Social media has long been a tool of connection for personal relationships and online marketing, but its darker side gives attackers a way to research a specific target’s background for a targeted form of social engineering called spear phishing. These platforms are a wealth of information for an attacker who wants to obtain private login credentials, understand a target’s professional dynamics, and work a fraudulent profile into the target’s social media circles to gain trust. Before you publicly divulge your data, proceed with caution: posting too much information publicly could put your business at risk.
When you receive a friend request on Facebook, how convincing is it to you when the profile has several mutual friends? Most people identify mutual friends as assurance that this friend request comes from a real person that they know through other friends. Attackers take advantage of this trust signal and use it to gain access to your Facebook Wall.
For instance, suppose the target is someone in charge of finances at a corporation, such as a CFO. It’s assumed that the CFO has access to bank accounts, customer data and employee data. The name of a CFO is usually published somewhere on the company website, so the attacker can easily get a name, perform a few Google queries and find this person’s Facebook profile. In many cases, the target’s privacy settings let any viewer see their friends list.
Some attackers first try to friend the target directly, without working through the friends list: someone with hundreds of friends is assumed to accept almost any request. If that fails, the attacker works through the friends list instead, sending requests to the target’s friends until enough of them accept. With several mutual friends in place, the attacker then sends a friend request to the target’s profile.
The CFO example only uses one person; however, an attacker usually targets a handful of people within the organization to increase the possibility that at least one will fall for these social engineering tricks. It just takes one victim to result in a successful spear phishing attack.
Once the attacker can see a target’s Facebook Wall, information can be gathered from conversations. Knowing a target’s family names, favorite places and other social details gives an attacker background on the victim that can be used to guess passwords or to send emails that reference those details to gain the victim’s trust.
Another common way an attacker earns the victim’s trust is using Facebook Messenger. An attacker uses a fraudulent profile to chat with a victim and gain more information. With enough persistence, the attacker can get information about a target’s work environment and even insider intelligence that can be used in a spear phishing campaign.
It’s common for professionals on LinkedIn to add each other as contacts: people within an organization connect with one another and network with their contacts. LinkedIn is one of the most common reconnaissance sites where an attacker can gather information. If the Facebook angle fails, an attacker can likely find what they need on LinkedIn. It’s even easier than Facebook, because most people keep a public LinkedIn profile available for anyone to review, and even profiles restricted to members are visible to anyone who creates a quick LinkedIn account, whereas Facebook requires both an account and the profile owner’s permission to see personal information.
Using LinkedIn, the attacker can review contacts, professional backgrounds, previous employment and referrals. LinkedIn provides a social engineering attacker a wealth of information for a spear phishing campaign.
With a target’s professional contact list, an attacker can focus phishing emails on a group of related targets. For instance, in the Target attack in 2015, the initial victim was a vendor: the attacker obtained credentials from an HVAC vendor that received a spear phishing email, and then used those credentials to gain access to sensitive areas of Target’s internal network.
Facebook and LinkedIn are the two main social media sites attackers use, but they’re far from the only ones. Plenty of information can be found on other social media sites such as Twitter, Instagram and even Snapchat. Spear phishing requires precise targeting to be successful, so an attacker can spend weeks in the reconnaissance phase.
A company website is also useful for gathering information. Some attackers target employees that work for an executive using their collected data. The goal is to get a good feel for the personality and working dynamics within an organization.
After enough data is collected, an attacker crafts a phishing email designed to trick an executive or other corporate employees into giving up private data. This could be tricking an employee into sending login credentials. Another common spear phishing attack is tricking finance employees into paying fraudulent invoices. Attackers even trick CFOs into wiring them money by pretending to be accountants.
With login credentials, an attacker can log into corporate systems and steal data at their leisure. In the 2015 attack on a Ukrainian power grid, the attacker used spear phishing to trick an employee into divulging login credentials. The attacker logged into a computer, installed remote control software and turned off 30 stations, leaving 230,000 people without power. It was an unprecedented attack on government infrastructure that showed the effectiveness and potency of a spear phishing attack.
Phishing (and its subcategory, spear phishing) is difficult to defend against because it targets people rather than systems: you rely on employees recognizing a phishing attack rather than on IT controls. Employee education is the main defense, but even this can be poorly implemented, and some employees remain blind to phishing attacks and give out information that can lead to a cybersecurity incident.
The right email filtering system can help defend against phishing. These systems use machine learning and rule-based detection to spot patterns and phrases that could indicate phishing. Suspicious emails are filtered and quarantined for review by administrators; if an email is judged safe, administrators release it to the recipient’s inbox.
Employees should know the red flags associated with phishing. Never click links that point to unknown sites. Don’t give a username and password to anyone, even corporate technical support; instead, have them reset your password. Finally, never download attachments from unknown senders, especially executable files.
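To make the filtering system described above and the red flags listed here concrete, the following is an added, illustrative rule-based scorer; it is not TECKpert’s product or the detection logic of any real mail gateway. It checks each link’s real destination against a trusted-domain list (and flags links whose visible text claims a different site), looks for credential and payment lure phrases, flags executable attachments from external senders, and quarantines a message once its score crosses a threshold. The trusted domains, lure patterns, threshold and the two sample emails are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed for the example: a deployment would load these from configuration.
# "example.com" stands in for the organisation's own mail domain.
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}

# Attachment types that should never arrive unsolicited from outside.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}

# Phrases that typically accompany credential or payment lures (illustrative list).
LURE_PATTERNS = [
    re.compile(r"\b(verify|confirm|re-?enter)\b.*\b(password|credentials|login)\b", re.I),
    re.compile(r"\b(wire|transfer)\b.*\b(funds|payment|invoice)\b", re.I),
    re.compile(r"\b(urgent|immediately|within 24 hours)\b", re.I),
]

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<]+", re.I)


@dataclass
class Email:
    sender: str                 # From address
    subject: str
    body_html: str
    attachments: list = field(default_factory=list)   # attachment file names


@dataclass
class Verdict:
    score: int
    reasons: list
    action: str                 # "deliver" or "quarantine"


def _email_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _url_domain(url: str) -> str:
    # urlparse handles user@host and ports, so "http://a@evil.test" yields evil.test
    return (urlparse(url).hostname or "").lower()


def score_email(mail: Email, quarantine_at: int = 3) -> Verdict:
    score, reasons = 0, []
    external = _email_domain(mail.sender) not in TRUSTED_DOMAINS

    # Red flag 1: links to unknown sites, or link text that claims a different site
    # than the real href destination.
    for href, text in LINK_RE.findall(mail.body_html):
        link_domain = _url_domain(href)
        shown = URL_IN_TEXT_RE.findall(text)
        if shown and _url_domain(shown[0]) != link_domain:
            score += 2
            reasons.append(f"link text shows {_url_domain(shown[0])} but points to {link_domain}")
        elif link_domain not in TRUSTED_DOMAINS:
            score += 1
            reasons.append(f"link to unknown site {link_domain}")

    # Red flag 2: the message asks for credentials or pushes a payment, often with urgency.
    plain = re.sub(r"<[^>]+>", " ", mail.subject + " " + mail.body_html)
    for pattern in LURE_PATTERNS:
        if pattern.search(plain):
            score += 1
            reasons.append(f"lure phrase matched: {pattern.pattern}")

    # Red flag 3: executable attachment from a sender outside the organisation.
    for name in mail.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS and external:
            score += 3
            reasons.append(f"executable attachment {name} from external sender")

    action = "quarantine" if score >= quarantine_at else "deliver"
    return Verdict(score, reasons, action)


# Constructed sample messages: a credential/payment lure and a benign internal notice.
SAMPLE_LURE = Email(
    sender="accounts@examp1e-billing.net",
    subject="URGENT: confirm your login before the wire transfer is processed",
    body_html='Please <a href="http://login.examp1e-billing.net/reset">https://mail.example.com/reset</a> '
              'to verify your password so the invoice payment can be released.',
    attachments=["invoice_4471.pdf.exe"],
)
SAMPLE_OK = Email(
    sender="hr@example.com",
    subject="Holiday schedule",
    body_html='The calendar is on <a href="https://mail.example.com/calendar">the intranet</a>.',
    attachments=["schedule.pdf"],
)

if __name__ == "__main__":
    for mail in (SAMPLE_LURE, SAMPLE_OK):
        verdict = score_email(mail)
        print(mail.subject, "->", verdict.action, verdict.score, verdict.reasons)
```

Each reason string is kept on the verdict so an administrator reviewing the quarantine sees why the message was held, which is what makes the review step in the workflow above practical; a bare score is not enough to decide whether to release a message.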
Set up a free consultation with TECKpert to learn how we can help. Contact us today.