Social media is a great way to share information. It works because we trust messages on social media platforms more than we trust messages elsewhere, especially when they are forwarded to us by a friend. That trust makes social media a great way to form genuine relationships online, but it also opens us up to cyber attacks.
How do the risks open up?
Attackers exploit this trust through a method called spear phishing. At its core, it is very similar to the old email malware viruses that people are now very wary of. A person is targeted with a social media message containing a link to the malware. Once that link is opened, the hacker gains access to that person’s computer or device and to all of that person’s contacts. They can then send the original message on again – this time from a friend.
It’s not just the malware that is dangerous; it’s the fact that it can be passed on to so many people. Because the only thing in the malicious post itself is a link, the attack works on any social media platform that allows external links – which is pretty much all of them. While only 30% of people will open a spear phishing email, 66% of people will open a spear phishing link if it is recommended through social media.
Some Case Studies
In May 2017, Russian hackers gained access to the computer of a Pentagon official who opened a Twitter link about a ‘family friendly summer vacation’. There were also 10,000 attempts on the Twitter accounts of people in the Department of Defence. No matter how secure you are, it takes just one person to open up your network to attack.
Even a smaller social network like LinkedIn can be targeted. It has about a quarter of the users that Facebook has, but it is mainly a business-to-business networking site, which makes its users attractive targets. In August 2017, a bogus profile from someone calling themselves Mia Ash went around LinkedIn, offering more personal chats on Facebook. If a friend request was accepted, an email followed containing a fake Word or Excel document that launched a remote access trojan if macros were enabled.
What to Learn from These Case Studies
There are a few golden rules to take from this. First, if you do not know the contact well, do not download PDF, Word or Excel documents from them. You should certainly cancel the process if the document asks you to enable macros. If there’s a link, copy it into a search bar rather than clicking on it within the message.
Even if you are hacked, you will be safer if you use a unique password for each service. If your password is the same for every service and social media platform you use, you are handing control of all of those services over to the hackers. It also means you are exposing all of your contacts on those services to the same phishing attack you have just suffered.
All the advice for bogus emails also applies to invitations, tweets and special offers. If there are spelling and grammar mistakes in tweets (especially ones that claim to represent a company or business person), you should be wary of them. Just as with an email from a Nigerian prince, you should be very careful about the bank details and personal information that you share. Treat people online as potential scammers. If you haven’t encountered the person or the brand in real life, perhaps you shouldn’t accept their friend request.
There is another reason to keep your social media locked down and to allow only people you know to have access to it, even as a friend. It’s great to check in to places and tell people what your plans are for the weekend – but it can also help malicious people work out when you won’t be at home.
This used to be a problem only for your own security. But a work laptop brought home for the weekend, or even a work pass brought home, can give hackers a physical computer with a connection to a secure network that they can attack at leisure. A work pass can also let them into a building, where they can attempt to take a computer or hard drive physically – or even install a hardware keylogger that captures keystrokes, from which they can work out passwords for important programs and accounts.
Cybersecurity has improved, but there is still no correcting for human error. Whether it’s opening the wrong kind of link in a social media message or posting the wrong kind of information, people need to be educated. They also need to be secure: physical security systems need to be upgraded in line with cybersecurity.
There’s no point in having the best cybersecurity if there are no solid doors, timed locks or CCTV cameras protecting the computer hardware. Even an updated digital key system that doesn’t allow weekend or evening access can protect companies and institutions from danger. The important thing is to be vigilant and to use common sense.
This article was written by Simon Parker. Simon Parker has over 70 years of shared experience with Minerva Security, dealing with commercial business security and fire alarm systems.