What Motivates a Social Media Junkie?

 Social media has been a theme that keeps jumping out at me with no reprise. Again this month I am revisiting it with another newsletter article. I wanted to address the question:

Why do people put so much information out there?

This question comes up again and again whenever I talk to someone that is not familiar with the social media space. They look at what is being done, and are just mystified as to how people place themselves in these situations. To those that have grown up without social media, and only share information with a few trusted individuals, engaging in this sort of mass orgy of information sharing seems like a foreign language to them.  I think part of the issue is that those of us in the infosec world don't see things the same way a lot of early adapters do.

Early adapters flock to new services. Then a day later attackers load in and go after this fresh meat. The day after that is when we show up and start trying to make sense of what is going on.

Lately this new territory has been social media, which has provided those of us that engage in any aspect of social engineering a treasure trove of information to utilize for whatever our goals may be. Efforts like last month’s profile, which started from some information discovered on Blippy and grew into a entire profile, happen all the time. It could be an employer looking at potential new hires, scammers looking for new sheep, an insurance company deciding if a claim is valid or not, or simply a spouse wanting to know what their mate is doing when not at home. Social media provides the raw information used to feed the information gathering beast.

As a neat little exercise, go to Youtube and search for the word "Haul" . Watch some of those videos and consider what you see. When I first came across this, I was really surprised. It seems like such a stupid topic for youtube videos, but there are so many of them. And not only that, look at how often they have been viewed. At the time of this writing, the top one has over 600,000 views, and almost 12,000 ratings. All for what some girl bought at a store? And that’s not really an exception, a number of these videos are over 100,000 views.

So the question enters my mind: Why are these videos showing up?

This is along the same topic as what we covered last month with Blippy: the need for affirmation. The plea of being judged based off of not who we are, but what we have. That if we are going to be stereotyped, wanting to control what stereotype we fall into. And perhaps a fair degree of people wanting to be told what is cool so they can mimic it and feel better about themselves.
In the specific case of a few of these haul videos, it motivation becomes obvious. In one, the girl in the video directly calls attention to the fact that she was going to quit making the videos. However so many people made nice comments, she decided to keep doing them. With that in mind, consider the ways she just presented herself for manipulation. This is a direct request for praise, and a clear indicator of where to start any interactions.

Understanding this motivation is key. Why would someone use Blippy? Why would someone make videos of what they bought at the store? How can we take advantage of this as social engineers?

Most times when social engineers look social media we use it as raw pools of facts waiting to be dredged. Then we use this information to build wonderful profiles chock full of information.  From there, a social engineer can launch various attacks such as phishing e-mail attacks that are targeted on interests we know they have. And this all proves quite effective.

But what if instead of stopping at that surface layer you went deeper. What if you looked at why is this target engaging in this activity? What is missing from their life that this is an attempt to fill? And is there a way I can prey upon this need?

If this sounds disturbing then good, it should be. Unfortunately this is much the same approach that predators of all sorts use when trying to gain the trust of their prey, online or off.

Let’s look at an example. Not long ago I attended a local event for those that are fans and supporters of social media. I found it very interesting to see what these people wanted to get from social media, and why they were there. I saw some interesting items that I was not expecting.

Whenever the economy gets shaky, people start to get uneasy. This unease can sometimes lead to people seeking out alternative income streams such as perhaps they will start selling Tupperware or jewelry. Or perhaps they will become increasingly concerned with their career, and how competitive the job market has become. In this concern they start looking for something to set them apart from everyone else.

Enter social media.

At the event I attended there was much talk about how everyone’s "personal billboard" was working. About their personal brand, and what it says about them. How you can monetize a twitter feed, and when is that not ethical. It was all about how they can ensure that their career will be solid.

However the interesting thing about this is, at this event there were very few that were already established in their careers. Most were not looking to protect what they already have, but instead were wanting to obtain what they desired.

In a way, they were all engaging in a SE of their own. Trying to mimic the image of success before actually obtaining it. Everyone was complicit in their attempts to validate others in hopes that the favor will be returned upon them. Social media was being used as a mirage directed toward their targets, potential employment or promotions at their current job. It was as if social media was the fertilizer they intended to use to grow their careers beyond what they currently had.

With all that need in the room, how quickly and easily do you think it becomes to infiltrate the various cliques? A fake profile, a good picture, some compliments, along with a few questions to make them feel like you view them as an expert and you are in. They will open any file you care to send, any link you email, or even sign up on your new ning community you have created. Once you become the one that is fulfilling that need in their life, they are compromised. The trick is identifying that need.

Now, granted I am only speaking about a subset of those that utilize social media. Not everyone out there is operating with the same motivation, or even the same level of desperate need. But from a social engineers perspective, this user base is a dream come true and is very much worth talking about. It’s like finding a remote island where the animals have not yet grown to fear humans. An avid hunter could take his prey with a butter knife as opposed to camouflage and a rifle. A bit disturbing?  Yes, but it is happening every day.

