Social Media – a Cybercriminal’s Library
Two Tales of Social Media and Social Engineering
How much personal information is available online and waiting to be used against you? You might be surprised. Many people do not consider the volume and depth of information available online, particularly on social platforms. Social media offers cybercriminals ample opportunities to social engineer or manipulate people to their nefarious advantage – even outside of the social platform providing the fodder for their efforts.
Joe the Job Seeker
Meet Joe. Joe is currently in the market for a new career opportunity. He has been using LinkedIn more than usual and has accepted quite a few new connection requests in an effort to build a network in his industry and at some key companies that he finds attractive. Unfortunately, one of those connection requests was a fake profile. Through the course of several messages that involved sharing similar experiences and some personal information Joe was lured into clicking a link to a list of interview questions pertinent to his field. That link was malicious and installed malware on his computer. The hacker now has access to all of the personal data stored on his computer – including the family’s social security numbers, bank accounts, and more.
Penny the Pet Lover
Penny loves all animals, but she is especially involved in local dog rescue groups. She volunteers, often fundraises for them, and shares her passion prolifically on Facebook and Instagram. She recently purchased some supplies from a local pet store for donation to her local animal shelter. In addition to checking in at the locally-owned retailer when she arrived for curbside pickup, she posted pictures of the donated items and left a glowing review on the retailer’s Facebook page about the smooth purchase process. By itself this behavior is normal social media behavior and supportive of the local community. However, it provided ammunition for a cybercriminal to send a text to the number provided in one of Penny’s Facebook posts regarding adoption inquiries for a dog she is fostering. The text appeared to be from the retailer and contained a link to a survey that, upon completion, would donate $10 to the rescue organization of her choice. By clicking the link and completing the fake survey, Penny provided additional information to the cybercriminals that can be used to create fake profiles, open fraudulent accounts, and more.
Social Media – Not Just for Socializing
Social media platforms are a breeding ground for fake profile personas waiting to take advantage of you. For instance, LinkedIn has a professional influence unlike other social media sites, often making users less cautious when connecting with strangers. When people willingly make these connections under the assumption of making professional networking contacts, criminals can lure them into divulging personal details and direct them to malicious sites.
Social Engineering is a never-ending weapon for cyber criminals and social media hands them most of the information they need for successful attacks. Cybercriminals can use a quick company search on LinkedIn to find several contacts from a company, including information such as their job positions and email addresses. They can also easily mine Facebook for birthdates, high schools, names such as maiden names and names of children and pets, hobbies, places frequented, favorite activities, recent purchases, and so much more. This quick search gives the attacker a new list of targets to familiarize themselves with for better spear-phishing attempts.
If an attacker wanted to target you personally, they could easily find your “weak spot” in the form of interests or hobbies from one or more of your social media profiles. They could then craft a relevant spear-phishing email or text message spoofed to look as if it is coming from a company or person that you commonly interact with.
Always be aware of the information you share with the world, and be cautious of how that information can result in you, or your organization being more susceptible to a compromise. Connection now is more important than ever; just be extra vigilant about reviewing all communications with a critical eye. Use the checklist below to determine the likelihood that a communication is fraudulent.
- Are any URLs in the communication correct when you Google the sending company? Check all links before clicking.
- Many URLs are hidden in buttons labeled “Click Here” or “Continue.” Hover over the button to view the URL.
- Does the sender’s email address look correct? Your bank will not be using a public Internet account such as Gmail, Hotmail, Yahoo, etc.
- Is the sender requesting personal or financial information via email, such as a bank requesting your PIN for verification?
- Is the email personalized with your name? Legitimate companies will usually address you by name and not generic greetings such as “Valued Customer.”
- Are there misspellings, punctuation errors, or grammatical mistakes?
- Are the images low quality or stretched?
- Is there a misplaced sense of urgency?
- Does the email contain an unexpected attachment?
- Is the email from your CEO who is in a meeting but needs you to run out and buy gift cards?
Stop – Look – Think – Don’t be fooled!
Content brought to you by Advanced Network Solutions and The KnowBe4 Security Team