Malicious attackers are tireless as they search for personal and professional information; and they want it all. That information provides attackers with the knowledge needed to coordinate an approach that will elicit the right emotional response to achieve the desired compromise or breach. Where are they finding all this information? Let’s take a look at one method used; social media platforms such as Facebook and LinkedIn. Doing so will help us in two areas: 1) it will inform us as to why we need to vigilantly protect personal and professional information, and 2) it will help to identify areas of vulnerability that can be strengthened through education and training.
Have you noticed how much people love to share everything about their lives on Facebook? Think of all the personal information that is posted about family connections, birthdays, anniversaries, work, hobbies, vacations, pets, the summer camp the kids went to, favorite restaurants, charities, social and political interests and of course, photos, photos, photos.
LinkedIn has become one of the most popular social platforms for professionals. If you have an account, think about what’s included in your profile; name, photo, location, occupation, work experience/history, education, special interests, and groups followed.
Social media platforms have made it easier than ever before for attackers to collect information. LinkedIn presents a real Catch-22. Organizations and their employees want to have an up-to-date and active presence. However, that presence can be exploited for social engineering and phishing attacks. Let’s take a look at a few examples of how social media platforms were used to gather information resulting in a compromise and breach.
In case you haven’t heard about ‘Mia Ash’, her Facebook profile and picture describe her as an attractive British woman with two art degrees and a successful photography business called, “Mia’s Photography”. In reality though, she is a persona created by Iranian state sponsored spies known as OilRig/COBALT GYPSY. Although the persona is fake, the pictures are very real. Literally hundreds of photos were stolen from several social media accounts belonging to a Romanian photographer and student. While using an attractive woman as a honeytrap is nothing new, our focus is on the role social media platforms played to gather information for the attack. If an initial generic phishing attempt did not result in the hoped for click, Mia Ash would use LinkedIn to search out employees from the targeted organizations with job titles that suggested administrative or elevated access to the targeted corporate network. When the employee with the right credentials was found, she would connect with him on LinkedIn about his job, her photography business, and various trips she took. After establishing a rapport on LinkedIn she would then invite the employee to continue the conversation on Facebook. After spending months cultivating a relationship with the employee, Mia would ostensibly ask for assistance in connection with her photography business; setting the stage for the attack. The compromise of the individual was not the ultimate goal, but rather served as the launching pad.
Mia Ash and Deloitte
In July 2016, Mia Ash targeted one of the Big Four accounting firms, Deloitte. She engaged a cybersecurity employee on LinkedIn in conversations regarding his job. Rapport and trust were developed through photo sharing and messaging. The Deloitte employee even offered to help Mia Ash set up a website for her photography business. The reconnaissance and information gathering had paid off. The stage was now set to initiate the attack, a phishing email. Mia Ash allegedly convinced the Deloitte employee to open a file containing some of her photos on his work laptop. The email containing the photos was booby-trapped with the malware dubbed, PupyRAT designed to pilfer credentials.
Mia Ash and a Middle Eastern Company
As reported by SecureWorks, Mia Ash used LinkedIn to search out and contact an employee from the targeted organization with questions about you guessed it, photography. Mia Ash and the employee messaged each other about their professions, photography and their travels. Mia then asked if he would add her as a Facebook friend so that they could continue their conversations there. About a month later she asked him to participate in a photography survey. Once again, the stage was set for the attack, a phishing email. A Microsoft Excel document, “Copy of Photography Survey.xlsm”, was sent to his personal email account. Mia told him that the survey would only function properly if opened in his corporate email account. He complied; the attached survey contained macros that he enabled unleashing PupyRAT.
Elianna and the IDF (Israeli Defense Forces)
Hamas operatives created fake Facebook profiles of attractive young women. Their goal? To entice unsuspecting IDF soldiers into installing a virus that would turn their mobile device into an open book. Contacts, location, apps, pictures would become accessible to Hamas operatives; compromising the soldier and potentially the IDF organization. How did Hamas operatives find their targets? It is reasonable to conclude that social media platforms, as well as online search engines, produced the information needed. All targeted IDF soldiers were found through public photos with tags and posts revealing they were active in IDF military service.
What Can We Do?
The persistent use of social media platforms to locate potential victims indicates that this method of information gathering is highly successful. Elaborate social engineering attacks were orchestrated with devastating consequences. In the attack against Deloitte, it’s notable that a cybersecurity employee fell victim to the con.
The dangers of overexposure, both personal and professional, on social media platforms is not a new topic for us. We’ve discussed it in our Newsletters, and in the Framework. However, from these recent examples it’s evident that we can’t let out guard down. So, what can we do? Here are a few guidelines.
When it comes to personal and professional information posted to a social media platform think ‘security first”. TRY THIS: Google your name and see what information and pictures are available. Ask yourself: Would I want anyone to see it? Should this information be protected? If so, don’t get burned by overexposure. Lock the information down with privacy settings, or consider not posting at all. Take the time needed to become a privacy settings ‘expert’. Here’s a place to start: Facebook’s Privacy Basics, including Manage Your Privacy and Staying Safe and Secure. Also, know the privacy settings on LinkedIn and how to implement them. Consider changing the ‘public’ and ‘all members’ setting to ‘connections’ only.
Before accepting social media connection requests, validate the user’s authenticity. Clear guidelines for social media usage, as well as education for identifying potential phishing lures are essential for executives and employees. Clear company policies need to be in place for reporting potential phishing messages received through corporate email, personal email, and social media platforms.
Let’s not be content with just a check box approach to training. Ongoing training that is both customized and interactive can mitigate the threat of a data breach due to overexposure.
“Tell me and I forget. Teach me and I remember. Involve me and I learn.” – allegedly Benjamin Franklin, probably Xun Kuang.