Social media is the new black and everybody wants to be part of it. Posting one’s activities, sharing one’s thoughts, and reacting to other people’s posts have simply become part of our daily lives.
But to those who know what they’re looking for, this social media content can lead to a goldmine of information. It is through this goldmine—terabytes upon terabytes of data, that cyber criminals flourish, using such data to attack individuals and even companies.
How exactly can cyber criminals use social media to compromise online security and attack business organisations? Let’s discuss their methods.
Identifying accounts to attack
First off, cyber crooks narrow down their target to one or two companies. Once a company has been singled out, a simple search on social media platforms can help them easily identify individuals who are or have been connected to that targeted organisation. In addition, fraudsters can also find other pertinent work data on that person such as rank, position, employment status, colleagues, level of job satisfaction, and more.
These pieces of information can be used to create a profile study on this unsuspecting individual which could make him or her more susceptible to social engineering attacks such as password and phishing scams, tailgating, baiting and others. If any of these attacks succeed, the cyber criminals have means to access the enterprise’s network, as well the victim’s fellow employees.
Correlating accounts to find more targets
There is often a high level of trust among close colleagues and friends, and cyber crooks are quick to take advantage of this. They use the same malicious tactics on the initial target’s contact list, which creates another possible means of entry into the company. The information gleaned from the new targets could enable them to breach the security of the organisation through another department, possibly someone with higher access privileges, or even another company altogether.
Of course, cyber criminals can’t expect all targets to fall for their schemes and to obtain confidential information (e.g. login credentials and passwords) every single time. But the more potential victims they have, the more likely they will succeed at some point. The fact is, social media makes it easier for them to acquire more targets.
Exploiting force of habit
When dealing with their social media accounts, most people don’t put much thought into online security. It’s just a social media account, right? Wrong. In most cases, force of habits leads us to use the same login credentials and passwords in social media accounts as our email and work accounts. If users continue with this unsecure way of choosing passwords, social media could serve as a gateway to more important accounts.
The ‘one password for all accounts’ mentality, supposedly for simplification and easy recall, can actually put corporate accounts in danger. As the defensive user mindset of social media accounts is often on the low side, individuals will most likely fall victim to fake login tactics, fake websites, and password/phishing scams. Once the social media account is hacked and security is compromised, the work account could follow.
Taking advantage of diminished security mindset
A good number of employees are now more security-conscious when dealing with suspicious emails at work. Unfortunately, the same mindset doesn’t seem to carry over when these employees are already using Facebook, Twitter, Instagram, and the like. On social media, users tend to let their guard down, so when a malicious link is delivered, the person is very likely to click on that link, creating the perfect opportunity for infiltration.
The problem gets more complicated if that social media account was accessed in the workplace. As we know, a lot of people just can’t resist checking in on social media from time to time, even in the office. Once they click on a malicious link, online security is breached and a malware is downloaded. The user’s workstation will be infected; but worse, the malware (especially one with wormlike characteristics) could spread across the corporate network? We’ve heard of far too many data breaches to know that what happens next is never good for any enterprise.
Data Mining
Once cyber criminals gain access to a social media account, they can then easily mine data from it and use the information gathered for nefarious purposes. Personal data can be used for phone scams and identity theft. Pictures and videos which may have been viewable only to a select group may help cyber criminals learn more about that person’s company and colleagues. Private messages and chats may reveal guarded corporate secrets.
When hackers and cyber crooks manage to take it to the next level and actually infiltrate a company, the damage that they can wreak can be devastating. The organisation could fall victim to blackmail and/or ransomware, or could be subject to a shame campaign using accounts from within the company itself. Confidential data and research can be exposed. Corporate resources and network infrastructure could be used for a malware bot attack against other companies. There are just too many possible scenarios that all result in negative consequences.
Social media is a powerful tool for sharing information and ideas, and creating awareness and advocacies. However, it has also become one of the most crucial attack vectors for cyber criminals. The damage is not only limited to the individual whose account was compromised, but could extend to that person’s circle of friends and even his or her company. A higher level of awareness and improved security awareness could go a long way to mitigating this problem.