organization. Visibility is key to identifying these threats early before they result in a breach or damage brand reputation.
Within your company, it’s important to have a dedicated security team monitoring for potential breaches, but it also falls upon every employee to incorporate a set list of digital hygiene best practices into their daily routines. This includes better curating the individuals you connect with or follow on social media.
Additionally, enabling two-factor authentication for social media accounts is the first line of defense against account hijacking. Companies can additionally incorporate social media and digital risk monitoring into their security strategy and iterative incident response processes. Identified social media specific malware and phishing links can also be incorporated into the perimeter defenses, endpoint security, and SIEM to fortify the defense in depth in your organization.
Social media is a rapidly evolving landscape that connects society like never before and presents endless business opportunity. But with these benefits, comes an unregulated setting that is still trying to find a balance between information sharing, privacy and security. As the kinks are still being worked out, individuals and organizations must recognize the associated threats and know how to mitigate their risk to enjoy the social media landscape in a secure manner. By better understanding the variety of scams and attacks floating around the digital world, individuals can protect their personal profiles, as well as their businesses as a whole.
Mike Raggo serves as Chief Research Scientist at ZeroFOX and has over 20 years of security research experience. His current focus lies in social media threats impacting the enterprise. A former security trainer, Mike has briefed international defense agencies including the FBI and Pentagon.