In many ways, this is why the information security community is two dates behind and the attackers are one. InfoSec has always done a poor job in understanding the motivation of the user base they are tasked to protect. In a concern over making sure that best practices are being followed and compliance is in line, information security often never stops and considers motivation the same way an attacker does. The attackers are just after prey they can bring down with a minimal amount of effort. They don't really care about anything else.

Next time you are utilizing social media in any capacity, stop and consider the motivation of those that you are interacting with or targeting. See if you can isolate what that motivation is, and see if you can use that knowledge to your advantage. This is a very effective way of both gaining trust and endearing yourself with your targeted community.

By Jim O'Gorman - A chief contributor for social-engineer.org and consultant for Continuum Worldwide


Social Engineering Assessments for the Business

Social-Engineering assessments within penetration tests are still not as prevalent as we would have expected in the security industry and businesses. With the ever-changing threat landscape companies face and the desire for criminals, black hats, and state sponsored efforts to gain unauthorized access to confidential information; still one of the easiest methods into an organization is through humans. We continuously hear the problems about poor programming practices with web applications, or the fact that the latest and great exploit just came out, however the large brunt of attacks occurring as of late have been direct attacks against employees. 

Never before have we seen such dedication towards businesses in an effort to steal and compromise information in the manner as it is today. With the growing knowledge around ensuring quality secure code, firewalls, intrusion prevention systems, and the same old cat and mouse game, users are one of the biggest risks -period. Understanding this, there has to be a clear way of tackling the issue of social engineering and personnel attacks, so that a business can adopt and incorporate test for these into their overall security program.

In 2008, Dave and Busters, a popular game and restaurant business in the United States fell victim to a social engineer attack where hackers impersonated a point of sale (PoS) provider and gained invaluable information about the Dave and Busters network to steal credit card data. In that same year, MTV reportedly was hit by a social engineer attack that compromised over 5,000 employees.

In the case of Google, hackers targeted multiple people within the organization by compromising friends of the employees and utilizing a zero-day vulnerability. These advanced attacks are focused on key information about the organization that can be used for a variety of purposes or to further aid in another attack. Overall, after the dust settled, Adobe, Juniper, Symantec, Northrop Grumman, and Dow Chemical were also targeted in the same attack.  

Most organizations see social engineering as a hypothetical scenario that doesn’t necessarily apply to them, the above stories show that from fun and games to serious defense companies can fall victim to these attacks. We always hear of breaches occurring from the web application layer, or that our data is leaving the company, but most companies truly have a hard time understanding how effective social engineering is.

Penetration tests are nothing new; the main goal of a penetration test is to show real world proof of concept scenarios that emulate what a hacker could possibly do. They aren’t a magic bullet to find every vulnerability and exploit in a network, but a facilitator to help identify how effective a security program is working. It is also a checkmark for the majority of compliance and regulatory requirements out there.  Penetration tests should absolutely be unrestrictive and allow full mechanisms an attacker would, this has to include social engineering. 

Without testing the controls around how a user awareness program or how well your security controls work against this type of attacks a company can be left wide open to this massive vulnerability. This can absolutely be one large risk that you aren’t accounting for. Lastly, the ability to present how a hack occurred to the management can provide additional funding or business drivers in accomplishing certain initiatives that you want to deploy through the organization with little fight. 

In stating this, a penetration test only goes so far, it’s a good test to see where you are at and where you need to go. Really diving down into protecting yourself…from yourself is a whole different aspect and challenge within an organization. You will never reach 100 percent of your populous unless you’re a small organization.  We are advocates of coupling a user awareness program that educates the users on the attacks however realize that we can’t educate everyone in the company.

You have to incorporate technological solutions that also prevent the users from hurting themselves. Strict controls around local administrative rights will essentially knock out large exposures to the business by at least 60%. Combine that with heavily monitored and restricted egress (outbound) points and this can easily reduce the threat landscape by another 20%.  Add a decent content filtering, HIPS, AV, and patched solution and this can cut back on another 15%. That leaves you with a 5% gap on protecting your user base and where hopefully user awareness can cover. 

This is where social engineering pentests come into play. It is becoming more and more prevalent that companies are beginning to ask for social engineering in their pentest quotes. When discussing this with your management, show them how effective it is by utilizing real world examples of these types of attacks and how the threat landscape is constantly changing. Use resources like the videos on www.social-engineer.org to show simple, yet real and effective attacks that happen in the wild.

Get approval to test and show how effective it can be with just one person. Most companies are moving or have moved (for a long time) to the risk based approach of information security. Looking at the sheer volume of numbers coming out towards advanced attacks around social engineering should be a large risk factor alone and proof that this method isn’t going away anytime soon.

As the statistics for identity theft, corporate espionage and social engineering attacks increases so must user awareness.  Education, penetration testing and a vigilant policy on how to handle these attacks can help secure your company.  There is nothing that can make you 100% secure against a dedicated attacker, but these principles can make it very difficult for them to gain access to your data.

Written by David Kennedy