Reconnaissance Using The Weak Link Of Social Media Sites
Are professional social media sites the weak link in companies’ security strategies?
Before (and during) a targeted attack, information about the target organization and its employees is useful to an attacker. This can be used to craft well-designed social engineering attacks that are more likely to be opened by its targets. It can also provide more information about the targets themselves, allowing the attacker to decide which individuals in an organization should be targeted.
Social media sites like Facebook and Twitter are a valuable source of information. Other publicly-facing sites (such as those of the target organization) can also contain details that can prove useful. However, one valuable source of generally private information may be unappreciated: professional social media sites.
Like in other social media sites, professional social networks encourage its users to share information. Unfortunately, the nature of the information shared in these networks — employment history, job titles, and others — makes them very attractive sources of information for attackers.
For example, the largest professional social media site, LinkedIn is already known for being the medium of employees inadvertently leaking information from their employer. In early 2015, engineers for chip manufacturer AMD inadvertently leaked details about next-generation products in their profiles. It is also known that several NSA codenames were added by US government employees to their profiles. These incidents highlight how information can be disclosed – even inadvertently – via LinkedIn profiles.
Recently, we saw a wave of Viadeo invitations that were sent to the French offices of Trend Micro. (Viadeo is a professional social media network that is based in France.) It targeted several employees, including myself, and it all came from one Viadeo profile. This profile pretended to belong to an IT manager from the Trend Micro Australia office, who had been with the company for 18 years. The profile of this person was quite empty, and when I received the invitation and checked it out, it had only 4 contacts.
The profile also said its owner studied at “havard, new yord”, which could be a typo for “Harvard, New York”… which is odd in and of itself, as Harvard University is not in New York. Neither is there a town named Harvard in the state of New York.
This was enough to raise suspicion. A quick check of the company directory confirmed that there was indeed no employee with that name; no person by that name had been employed by the Australian office either.
It was clear that this was an attempt to gather contacts/information from Trend Micro. In response, we raised an internal alarm to our employees to avoid any potential problems.
Simply put, users are more likely to believe someone they “know”, and someone they have connected to on a professional social media site fit into this category. This can transform what was previously an “outside” threat into one mounted by an insider.
We’ve spoken before about the threat an insider can pose to an organization: now imagine if someone was able to pose as an insider. The information acquired could directly lead to an organization’s weaknesses, as well as where any potentially valuable information was located. The damage could be significant.
Organizations need to make sure that they have a social media policy in place. This policy needs to go beyond something simplistic like banning social media sites within the office. It needs to outline clearly what employees can and cannot disclose on social media. Different industries will be subject to different rules: a neighborhood restaurant does not need the same secrecy as a defense contractor.
The organization also needs to empower its employees to detect and report attempts to target them in this way. An incident response team must be able to take note of incidents like these and warn other parts of the company, as needed. Tools that can help employees find out if/when a person is (or was) employed by the company may be useful as well.
Defending against social engineering attacks requires recognizing that not all solutions are technical in nature. Some defenses must be based on hardening the humans involved. Accepting that fact may require a change in mindset on the part of defenders.
Before (and during) a targeted attack, information about the target organization and its employees is useful to an attacker. This can be used to craft well-designed social engineering attacks that are more likely to be opened by its targets. It can also provide more information about the targets themselves, allowing the attacker to decide which individuals in an organization should be targeted.
Social media sites like Facebook and Twitter are a valuable source of information. Other publicly-facing sites (such as those of the target organization) can also contain details that can prove useful. However, one valuable source of generally private information may be unappreciated: professional social media sites.
Like in other social media sites, professional social networks encourage its users to share information. Unfortunately, the nature of the information shared in these networks — employment history, job titles, and others — makes them very attractive sources of information for attackers.
For example, the largest professional social media site, LinkedIn is already known for being the medium of employees inadvertently leaking information from their employer. In early 2015, engineers for chip manufacturer AMD inadvertently leaked details about next-generation products in their profiles. It is also known that several NSA codenames were added by US government employees to their profiles. These incidents highlight how information can be disclosed – even inadvertently – via LinkedIn profiles.
Active attacks on social media
It’s one thing to have information passively leaked on social media, and another to have attackers actively try to exploit it. We will demonstrate how this being done – by revealing some attacks on Trend Micro itself.Recently, we saw a wave of Viadeo invitations that were sent to the French offices of Trend Micro. (Viadeo is a professional social media network that is based in France.) It targeted several employees, including myself, and it all came from one Viadeo profile. This profile pretended to belong to an IT manager from the Trend Micro Australia office, who had been with the company for 18 years. The profile of this person was quite empty, and when I received the invitation and checked it out, it had only 4 contacts.
The profile also said its owner studied at “havard, new yord”, which could be a typo for “Harvard, New York”… which is odd in and of itself, as Harvard University is not in New York. Neither is there a town named Harvard in the state of New York.
This was enough to raise suspicion. A quick check of the company directory confirmed that there was indeed no employee with that name; no person by that name had been employed by the Australian office either.
It was clear that this was an attempt to gather contacts/information from Trend Micro. In response, we raised an internal alarm to our employees to avoid any potential problems.
What information can be gathered this way?
Using information gathered from professional social networks, a skilled attacker can essentially become an insider and learn much of what an employee knows. For example, he may know who someone’s immediate superiors are, who their teammates are, what projects they are working on, etcetera. This gives them much of the access an insider would have.Simply put, users are more likely to believe someone they “know”, and someone they have connected to on a professional social media site fit into this category. This can transform what was previously an “outside” threat into one mounted by an insider.
We’ve spoken before about the threat an insider can pose to an organization: now imagine if someone was able to pose as an insider. The information acquired could directly lead to an organization’s weaknesses, as well as where any potentially valuable information was located. The damage could be significant.
What can companies and users do?
End users can consult our article titled How to Spot Frauds on Professional Networks for tips and best practices on how to spot and avoid these attacks on professional social media.Organizations need to make sure that they have a social media policy in place. This policy needs to go beyond something simplistic like banning social media sites within the office. It needs to outline clearly what employees can and cannot disclose on social media. Different industries will be subject to different rules: a neighborhood restaurant does not need the same secrecy as a defense contractor.
The organization also needs to empower its employees to detect and report attempts to target them in this way. An incident response team must be able to take note of incidents like these and warn other parts of the company, as needed. Tools that can help employees find out if/when a person is (or was) employed by the company may be useful as well.
Defending against social engineering attacks requires recognizing that not all solutions are technical in nature. Some defenses must be based on hardening the humans involved. Accepting that fact may require a change in mindset on the part of defenders.
Comments
Post a Comment